NPM - Failed to replace env in config: ${NPM_TOKEN}

Question

I am trying to build a react app, but when I execute the command npm -i it gives me the following error:

Error: Failed to replace env in config: ${NPM_TOKEN}
    at /usr/local/lib/node_modules/npm/lib/config/core.js:415:13
    at String.replace (<anonymous>)
    at envReplace (/usr/local/lib/node_modules/npm/lib/config/core.js:411:12)
    at parseField (/usr/local/lib/node_modules/npm/lib/config/core.js:389:7)
    at /usr/local/lib/node_modules/npm/lib/config/core.js:330:24
    at Array.forEach (<anonymous>)
    at Conf.add (/usr/local/lib/node_modules/npm/lib/config/core.js:328:23)
    at ConfigChain.addString (/usr/local/lib/node_modules/npm/node_modules/config-chain/index.js:244:8)
    at Conf.<anonymous> (/usr/local/lib/node_modules/npm/lib/config/core.js:316:10)
    at /usr/local/lib/node_modules/npm/node_modules/graceful-fs/graceful-fs.js:78:16
/usr/local/lib/node_modules/npm/lib/npm.js:61
      throw new Error('npm.load() required')
      ^

Error: npm.load() required
    at Object.get (/usr/local/lib/node_modules/npm/lib/npm.js:61:13)
    at process.errorHandler (/usr/local/lib/node_modules/npm/lib/utils/error-handler.js:205:18)
    at process.emit (events.js:182:13)
    at process._fatalException (internal/bootstrap/node.js:448:27)

I am using MacOS High Sierra. I tried to set the NPM_TOKEN as an environment variable with following command:

set -x NPM_TOKEN = xyz

but it doesn't work. What is the problem?

Possible duplicate of [Failed to replace env in config using Bash & NPM](https://stackoverflow.com/questions/35483721/failed-to-replace-env-in-config-using-bash-npm) — Hemadri Dasari, Aug 25 '18 at 09:31
Did you find a solution to this problem? I've followed all the instructions in all the linked questions etc and I got nothin — JSilv, Nov 02 '18 at 16:00
@JSilv see my answer: https://stackoverflow.com/a/55610638/5922757 — Jezor, Apr 10 '19 at 10:47
Here you can find my solution https://stackoverflow.com/a/67648863/14178236 — Aman Gupta, May 22 '21 at 11:25

score 95 · Accepted Answer · answered Dec 10 '18 at 21:41

95

First Possible Solution:

Simple Solution: rm -f ./.npmrc (Deleting a .npmrc file)

Second Possible Solution:

However if you don't want to delete the file, you can simply remove this line of code in the .npmrc file.

Line of Code: //registry.npmjs.org/:_authToken=${NPM_TOKEN} (Remove this code)

Third Possible Solution

Worst case scenario:

nano ~/.bash_aliases or nano ~/.bash_profile
add export NPM_TOKEN="XXXXX-XXXXX-XXXXX-XXXXX"
CTRL + X to exit
Y to save

answered Dec 10 '18 at 21:41

accimeesterlin

3,816
1
24
18

37

This is not a solution, but a workaround. A proper solution would be to remove this line and update your CI deployment configuration like `npm config set '//registry.npmjs.org/:_authToken' "${NPM_TOKEN}" && npm publish`. – Jezor Apr 10 '19 at 10:36
7

I am missing the why of this solution, would have been nice to have it. – Andrea.cabral Dec 02 '19 at 13:10
12

If you remove this line from the file how then do you gain access to the private repo? – Kevin Genus May 22 '20 at 20:26
Have to reiterate that the above is not a solution and the *worst case scenario* as it is described, is a viable solution in some circumstances. – johnny Feb 11 '21 at 23:01
You might need to set your NPM_TOKEN in your environment (e.g. .zprofile, .bashrc) – Professor Todd Sep 09 '21 at 16:43
1

"Yeah, just delete the file or the line that causes problems" Great solution! /s – shakhbulatgaz Feb 07 '22 at 07:45

Jezor · Answer 2 · 2019-10-11T06:21:00.543

93

Actually proper solution

Update your CI deployment configuration:

npm config set '//registry.npmjs.org/:_authToken' "${NPM_TOKEN}"
npm publish

Remove this line from the .npmrc file:

//registry.npmjs.org/:_authToken=${NPM_TOKEN}

Example build config

You can see this solution used in practice in one of my GitHub repositories: https://github.com/Jezorko/lambda-simulator/blob/master/.travis.yml

The encrypted environment variable is an NPM token.

Why the other "solutions" are mere workarounds

I've seen answers here and under this question that recommend simply removing the variable setting line or .npmrc file entirely.

Thing is, the .npmrc file might not be ignored by your VCS system and modifying it might lead to accidental pushes to your project's repository. Additionally, the file may contain other important settings.

The problem here is that .npmrc does not allow defaults when setting up environment variables. For example, if the following syntax was allowed, the issue would be non-existent:

//registry.npmjs.org/:_authToken=${NPM_TOKEN:-undefined}

edited Oct 11 '19 at 06:21

answered Apr 10 '19 at 10:45

Jezor

2,838
1
16
41

2

Executing `npm config set '//registry.npmjs.org/:_authToken' "${NPM_TOKEN}"` threw the exact same error from title for me. Resolved only using the first workaround in the accepted answer. – alelom Aug 16 '19 at 09:39
5

This approach would leak "${NPM_TOKEN}" to any user on a machine able to list processes and their arguments, eg. with `ps`, `pgrep` etc. – Wade Jensen Aug 20 '19 at 02:18
1

added to Jenkinsfile and works like a charm! This is exactly what I was looking for! Cheers! – Kamil Janowski Sep 02 '19 at 05:58
@WadeJensen If you are afraid of passing sensitive information as command parameters, perhaps your CI/CD environment is not secure enough. What you described would require constant monitoring of processes and their arguments, `npm config set` executes rather quickly for a human to catch the exact moment it runs. This implies you have a user with malicious intentions with access to your machine… Anyhow, you can use some other command to write token to npm config file (one that doesn't use command line args). – Jezor Sep 09 '19 at 07:29
@alexlomba87 what are the contents of your `.npmrc` file? Perhaps you're setting literally `${NPM_TOKEN}` instead of an environment variable? – Jezor Sep 09 '19 at 07:30
4

@Jezor a lot of developers work on multi-tenant internal systems which are behind corporate firewalls, but are loosely secured from internal users. You want your security model to be "crunchy everywhere", not "hard shell outside, soft-gooey inside". – Wade Jensen Sep 10 '19 at 05:38
@WadeJensen I think we are agreeing, then! Only few admin users should have access to CI/CD internals (SSH / admin), devs should only see pipeline results. Still, you can commit a test that just reads `.npmrc` and fetches the token - there's a certain point where adding more restrictions doesn't increase security anymore. – Jezor Sep 10 '19 at 07:37
@funtik since this answer has received much support, could you please consider marking it as the accepted answer? The current accepted answer is quite misleading. – Jezor Jul 18 '21 at 09:47
1

This answer should go to the top. – oyalhi Aug 20 '21 at 23:39
Good stuff, worked over here! Nice to not have to use that file. – Jannik Oct 14 '21 at 16:28
this worked for me but every time I restart the computer I need to do it again. Any ideas why? – kilinkis Nov 04 '21 at 11:15
@kilinkis difficult to say without taking a look at your deployment script. Are you deploying from your machine instead of a CI server? – Jezor Nov 11 '21 at 11:28
@Jezor is not a CI context, is just my machine and I'm trying to run stuff like `yarn storybook`, then get the error in the question, and by doing this proposed solution it works after, until the next restart. Now I export the key in my zhsrc and removed that line from .npmrc. We'll see how that works next time I restart. – kilinkis Nov 11 '21 at 21:57

score 42 · Answer 3 · edited Oct 08 '20 at 16:06

42

I have an easy solution to this issue. After you set your NPM_TOKEN globally into your environment then replace

//registry.npmjs.org/:_authToken=${NPM_TOKEN}

with

//registry.npmjs.org/:_authToken=$NPM_TOKEN

It's worked well for me on macOS Catalina.

edited Oct 08 '20 at 16:06

Striped

2,477
3
24
30

answered Jan 20 '20 at 06:34

Rohman HM

2,224
3
21
38

3

This did fix running from command line (I'm macOS Catalina as well), however it did not work on a variety of CIs – yo.ian.g Jan 25 '20 at 02:20
1

I read that the recommended solution was just a "workaround", and even the second most recommended solution was insecure. I'm also running on macOS Catalina and your solution worked well for me. This seems the best solution, since it doesn't compromise security nor is it also just a temporary workaround. – pizzae Apr 23 '20 at 11:05
Solved an issue I was having with `yarn` https://stackoverflow.com/questions/70659269/vercel-deploy-of-my-nextjs-app-with-font-awesome-pro-is-returning-a-401-build-er – Isaac Tait Jan 27 '22 at 14:38

score 14 · Answer 4 · answered Jan 31 '19 at 14:03

14

If you just set your ~/.profile for the first time (OSX, Ubuntu) and added this line: export NPM_TOKEN="XXXXX-XXXXX-XXXXX-XXXXX". Then you must enter this line to the terminal afterward:

source ~/.profile

answered Jan 31 '19 at 14:03

dang

1,418
1
19
24

score 7 · Answer 5 · answered Apr 08 '20 at 16:48

7

Running npm install in an IDE (like WebStorm) was my problem. I added the NPM_TOKEN environment variable to .bash_profile and restarted my Terminal, but not my IDE! The IDE did not pick up the changes to the environment until I restarted it as well.

answered Apr 08 '20 at 16:48

Jordan Dodson

355
4
5

score 3 · Answer 6 · answered Dec 29 '20 at 20:43

The following worked for me. I had to place

export NVM_DIR="$HOME/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"  # This loads nvm
[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"  # This loads nvm bash_completion

AFTER the line where i specify

export NPM_TOKEN='mytoken'

score 2 · Answer 7 · answered Jan 03 '21 at 21:43

2

Im my case moving the export of the token inside my .zsh (or .bash_profile) to the top of the file fixed the problem because it has been initialised too late before.

answered Jan 03 '21 at 21:43

chrisby

684
5
15

score 1 · Answer 8 · answered Feb 20 '21 at 08:44

1

https://www.runoob.com/linux/linux-shell-variable.html replace

'//registry.npmjs.org/:_authToken=${NPM_TOKEN}'

with

'//registry.npmjs.org/:_authToken='${NPM_TOKEN}

answered Feb 20 '21 at 08:44

summer

21
2

score 1 · Answer 9 · answered Jun 08 '21 at 13:43

1

I got this issue while trying to setup a CI/CD job in Gitlab. I eventually found out that the error was caused because the variable that was throwing the error was set to a protected variable.

I changed it under Settings > CI / CD > Variables.

answered Jun 08 '21 at 13:43

Jordi

2,766
2
14
31

Jineesh · Answer 10 · 2021-12-08T09:57:50.040

1

For mac

vim ~/.bash_profile

add export NPM_TOKEN=XXXXX-XXXXX-XXXXX-XXXXX

source ~/.bash_profile

also, add the below entry in the .zshrc file to apply the profile when a new terminal tab/window is opened.

if [ -f ~/.bash_profile ]; then
  . ~/.bash_profile
fi

edited Dec 08 '21 at 09:57

answered Dec 03 '21 at 11:17

Jineesh

10,829
5
23
25

score 0 · Answer 11 · answered Sep 28 '18 at 20:23

0

For people on Ubuntu coming from google:

nano ~/.bash_aliases
export NPM_TOKEN="PUT_YOUR_TOKEN_HERE"
CTRL+X to exit
Y to save

answered Sep 28 '18 at 20:23

fIwJlxSzApHEZIl

9,849
6
53
64

score 0 · Answer 12 · answered Jun 07 '21 at 12:58

I am also getting this problem but I find a solution when I am pushing my repo on Heroku so I notice that Heroku run the command react-script start or build

//registry.npmjs.org/:_authToken=${NPM_TOKEN}

so this syntax didn't give the error but when I use the same syntax in my system and run the command it gives me. Because usually when we run in our system we use cmd npm or yarn but if you use react-script then it will not gives an error

score 0 · Answer 13 · answered Sep 28 '21 at 16:53

0

On Windows while using git bash, setting a regular Windows environment variable worked for me. This answer helped setting an environment variable in Git Bash

answered Sep 28 '21 at 16:53

Gabriel Wamunyu

654
9
22

score 0 · Answer 14 · answered Nov 02 '21 at 09:49

In case of windows and visual studio code - just restart your visual studio, it helps.

Also, how to set this environment variable on windows?

open Registry Editor, and follow \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment, and create there another one "string value" with your token or whatever you need.

score 0 · Answer 15 · answered Dec 19 '21 at 21:52

0

I fixed it by setting NPM_TOKEN=""

In github action, i set the env:

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      NPM_TOKEN: ""
    # ....

answered Dec 19 '21 at 21:52

Abdennour TOUMI

76,783
33
229
231

sidanmor · Answer 16 · 2022-02-16T10:44:46.603

Using AWS CODEARTIFACT

If you use docker, you need to add this to your Dockerfile

...
ARG CODEARTIFACT_AUTH_TOKEN
...
RUN export CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN
RUN npm i
...

This is the .npmrc file

registry=https://sidanmor-codeartifact-main-112233.d.codeartifact.eu-west-1.amazonaws.com/npm/js-utils/
//https://sidanmor-codeartifact-main-112233.d.codeartifact.eu-west-1.amazonaws.com/npm/js-utils/:always-auth=true
//https://sidanmor-codeartifact-main-112233.d.codeartifact.eu-west-1.amazonaws.com/npm/js-utils/:_authToken=${CODEARTIFACT_AUTH_TOKEN}
registry=http://registry.npmjs.org

And the build command will be:

docker build --build-arg CODEARTIFACT_AUTH_TOKEN=xxxyyyzzz . --tag my-tag

score 0 · Answer 17 · answered Mar 19 '22 at 20:01

0

you can also replace the ${NPM_TOKEN} with your own GitHub generated personal token

answered Mar 19 '22 at 20:01

Akki

1

Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 20 '22 at 02:28

score -1 · Answer 18 · answered Jan 31 '21 at 14:08

-1

In my case I just add export NPM_TOKEN to ~/.bashrc export NPM_TOKEN=60______-69__-44__-be__-2f__________ This is for bash Ubuntu 20.04

answered Jan 31 '21 at 14:08

Frank Mendez

482
2
12
23