npm .npmrc always-auth Deprecated/Ignored - Fix Auth on Tarball Fetch in CI
The old global always-auth=true told npm to send credentials on every request, including tarball downloads. Newer npm deprecated/ignores it in favor of per-registry //host/:_authToken= config. Relying on always-auth alone can leave authenticated tarball fetches unauthenticated and 401ing.
What this error means
Metadata requests authenticate but a tarball download (or a redirect to a CDN host) returns 401, on a private registry where .npmrc still relies on always-auth=true. Newer npm no longer applies that flag the way older npm did.
# .npmrc (legacy)
registry=https://registry.internal/
always-auth=true
# tarball fetch still 401s under newer npm:
npm error code E401
npm error 401 Unauthorized - GET https://registry.internal/.../pkg.tgzCommon causes
always-auth is deprecated/ignored
Newer npm dropped the global always-auth behavior. A config that depended on it to authenticate downloads no longer does so reliably.
Credentials not bound per-registry
Without a //host/:_authToken= line for the registry (and any CDN host it redirects to), authenticated fetches fall back to anonymous and are rejected.
How to fix it
Bind auth per registry host
Replace reliance on always-auth with explicit per-host token config.
# .npmrc
registry=https://registry.internal/
//registry.internal/:_authToken=${NPM_TOKEN}
# if downloads redirect to a separate host, authenticate it too:
//downloads.internal/:_authToken=${NPM_TOKEN}Audit the effective auth config
- Run
npm config ls -lto see which auth keys are actually applied. - Add
_authTokenlines for every host npm contacts (registry and any download/CDN host). - Remove
always-authand confirm tarball fetches now succeed.
How to prevent it
- Use per-registry
_authTokenconfig, not global always-auth. - Authenticate every host the registry redirects downloads to.
- Verify effective config with npm config ls -l.