[BUG] npm install resolved https with PAT as git+ssh

[koooge]

Hi there,

Current Behavior:

npm@7 install from https://github with PAT resolved as git+ssh://. Is this intended?

pacakge.json

"foo": "git+https://github.com/bar/baz.git",

package-lock.json

... 
  "resolved": "git+ssh://git@github.com/bar/baz.git#..."
...

Expected Behavior:

package-lock.json

... 
  "resolved": "git+https://github.com/bar/baz.git#..."
...

It's because I have some hacks to keep the PAT a secret. like:

git config --global url."https://${GITHUB_TOKEN}@github.com".insteadOf "https://github.com"

This hack worked in npm@6, but npm@7 didn't.

Steps To Reproduce:

1. Create a private repository of npm on GitHub
2. npm install above 1 with PAT. 
3. npm ci on another env with above GITHUB_TOKEN hack.  #=> error

Environment:

• OS: macOS 11.2
• Node: 14.15.4
• npm: 7.5.2

[morficus]

Just spent an hour debugging this in my CI environment, just to finally relaize that npm-7 was the issue.

The reason this is a problem is because github seems to not allow cloning public repos using git+ssh with out a security key, it requieres it to be git+https

npm ERR! /usr/bin/git ls-remote -h -t ssh://git@github.com/morficus/serverless-plugin-split-stacks.git
npm ERR! 
npm ERR! git@github.com: Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.

By npm-7 changing everything to git+ssh... this means that it is not possible to use direct GitHub repositories as dependencies in your package.json

[wraithgar]

This was fixed in this pr npm/pacote#61 and went into the cli as of v7.4.3. Can you try explicitly using git+https? I don't know if that will solve it for sure but that's a good first step before we investigate this further.

[themightychris]

I'm seeing this issue in vpm v7.5.4,

I can manually edit package-lock.json to replace the git+ssh refs with git+https and then npm ci works

But then every run of npm install incessantly edits package-lock.json to change node_modules/mymodule->resolved and mymodule->version back to git+ssh

NPM then executes ls-remote against it which fails in a CI environment with no github SSH key, and is immune to Git's normal URL rewriting :-(

[themightychris]

This and #2610 appear to be dupes

[wraithgar]

Yes, with the added info it does appear to be a dupe.