npm Blog (Archive)

401 & scoped packages

Update: We rolled back this change around 2pm PST today, but will be rolling it out again soon.

Did you recently get a 401 or an EINVALIDNPMTOKEN error when trying to interact with scoped packages? This is the result of some recent changes we made and is not related to any security incidents. Yesterday we deployed a change to the Registry that made invalid tokens return 401 responses when used to look up scoped packages, whether they are publicly visible or not.

There was also a bug that caused tokens created via npm token create to report EAUTHIP errors when used, but it was fixed last night. Note that tokens created via npm login or the website were not affected by this issue. You may also recall that we invalidated all user tokens in July, so that may be the reason you are getting a 401.

How to fix the issue

First, you can verify your token by running npm whoami. If it’s invalid or you got the 401 previously mentioned, run npm login to create a new token and you are good to go.

What’s next

This change is one of many we plan to make to our authorization flow to help us scale the Registry and make invalid tokens clearer for users. We are planning to roll this behaviour out to all package reads — scoped and unscoped. Additionally, we will no longer support Basic auth used in conjunction with 2FA (two-factor authentication). Our recommendation is to use tokens, which are safer and support usage restrictions.
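To find out whether a project or CI job still relies on Basic auth rather than a token, its .npmrc can be audited by key name. The following is an added example, not code from the original post or from npm; the sample file contents, host names and encoded values are constructed, and the function names are hypothetical.

```javascript
// Added example, not npm's code. Classifies credential entries in .npmrc text
// as token-based or Basic-auth style, without echoing secret values.
const BASIC_KEYS = new Set(['_auth', '_password', 'username']);

function auditNpmrc(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) return; // blank or comment
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    // Registry-scoped keys look like "//host[:port]/path/:_authToken".
    const colon = key.lastIndexOf(':');
    const name = colon === -1 ? key : key.slice(colon + 1);
    const registry = colon === -1 ? '(unscoped)' : key.slice(0, colon);
    if (name === '_authToken') {
      // "${VAR}" means the token is read from the environment, not stored in the file.
      const fromEnv = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value);
      findings.push({ line: i + 1, registry, name, kind: 'token', fromEnv });
    } else if (BASIC_KEYS.has(name)) {
      findings.push({ line: i + 1, registry, name, kind: 'basic', fromEnv: false });
    }
  });
  return findings;
}

// Entries that should be replaced with a token.
function basicAuthEntries(findings) {
  return findings.filter((f) => f.kind === 'basic');
}

// Constructed sample input: hosts, user name and encoded values are made up.
const SAMPLE_NPMRC = [
  '# constructed sample .npmrc',
  '@myorg:registry=https://registry.npmjs.org/',
  '//registry.npmjs.org/:_authToken=${NPM_TOKEN}',
  '//npm.internal.example:4873/:username=ci-bot',
  '//npm.internal.example:4873/:_password=Y29uc3RydWN0ZWQ=',
  '_auth=Y2ktYm90OmNvbnN0cnVjdGVk',
].join('\n');

for (const f of auditNpmrc(SAMPLE_NPMRC)) {
  const note = f.kind === 'basic' ? 'Basic auth: replace with a token'
    : f.fromEnv ? 'token read from environment' : 'token stored in file';
  console.log(`line ${f.line} ${f.registry} ${f.name}: ${note}`);
}
```

After replacing any flagged entries, npm whoami confirms that the remaining token is valid.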

Watch this space for future updates about our infrastructure changes.