When a yarn command is executed, it gives a security error for unauthorized access.
yarn : File %FILEPATH%yarn.ps1 cannot be loaded because running scripts is disabled on this
system. For more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ yarn start
+ ~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
But it can be bypassed using the command shown below.
powershell -ExecutionPolicy Bypass -File '%FILEPATH%yarn.ps1' yarn start
All the npm commands are working fine and the errors only occurred when executing the yarn commands. The commands were run on the Windows 10 operating system.
Is there a way to execute the yarn commands in the regular way (just executing the command as yarn start)?
asked Jan 2, 2022 at 6:39
It seems to be a bug in PowerShell.
Have you installed node on your system?
Try to uninstall yarn and try to install it with the installer.
This will give you a .msi file that when run will walk you through installing Yarn on Windows.
If you use the installer you will first need to install Node.js.
If it does not work, you can use the command described in this link:
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
also this link could help you
answered Jan 2, 2022 at 7:05
Closed
mmieluch opened this issue Sep 4, 2017 · 8 comments
Do you want to request a feature or report a bug?
Bug
What is the current behavior?
yarn install reports 401 Unauthorized error when trying to install public packages. I tried running yarn login and yarn cache clean — to no effect. NPM is able to install without any issues.
HOWEVER Yarn doesn’t always fail on the same package. It seems to get stuck periodically on one, and then complain about another package (also public) some time later.
Here’s the example of yarn-error.log.
If the current behavior is a bug, please provide the steps to reproduce.
git clone https://github.com/nuxt/example-auth0.git
cd example-auth0
yarn install
Please mention your node.js, yarn and operating system version.
Node: 8.4.0 (installed using NVM)
NPM: 5.3.0 (installed using NVM)
OS: macOS 10.12.6
Yarn: 0.27.5 (installed using Homebrew)
Also tried with yarn v0.28.4, but it fails with the same response.
Can you try one of the latest nightlies? I just landed a patch that affects git fetches.
Unfortunately — no success 
$ yarn --version
1.0.0-20170905.1031
$ which yarn
/Users/michal/.yarn/bin/yarn
$ yarn install --verbose
yarn install v1.0.0-20170905.1031
verbose 0.615 Checking for configuration file "/Users/michal/tmp/example-auth0/.npmrc".
verbose 0.616 Checking for configuration file "/Users/michal/.npmrc".
verbose 0.616 Found configuration file "/Users/michal/.npmrc".
verbose 0.616 Checking for configuration file "/Users/michal/.nvm/versions/node/v8.4.0/etc/npmrc".
verbose 0.617 Checking for configuration file "/Users/michal/tmp/example-auth0/.npmrc".
verbose 0.617 Checking for configuration file "/Users/michal/tmp/.npmrc".
verbose 0.617 Checking for configuration file "/Users/michal/.npmrc".
verbose 0.617 Found configuration file "/Users/michal/.npmrc".
verbose 0.617 Checking for configuration file "/Users/.npmrc".
verbose 0.619 Checking for configuration file "/Users/michal/tmp/example-auth0/.yarnrc".
verbose 0.62 Checking for configuration file "/Users/michal/.yarnrc".
verbose 0.62 Found configuration file "/Users/michal/.yarnrc".
verbose 0.62 Checking for configuration file "/Users/michal/.nvm/versions/node/v8.4.0/etc/yarnrc".
verbose 0.626 Checking for configuration file "/Users/michal/tmp/example-auth0/.yarnrc".
verbose 0.626 Checking for configuration file "/Users/michal/tmp/.yarnrc".
verbose 0.626 Checking for configuration file "/Users/michal/.yarnrc".
verbose 0.626 Found configuration file "/Users/michal/.yarnrc".
verbose 0.626 Checking for configuration file "/Users/.yarnrc".
verbose 0.63 current time: 2017-09-05T11:38:38.323Z
[1/4] 🔍 Resolving packages...
[2/4] 🚚 Fetching packages...
verbose 1.335 Performing "GET" request to "https://repository.neo9.pro/content/groups/global-npm/auth0-js/-/auth0-js-8.6.0.tgz".
verbose 1.343 Performing "GET" request to "https://repository.neo9.pro/content/groups/global-npm/blueimp-md5/-/blueimp-md5-2.3.1.tgz".
verbose 1.345 Performing "GET" request to "https://repository.neo9.pro/content/groups/global-npm/immutable/-/immutable-3.8.1.tgz".
verbose 1.372 Performing "GET" request to "https://repository.neo9.pro/content/groups/global-npm/auth0-lock/-/auth0-lock-10.15.1.tgz".
verbose 1.374 Performing "GET" request to "https://repository.neo9.pro/content/groups/global-npm/fbjs/-/fbjs-0.3.2.tgz".
verbose 1.377 Performing "GET" request to "https://repository.neo9.pro/content/groups/global-npm/jsonp/-/jsonp-0.2.1.tgz".
verbose 1.7 Performing "GET" request to "https://repository.neo9.pro/content/groups/global-npm/idtoken-verifier/-/idtoken-verifier-1.0.1.tgz".
verbose 1.702 Performing "GET" request to "https://repository.neo9.pro/content/groups/global-npm/password-sheriff/-/password-sheriff-1.1.0.tgz".
verbose 1.788 Error: https://repository.neo9.pro/content/groups/global-npm/auth0-js/-/auth0-js-8.6.0.tgz: Request failed "401 Unauthorized"
    at Request.<anonymous> (/Users/michal/.yarn/lib/cli.js:57615:26)
    at emitOne (events.js:115:13)
    at Request.emit (events.js:210:7)
    at Request.module.exports.Request.onRequestResponse (/Users/michal/.yarn/lib/cli.js:118162:10)
    at emitOne (events.js:115:13)
    at ClientRequest.emit (events.js:210:7)
    at HTTPParser.parserOnIncomingClient (_http_client.js:565:21)
    at HTTPParser.parserOnHeadersComplete (_http_common.js:116:23)
    at TLSSocket.socketOnData (_http_client.js:454:20)
    at emitOne (events.js:115:13)
error An unexpected error occurred: "https://repository.neo9.pro/content/groups/global-npm/auth0-js/-/auth0-js-8.6.0.tgz: Request failed "401 Unauthorized"".
info If you think this is a bug, please open a bug report with the information provided in "/Users/michal/tmp/example-auth0/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
Here’s the yarn-error.log
@BYK There’s something funny going on with packages in that repository. It wasn’t only that package that was causing the installer command to fail. I’m gonna do a bit more digging and get back to you. Thanks for your help, I’ll keep you posted.
@BYK Something’s definitely not right. Package in this version should be available publicly. NPM has no issues fetching the archive, and it resolves it to
https://registry.npmjs.org/auth0-lock/-/auth0-lock-10.15.1.tgz
whereas Yarn resolves it to the file in Neo9 you quoted.
The package in 10.15.1 version is not that old — it was published on 25 April 2017: link.
The newer version downloads correctly, but it has a dependency, that has not been updated in some time — and that dependency is also publicly unavailable via Yarn, but is fetchable just fine by NPM.
So if the package is publicly available in NPM, shouldn’t it also be in the same state in Yarn repositories? I’m not gonna lie, I know virtually nothing about mirroring mechanisms that Yarn implements, so if there’s an obvious user error I’m making here — let me know.
Huge thank you for your patience.
@mmieluch the weird part is Yarn resolving it to something with https://repository.neo9.pro. Either you have a proxy or have an interesting configuration or this is in your yarn.lock file from a previous person. I suggest checking your yarn.lock file and replacing references to this domain with either https://registry.yarnpkg.com/ or https://registry.npmjs.org/.
If that doesn’t help, please share your yarn configuration (yarn config list) so we can investigate more. Be careful when you’re sharing your config since it may contain sensitive information like auth codes etc. Make sure to redact them from the output before sharing.
Huge thank you for your patience.
Not at all! Thanks for sticking and helping with debugging!
@BYK You’re absolutely right, can’t believe I missed that… Flushing the lock file and updating dependencies ran flawlessly, resolving to https://registry.yarnpkg.com/. I’m not behind a proxy, but the project author probably was — and he committed the proxied lock file.
Thanks again for all the help. I’ll file an issue with the original repository I mentioned in my first post. Cheers!
Closing.
security bug: ‘yarn add compression’ bounces off ssl firewall. ‘npm add compression’ succeeds through the firewall.
the steps to reproduce
- access internet through a firewall permitting only https.
- execute ‘yarn add compression’ or any other packages dependent on compression.
What is the expected behavior?
‘yarn add’ retrieves all packages using ssl.
N.B.) Regression work around: ‘yarn add compression@1.7.1’
$ yarn add compression
yarn add v1.6.0
[1/4] Resolving packages…
[2/4] Fetching packages…
error An unexpected error occurred: "http://registry.npmjs.org/compression/-/compression-1.7.2.tgz: connect EHOSTUNREACH 151.110.252.111:80".
info If you think this is a bug, please open a bug report with the information provided in "/home/user/foo/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.
yarn-error.log:
Arguments:
/usr/bin/node /usr/local/bin/yarn add compression
PATH:
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
Yarn version:
1.6.0
Node version:
9.11.1
Platform:
linux x64
Trace:
Error: connect EHOSTUNREACH 151.110.252.111:80
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1174:14)
npm manifest:
{
  "name": "foo",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "dependencies": {},
  "devDependencies": {},
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}
yarn manifest:
No manifest
Lockfile:
THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
yarn lockfile v1
Versions
nodejs=9.11.1-1nodesource1
yarn=1.6.0-1
OS=debian-9
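Both reports above come down to what the `resolved` URLs in yarn.lock point at: a third-party proxy host in the first issue, a plain `http://` registry URL in the second. The following is an added example, not code from either issue or from Yarn, of a check that flags such entries; the allowlist, the function names and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: audit which hosts a v1 yarn.lock fetches tarballs from. TRUSTED_HOSTS is an assumed allowlist.
const TRUSTED_HOSTS = new Set(["registry.yarnpkg.com", "registry.npmjs.org"]);
// Split the lockfile into entries: an unindented header line, then
// two-space-indented `key value` fields (nested dependency lists are skipped).
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!/^\s/.test(line)) {
      current = { header: line.replace(/:\s*$/, ""), fields: {} };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^ {2}(\S+)\s+"?([^"]*)"?\s*$/);
      if (m) current.fields[m[1]] = m[2];
    }
  }
  return entries;
}

// Report entries fetched over a non-HTTPS scheme, from a host outside the allowlist,
// or without an integrity hash (lockfiles written by older Yarn releases lack it).
function auditLockfile(text, trustedHosts = TRUSTED_HOSTS) {
  const findings = [];
  for (const { header, fields } of parseYarnLock(text)) {
    if (!fields.resolved) continue;
    let url;
    try { url = new URL(fields.resolved); } catch (e) {
      findings.push({ header, issue: "unparseable-url" });
      continue;
    }
    if (url.protocol !== "https:") findings.push({ header, issue: "insecure-scheme" });
    if (!trustedHosts.has(url.hostname)) findings.push({ header, issue: "untrusted-host" });
    if (!fields.integrity) findings.push({ header, issue: "missing-integrity" });
  }
  return findings;
}

// Constructed sample: the URLs are the ones quoted in the two issues; ranges and hashes are placeholders.
const SAMPLE_LOCK = `# yarn lockfile v1
auth0-js@^8.6.0:
  version "8.6.0"
  resolved "https://repository.neo9.pro/content/groups/global-npm/auth0-js/-/auth0-js-8.6.0.tgz#0000"
  integrity sha512-PLACEHOLDER
compression@^1.7.2:
  version "1.7.2"
  resolved "http://registry.npmjs.org/compression/-/compression-1.7.2.tgz#0000"
`;
console.log(auditLockfile(SAMPLE_LOCK));
```

Run against a real lockfile in CI, a non-empty result is a reason to stop the build and review where the lockfile came from; git and file dependencies are reported as non-HTTPS and need their own allowlist.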
On a brand new machine, when trying to run custom scripts like npm, yarn or any node modules, you might run into an error similar to the one below.
yarn : File C:\Program Files\nodejs\yarn.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ yarn
+ ~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
To fix it, open PowerShell as administrator. Again, make sure to run this in PowerShell, not in the regular command prompt (cmd). Copy and paste the code below and run it.
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
This sets the execution policy for the current user to Unrestricted, which permits any script to run in PowerShell on your PC. You only have to do this once and any future yarn or npm commands will run successfully.
Hope this quick tip helps you solve why yarn or npm is not running on your PC. The same will be true for Ruby’s bundler to manage gems, or Python’s pip package manager.
The post Fix Unable to Run Yarn in Windows Terminal – PowerShell appeared first on Next of Windows.
May 13, 2020
javascript npm yarn security vulnerability english
Intro
Not so long ago GitHub introduced security alerts.
So a lot of developers started to use them in their applications to make them secure. However, we still face cases where third-party packages from your package.json dependencies have vulnerabilities, and in that case it is not so obvious how to fix those issues.
But we have some options for fixing them.
NPM/Yarn update
npm update or yarn upgrade
This is the simplest way to fix a security issue, but sometimes it doesn’t work, because it may cause updates to many packages and, as a result, require deep testing of your app.
NPM packages
If you are using an npm version greater than 6, you can use a pretty good instrument:
Show only potential vulnerabilities in your dependencies:
npm audit
Execute vulnerabilities fix mechanism:
npm audit fix
- Remove node_modules before running this command.
- I do not recommend using the --force flag here, because in that case npm audit will override some deps, which might not be compatible with existing ones.
Yarn packages
Yarn also has a yarn audit mechanism, but it has no yarn audit fix mechanism, so in most cases you have to fix these issues manually. Here is how it works, using the minimist package as an example:
- Add a resolutions key to your package.json file:
  - This resolution will override minimist across your entire project:
    { "resolutions": { "minimist": "^1.2.5" } }
  - But in most cases that change could break your app, so I would suggest a more targeted approach. Let’s see how it works using the package-merge-lodash-4 package as an example. Audit says that lodash@3.9.3 has vulnerabilities. We can also check them here: https://snyk.io/test/npm/lodash/3.9.3. That resource suggests upgrading lodash@3.9.3 -> 4.17.12, so let’s do it:
    { "resolutions": { "package-merge-lodash-4/*/lodash": "4.17.12" } }
- Use npm-force-resolutions (https://www.npmjs.com/package/npm-force-resolutions) by adding a preinstall command under the "scripts" category:
  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  }
- Run npm install.
That’s it. It will update your package-lock.json/yarn.lock files accordingly. This solves dependency issues that cannot be fixed either with npm update or by uninstalling and reinstalling a dependency.
When overriding all versions of minimist to v1.2.5, yarn.lock will look like:
[email protected], [email protected], minimist@^1.1.0, minimist@^1.1.1, minimist@^1.1.3, minimist@^1.2.0, minimist@^1.2.5, minimist@~0.0.1:
version "1.2.5"
resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==
In the case of lodash, our yarn.lock will contain the following lines:
[email protected], lodash@^3.9.3:
version "4.17.12"
resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.12.tgz#a712c74fdc31f7ecb20fe44f157d802d208097ef"
integrity sha512-+CiwtLnsJhX03p20mwXuvhoebatoh5B3tt+VvYlrPgZC1g36y+RRbkufX95Xa+X4I59aWEacDFYwnJZiyB
Please keep in mind if some packages are only compatible with an older version, then this change might break your app. So be careful while resolving to a particular version and test your app before releasing this change.
Useful links
- npm audit
- yarn audit
- Detailed information and remediation guidance for known vulnerabilities
Happy vulnerability fixing, and keep your code safe! ✌🏼

