This article suggests adding configuration to .npmrc in your project to associate a scope with a private registry to reduce the risk of a npm substitution attack (where someone might deliberately publish a malicious public package with the same name).

How can we achieve a similar effect in a Yarn 2 project? I've tried adding a .yarnrc.yml file in my project root:

    npmRegistryServer: https://npm.pkg.github.com

We also have a home-directory ~/.yarnrc.yml for each developer with similar configuration, but additionally with an appropriate npmAuthToken to authenticate.

However, when I do a yarn install, I get an Invalid authentication (as an anonymous user) error for packages in that scope. Presumably the project-specific .yarnrc.yml is overriding the settings from the per-user ~/.yarnrc.yml, so the auth information is no longer present?

The mitigation I'm after is that if a developer forgets to run yarn npm login, then it won't check the public registry for packages in a particular scope. Is there a way to do this in Yarn 2?

1 Answer 1


I just had the same problem. The problem is that you have to define the authentication per section (like pointed out in this issue comment). This also applies to npmRegistries.

    npmRegistryServer: <your-registry-server>
    npmAuthToken: <your-token>
    npmAlwaysAuth: true

Mind that duplicated configurations in hierarchical definitions of .yarnrc.yml won't be merged but replaced (see this comment). Thus, if npmScopes is already declared in the home directory it is overwritten by the declaration in the project.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

Not the answer you're looking for? Browse other questions tagged or ask your own question.