npm: Impossible to publish packages locally

[fgatti675]

Select Topic Area

Bug

Body

This has been discussed in other threads but all the workarounds that I was suggested still do not solve my problem.

If I do npm login, follow the flow, and then npm publish I always get the prompt:
? This operation requires a one-time password:
Since it is impossible to get a OTP at the moment and that message is probably coming from an outdated implementation, I can only assume something is fundamentally broken.
I need to urge you to fix this issue as it is really affecting our company at this point.

Also, the workaround I was using before of having a token in .npmrc just stopped working
In case it helps, our setup is a monorepo with a few packages.

I have even tryed reinstalling npm but no luck.

If I log out and rely only on the token I get this error instead:

lerna WARN notice Package failed to publish: package_name
lerna ERR! E404 Not found
lerna ERR! errno "undefined" is not a valid exit code - exiting with code 1

Please help

Edit: ALSO now for some reason my access tokens are being removed automatically??

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[thevibingteen]

This is not an npm bug — it’s usually caused by 2FA enforcement changes and auth config conflicts.

Try these steps:

1. Check your npm 2FA mode

Run:

npm profile get --json

If it shows:

"twoFactorAuth": "auth-and-writes"

then publishing always requires OTP.

Fix options:

Switch to token-based publishing (recommended for CI/teams)

Or change to auth-only (not recommended for orgs)

To disable OTP for publish (if allowed):

npm profile set two-factor-auth=auth-only

2. Regenerate AUTOMATION token (important)

Normal tokens now often fail for publish.

Go to:
👉 npmjs.com → Profile → Access Tokens
Create a new token with type:

✅ Automation

Then update .npmrc:

registry.npmjs.org/:_authToken=YOUR_NEW_TOKEN

Delete old tokens — they may auto-revoke.

3. Clear broken npm auth cache

Run:

npm logout
npm cache clean --force

Then login again OR use only token.

4. Fix Lerna 404 publish error

This happens when auth fails silently.

Also verify:

npm whoami

If it doesn’t return your username → auth is broken.

5. Make sure packages are public (if not scoped private)

In package.json:

"publishConfig": {
"access": "public"
}

About tokens being removed:

npm recently auto-revokes insecure or legacy tokens. That’s why your tokens disappear.

👉 Solution: Use Automation token + scoped permissions.

If this still fails, check npm status:
https://status.npmjs.org/

But 95% of the time this is solved by switching to Automation token.

[fgatti675]

@thevibingteen I am sorry but that just doesn't work
Do you work for npm?

[fgatti675]

Hey, I am still stuck with the same problem

[Clawz-123]

Thanks for the detailed report — this is usually not an npm bug, but a 2FA + auth-token configuration issue (very common with Lerna + monorepos).

Below is a step-by-step fix that has worked reliably.

1. Check your 2FA mode
   npm profile get --json

If you see:

"twoFactorAuth": "auth-and-writes"

Then OTP is required only for password-based login.
Tokens bypass OTP completely, so you don’t need to change this.

2. Create a new token (important)

Go to:

npmjs.com → Profile → Access Tokens → Generate New Token

Choose one:

Publish → for local development

Automation → for CI

(Older / legacy tokens are often auto-revoked now.)

3. Configure token in the correct place

Edit your user npmrc:

~/.npmrc

Add:

registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=YOUR_NEW_TOKEN

Make sure:

No token is stored in project .npmrc

Remove old entries like _auth, username, email

Check which file npm uses:

npm config get userconfig

4. Stop using npm login

Run once:

npm logout

Then do not run npm login again — it overwrites token auth and re-enables OTP.

5. Verify auth
   npm whoami

Should print your username.

If not → npm is not reading your token.

6. Fix Lerna E404 during publish

This usually means auth failed silently.

Also ensure scoped packages are public:

"publishConfig": {
"access": "public"
}

or:

lerna publish --access public

7. About tokens being removed automatically

npm now auto-revokes:

legacy tokens

insecure tokens

over-privileged tokens

Creating a new Publish or Automation token fixes this.

8. (Optional) Change 2FA mode syntax (npm v11+)

If you really want to disable OTP for publishing:

npm profile set two-factor-auth auth-only

(Note: not recommended for org accounts.)

9. Final test
   npm whoami
   lerna publish --dry-run

If there’s no OTP prompt → setup is correct.

Hope this helps — this setup is currently the most reliable way to publish with 2FA + Lerna.

[fgatti675]

Thank you for your answer, I am carefully following your indications.
I get stuck at this step:

Verify auth
npm whoami
Should print your username.

If not → npm is not reading your token.

After creating a token and adding it to my user I get this error (while logged out):

➜  git:(main) ✗ npm whoami

npm error code ENEEDAUTH
npm error need auth This command requires you to be logged in.
npm error need auth You need to authorize this machine using `npm adduser`

and the log:

0 verbose cli /Users/MY_USER/.nvm/versions/node/v22.22.0/bin/node /Users/MY_USER/.nvm/versions/node/v22.22.0/bin/npm
1 info using npm@10.9.4
2 info using node@v22.22.0
3 silly config load:file:/Users/MY_USER/.nvm/versions/node/v22.22.0/lib/node_modules/npm/npmrc
4 silly config load:file:/Users/MY_USER/firecms/.npmrc
5 silly config load:file:/Users/MY_USER/.npmrc
6 silly config load:file:/Users/MY_USER/.nvm/versions/node/v22.22.0/etc/npmrc
7 verbose title npm whoami
8 verbose argv "whoami"
9 verbose logfile logs-max:10 dir:/Users/MY_USER/.npm/_logs/2026-01-29T16_26_42_076Z-
10 verbose logfile /Users/MY_USER/.npm/_logs/2026-01-29T16_26_42_076Z-debug-0.log
11 silly logfile start cleaning logs, removing 1 files
12 silly logfile done cleaning log files
13 verbose stack Error: This command requires you to be logged in.
13 verbose stack     at module.exports (/Users/MY_USER/.nvm/versions/node/v22.22.0/lib/node_modules/npm/lib/utils/get-identity.js:23:5)
13 verbose stack     at Whoami.exec (/Users/MY_USER/.nvm/versions/node/v22.22.0/lib/node_modules/npm/lib/commands/whoami.js:11:28)
13 verbose stack     at /Users/MY_USER/.nvm/versions/node/v22.22.0/lib/node_modules/npm/lib/npm.js:255:63
13 verbose stack     at Object.start (/Users/MY_USER/.nvm/versions/node/v22.22.0/lib/node_modules/npm/node_modules/proc-log/lib/index.js:101:21)
13 verbose stack     at #exec (/Users/MY_USER/.nvm/versions/node/v22.22.0/lib/node_modules/npm/lib/npm.js:254:17)
13 verbose stack     at async Npm.exec (/Users/MY_USER/.nvm/versions/node/v22.22.0/lib/node_modules/npm/lib/npm.js:207:9)
13 verbose stack     at async module.exports (/Users/MY_USER/.nvm/versions/node/v22.22.0/lib/node_modules/npm/lib/cli/entry.js:74:5)
14 error code ENEEDAUTH
15 error need auth This command requires you to be logged in.
16 error need auth You need to authorize this machine using `npm adduser`
17 verbose cwd /Users/MY_USER/firecms
18 verbose os Darwin 25.2.0
19 verbose node v22.22.0
20 verbose npm  v10.9.4
21 verbose exit 1
22 verbose code 1
23 error A complete log of this run can be found in: /Users/MY_USER/.npm/_logs/2026-01-29T16_26_42_076Z-debug-0.log

by the wa, my profile says:

➜  git:(main) ✗ npm profile get --json

{
  "tfa": {
    "pending": null,
    "mode": "auth-and-writes"
  },
  "name": "...",
  "email": "...",
  "email_verified": true,
  "created": "...",
  "updated": "...",
  "fullname": "...",
  "github": "..."
}

I guess this is fine:

➜  git:(main) ✗ npm config get userconfig
/Users/MY_USER/.npmrc

I really need to get this fixed ASAP

[fgatti675]

@Clawz-123

[fgatti675]

We still have this issue, this is causing a lot of harm to our company, and have customers complaining.
It is 3 weeks since we have been unable to deploy a bugfix.
The solutions you are providing seem just copy pasted, and are likely updated. For example, this path is wrong:
npmjs.com → Profile → Access Tokens → Generate New Token

I need help urgently, is there any one I can talk to or anything else to try?