Problem
PR #7361 (Dependabot bump of minimatch + azure-pipelines-task-lib) has been blocked for 2 days by intermittent npm E401 errors in the "Build Azure DevOps plugin" CI step. The dependency changes are not the cause — it's a build infrastructure issue.
Error
npm error code E401
npm error Unable to authenticate, your authentication token seems to be invalid.
Occurs during npm ci in src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript/azure-devops-report/tasks/PublishAIEvaluationReport.
Root Cause
The project .npmrc points to pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/ — a public feed (confirmed: returns HTTP 200 without auth). However, some NetCore-Public pool agents have stale npm auth tokens in their user-level .npmrc (C:\Users\cloudtest\.npmrc). When npm finds matching credentials for the registry scope, it sends them instead of using anonymous access. The server rejects the stale token with E401.
Evidence: Two different agents failed across two separate builds, while other agents in the same builds succeeded:
| Build |
Agent |
Result |
| 20260306.1 |
NetCore-Public 109 |
❌ E401 |
| 20260306.1 |
NetCore-Public 126 |
✅ Passed |
| 20260305.12 |
NetCore-Public 68 |
❌ E401 |
All other recent builds (main, other PRs) succeeded because they happened to land on clean agents.
Suggested Fixes
Option A — Pipeline fix (recommended): Add an npmAuthenticate@0 task before the npm ci step in the pipeline YAML. This provides a fresh token on every build, overriding stale user-level credentials.
Option B — Project .npmrc fix: Add always-auth=false to the project .npmrc. Since the feed is public, this tells npm not to send credentials even if the agent has them.
Option C — Agent cleanup: Report agents NetCore-Public 68 and 109 to dnceng infra to clean stale C:\Users\cloudtest\.npmrc credentials. This fixes the symptom but not the underlying fragility.
Impact
PR #7361 is a Dependabot security fix (minimatch ReDoS vulnerability). It's been blocked for 2 days by this infra issue.
cc @dotnet/extensions-team
Problem
PR #7361 (Dependabot bump of minimatch + azure-pipelines-task-lib) has been blocked for 2 days by intermittent npm E401 errors in the "Build Azure DevOps plugin" CI step. The dependency changes are not the cause — it's a build infrastructure issue.
Error
Occurs during
npm ciinsrc/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript/azure-devops-report/tasks/PublishAIEvaluationReport.Root Cause
The project
.npmrcpoints topkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/— a public feed (confirmed: returns HTTP 200 without auth). However, someNetCore-Publicpool agents have stale npm auth tokens in their user-level.npmrc(C:\Users\cloudtest\.npmrc). When npm finds matching credentials for the registry scope, it sends them instead of using anonymous access. The server rejects the stale token with E401.Evidence: Two different agents failed across two separate builds, while other agents in the same builds succeeded:
All other recent builds (main, other PRs) succeeded because they happened to land on clean agents.
Suggested Fixes
Option A — Pipeline fix (recommended): Add an
npmAuthenticate@0task before thenpm cistep in the pipeline YAML. This provides a fresh token on every build, overriding stale user-level credentials.Option B — Project .npmrc fix: Add
always-auth=falseto the project.npmrc. Since the feed is public, this tells npm not to send credentials even if the agent has them.Option C — Agent cleanup: Report agents NetCore-Public 68 and 109 to dnceng infra to clean stale
C:\Users\cloudtest\.npmrccredentials. This fixes the symptom but not the underlying fragility.Impact
PR #7361 is a Dependabot security fix (minimatch ReDoS vulnerability). It's been blocked for 2 days by this infra issue.
cc @dotnet/extensions-team