"Host key verification failed." for github npm package, lockfileVersion@2

This seems specifically related to the package-lock.json lockfileVersion. Downgrading to lockfileVersion@1 resolved this, but hoping it can be fixed on the eas build server:

  • Our build at commit 4902e47 failed with the below error
  • Our build at commit 14f9b3b succeeded - the only change in between was the lockfileVersion

eas build logs:

Running npm in the root dir of your repository 
[stderr] npm
[stderr] WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!
[stderr] npm ERR! Error while executing:
[stderr] npm ERR! /usr/bin/git ls-remote -h -t ssh://git@github.com/[redacted].git
[stderr] npm ERR! 
[stderr] npm ERR! Host key verification failed.
[stderr] npm ERR! fatal: Could not read from remote repository.
[stderr] npm ERR! 
[stderr] npm ERR! Please make sure you have the correct access rights
[stderr] npm ERR! and the repository exists.
[stderr] npm ERR! 
[stderr] npm ERR! exited with error code: 128
[stderr] 
[stderr] npm ERR! A complete log of this run can be found in:
[stderr] npm ERR!     /root/.npm/_logs/2021-12-02T06_34_58_696Z-debug.log
npm exited with non-zero code: 1

Note: The GH repo is public, so that’s not the issue, just redacting for privacy.

Thanks!

You can upgrade the version of node (and npm) via the node field in eas.json to a version that supports new lockfiles.

1 Like

That fixed it, thank you wkozyra!

Hey @wkozyra @markstreich! I’m getting the exact same error, but I tried adding the node version to my eas.json file, but that still gave the same error. My file just looks like this:

{
  "cli": {
    "version": ">= 3.4.1"
  },
  "build": {
    "base": {
      "node": "16.14.0",
      "yarn": "1.22.15",
      "android": {
        "image": "default",
        "env": {
          "PLATFORM": "android"
        }
      },
      "ios": {
        "image": "latest",
        "env": {
          "PLATFORM": "ios"
        }
      }
    },
    "development": {
      "developmentClient": true,
      "distribution": "internal",
      "ios": {
        "resourceClass": "m1-medium"
      }
    },
    "preview": {
      "distribution": "internal",
      "ios": {
        "resourceClass": "m1-medium"
      }
    },
    "production": {
      "ios": {
        "resourceClass": "m1-medium"
      }
    }
  },
  "submit": {
    "production": {}
  }
}

What am I missing?

I think you need the npm (not just node) version, this is what I used:

    "build_defaults": {
      "node": "16.13.0",
      "npm": "8.1.0"
    },

Thanks! I just tried that, but I’m getting the following error: InvalidEasJsonError: eas.json is not valid. - "build.base.npm" is not allowed

This is the eas.json file now (removed the other parts here to just show what’s relevant)

"build": {
    "base": {
      "node": "16.14.0",
      "npm": "8.3.1",
      "yarn": "1.22.15",
      "android": {
        "image": "default",
        "env": {
          "PLATFORM": "android"
        }
      },
      "ios": {
        "image": "latest",
        "env": {
          "PLATFORM": "ios"
        }
      }
    },

I tried renaming things to build_defaults and moving the lines to another section, but it gives a similar flavor of something.something.npm not allowed or build_defaults not allowed.

Sorry, I see now that npm isn’t listed in the eas-json docs (I removed it later and don’t recall why), and I also removed the node version when upgrading to Expo 45. My commit history is vague and my memory is fuzzy, so I might not be much help.

Are you getting the “This version of npm is compatible with lockfileVersion” message, or just the “Host key verification failed” error?

1 Like

I realized my error message is slightly different (yarn vs. npm), but still shows a similar result of “Host key verification failed”:

Running "yarn install" in the root dir of your repository 
yarn install v1.22.17
[stderr] warning package-lock.json found. Your project contains lock files generated by tools other than Yarn. It is advised not to mix package managers in order to avoid resolution inconsistencies caused by unsynchronized lock files. To clear this warning, remove package-lock.json.
[1/4] Resolving packages...
[2/4] Fetching packages...
[stderr] warning mini-css-extract-plugin@0.5.0: Invalid bin field for "mini-css-extract-plugin".
[stderr] error Command failed.
[stderr] Exit code: 128
[stderr] Command: git
[stderr] Arguments: ls-remote --tags --heads ssh://git@github.com/[public repository].git
[stderr] Directory: /home/expo/workingdir/build
[stderr] Output:
[stderr] Host key verification failed.
[stderr] fatal: Could not read from remote repository.
[stderr] 
[stderr] Please make sure you have the correct access rights
[stderr] and the repository exists.
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
yarn exited with non-zero code: 128

Just purely guessing at this point, but would try deleting package-lock.json, and/or switching from yarn to npm 🤷

If the repo is fetched via ssh you need to have your ssh key configured even for a public repo. You need to change that dependency to clone over https instead to do that without credentials.

2 Likes
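To find which dependencies are still fetched over SSH, as the reply above advises changing, here is an added Node.js example (not part of the thread or of Expo's tooling) that scans package.json and package-lock.json objects for SSH git specifiers and prints the HTTPS form. The package names and URLs are constructed sample data; only top-level lockfile entries are checked.

```javascript
// Added example; sample data is constructed. Assumes no explicit port in the SSH URL.
const SSH_FORMS = [
  /^(?:git\+)?ssh:\/\/git@([^/:]+)[/:](.+)$/, // git+ssh://git@host/owner/repo.git#ref
  /^git@([^/:]+):(.+)$/,                      // scp style: git@host:owner/repo.git#ref
];

// Return the git+https form of an SSH git specifier, or null for anything else.
function toHttps(spec) {
  if (typeof spec !== 'string') return null;
  for (const re of SSH_FORMS) {
    const m = re.exec(spec);
    if (m) return `git+https://${m[1]}/${m[2]}`;
  }
  return null;
}

// Collect every SSH git specifier in package.json and package-lock.json objects.
function findSshGitDeps(pkg = {}, lock = {}) {
  const hits = [];
  const check = (where, name, spec) => {
    const https = toHttps(spec);
    if (https) hits.push({ where, name, spec, https });
  };
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) check(field, name, spec);
  }
  // lockfileVersion 2: "packages" entries carry the git URL in "resolved"
  for (const [name, e] of Object.entries(lock.packages || {})) check('lock.packages', name, e.resolved);
  // lockfileVersion 1 layout: top-level "dependencies" entries carry it in "version"
  for (const [name, e] of Object.entries(lock.dependencies || {})) check('lock.dependencies', name, e.version);
  return hits;
}

const samplePkg = {
  dependencies: {
    'example-lib': 'git+ssh://git@github.com/example-org/example-lib.git#v1.2.0',
    'left-pad': '^1.3.0',
  },
};
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/example-lib': { resolved: 'git+ssh://git@github.com/example-org/example-lib.git#0123456789abcdef0123456789abcdef01234567' },
    'node_modules/left-pad': { resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
  },
};
for (const h of findSshGitDeps(samplePkg, sampleLock)) {
  console.log(`${h.where} ${h.name}: ${h.spec} -> ${h.https}`);
}
```

After changing a specifier in package.json, regenerate the lockfile with the package manager so its recorded URLs change too.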

This means that SSH could not verify the server’s (github.com) host key. Most likely because there’s no ~/.ssh/known_hosts file on the build worker.

The known_hosts file can be generated using ssh-keyscan as shown in the Git Submodule docs: Use Git Submodules - Expo Documentation

There is a risk that someone will be able to get between the build worker and github.com and intercept the traffic (and potentially modify it) if you do this. There are ways around this (e.g. store the host key in an EAS Secret and write it from there to the ~/.ssh/known_hosts file during the build.) That would sort out the “Host key verification failed” error, but you’d still need to use a client key to fetch from the repository.

So as wkozyra says, since this is a public repository, you’d be better off just switching to https instead of ssh.

1 Like
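The alternative to ssh-keyscan mentioned in the post above, writing a stored host key to known_hosts, sketched as an added Node.js example (not from the thread or Expo's docs). It goes one step further than the post by checking the stored line against a pinned fingerprint before writing it; the key blob is constructed, and in a real build the pin would be a literal taken from GitHub's published SSH key fingerprints.

```javascript
// Added example. The key blob is constructed, not a real host key.
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// OpenSSH-style fingerprint: "SHA256:" + unpadded base64 of SHA-256 over the key blob.
function fingerprint(keyBase64) {
  const digest = crypto.createHash('sha256').update(Buffer.from(keyBase64, 'base64')).digest('base64');
  return 'SHA256:' + digest.replace(/=+$/, '');
}

// Accept exactly one "host keytype base64key" line, for the expected host,
// whose key hashes to the pinned fingerprint. Throws on anything else.
function pinnedKnownHostsLine(secret, host, pinnedFingerprint) {
  const lines = String(secret || '').split('\n').map((l) => l.trim()).filter(Boolean);
  if (lines.length !== 1) throw new Error('expected exactly one known_hosts line');
  const [hosts, keyType, key] = lines[0].split(/\s+/);
  if (!hosts || !keyType || !key) throw new Error('malformed known_hosts line');
  if (!hosts.split(',').includes(host)) throw new Error(`line is not for ${host}`);
  if (fingerprint(key) !== pinnedFingerprint) throw new Error('host key does not match the pin');
  return `${hosts} ${keyType} ${key}\n`;
}

// Write the validated line with owner-only permissions.
function writeKnownHosts(file, line) {
  fs.mkdirSync(path.dirname(file), { recursive: true, mode: 0o700 });
  fs.writeFileSync(file, line, { mode: 0o600 });
}

// Constructed stand-ins. In a build, the line would come from the secret's
// environment variable and the pin would be a literal copied from GitHub's
// published SSH key fingerprints.
const SAMPLE_KEY = Buffer.from('constructed key blob, not a real host key').toString('base64');
const SAMPLE_SECRET = `github.com ssh-ed25519 ${SAMPLE_KEY}`;
const SAMPLE_PIN = fingerprint(SAMPLE_KEY);

// Demo writes under a temp directory, not the real ~/.ssh.
const demoFile = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'kh-')), '.ssh', 'known_hosts');
writeKnownHosts(demoFile, pinnedKnownHostsLine(SAMPLE_SECRET, 'github.com', SAMPLE_PIN));
console.log(`wrote ${demoFile}`);
```

A mismatch makes the build fail before any git fetch runs, which is the behaviour wanted when the stored key and the published fingerprint disagree.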