[BUG](libnpmpublish) About 4.0.1 upgrade npm-registry-fetch from 9.0.0 to 10.0.0

[gaokun]

What / Why

npm-registry-fetch version shows there are incompatible API changes.
And libnpmpublish use opts as params, not generate & use it inside.
So libnpmpublish just released above change as patch, is this ok?

What am I facing

In a word: I use lerna to publish packages, but failed by authorization.

Root Cause

Here are dependencies:

lerna@^4.0.0
   ┗━━ @lerna/publish@^4.0.0
          ┣━━npm-registry-fetch@^9.0.0
          ┗━━@lerna/npm-publish@^4.0.0
                ┗━━libnpmpublish@^4.0.0
                       ┗━━npm-registry-fetch@^10.0.0

lerna publishes package chain: @lerna/publish -> @lerna/npm-publish -> libnpmpublish
In fact, yarn installed libnpmpublish@4.0.1 coz ^4.0.0, it make sense.
So I have two version npm-registry-fetch,

@lerna/publish build opts via npm-registry-fetch@^9.0.0
and
libnpmpublish@4.0.1 get auth failed from opts via npm-registry-fetch@^10.0.0

Finally, I got error:
lerna ERR! E401 Unable to authenticate, need: BASIC realm="Sonatype Nexus Repository Manager"

Workaround

add this to package.json

{
  "resolutions": {
    "libnpmpublish": "4.0.0"
  },
}

Who

• @ruyadorno

I think we should release 4.0.2 to downgrade npm-registry-fetch to 9
then release 5.0.0 to upgrade it to 10

[gaokun]

@ruyadorno
Please check this when you are available.

Thank you
Ken

[dptoot]

This issue is essentially disallowing Lerna v4 from being used via private npm repos. Is there anyway we can address this?

[gaokun]

@nlf
Hi, could you please help to check this issue,

I notice that 4.0.2 was published, and upgrade npm-registry-fetch to 11

[lukekarrys]

This is handled by #4427.