This repository was archived by the owner on May 14, 2026. It is now read-only.
Background
#476 landed proxy support but the TLS / local-address subset of pnpm's isIniConfigKey allow-list is still unparsed:
ca, cafile, cert, key — TLS client/server cert configuration
strict-ssl — toggle for danger_accept_invalid_certs
local-address — outbound interface pin (reqwest::ClientBuilder::local_address)
Today the leftover placeholder comment at crates/config/src/npmrc_auth.rs:26 still lists "TLS" as not-yet-supported. Corporate environments that need a proxy (just shipped in #476) almost always need at least ca / cafile too, so this is the natural pairing PR.
What to do
Extend NpmrcAuth with ca, cafile, cert, key, strict_ssl, local_address fields. Parse them in from_ini::<Api> alongside the proxy keys.
Add a TlsConfig (and either reuse ProxyConfig's file as a network_config.rs or introduce a new crates/network/src/tls.rs). Wire it into ThrottledClient::for_installs via reqwest's:
Client::builder().add_root_certificate(Certificate::from_pem(...))
Client::builder().identity(Identity::from_pem(...)) — cert + key combined
Client::builder().danger_accept_invalid_certs(!strict_ssl)
Client::builder().local_address(IpAddr)
cafile reads from a path; ca is the cert text inline. Same shape on the cert side. Pnpm reads cafile as a file path and ca as a literal or \n-delimited list (see pnpm/config/reader/src/index.ts).
Add a TlsError (load-time, ERR_PNPM_INVALID_CA / ERR_PNPM_INVALID_CERT / ERR_PNPM_INVALID_KEY — match upstream codes where they exist; otherwise something close).
Drop "TLS" from the placeholder comment at crates/config/src/npmrc_auth.rs:26 and from the Config::current docstring at crates/config/src/lib.rs:607-614. They were updated for proxy support; TLS should follow the same pattern.
Tests:
Parse arms in crates/config/src/npmrc_auth/tests.rs for each key.
Cascade-style test for ca (inline) vs cafile (path).
Build smoke tests in crates/network/src/tests.rs — for_installs builds with valid ca / cert / key, errors on malformed PEM.
One mockito integration test that pins strict_ssl: false accepting a self-signed cert? Hard with mockito's HTTPS plumbing; may be out of scope.
Out of scope
CLI flag versions of these keys (--ca, --strict-ssl). Tracked separately.
npm-style key:passphrase parsing if upstream doesn't do it.
Per-registry TLS (//host/:cafile) — same scoped-key shape as auth, may need its own follow-up.
Upstream references
config/reader/src/Config.ts:120-140 — field declarations
network/fetch/src/dispatcher.ts — Agent-level TLS wiring (undici equivalents of reqwest's builder calls)
Written by an agent (Claude Code, claude-opus-4-7).
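An added example, not part of the issue or the project's code: load-time validation of the ca / cafile value described above, splitting it into one PEM block per certificate and failing with ERR_PNPM_INVALID_CA on malformed input. The shape of TlsError, the name split_ca_bundle and the treatment of a literal \n as a line break are assumptions; passing each block to reqwest's Certificate::from_pem is left out so the code runs with std only.

```rust
// Added example: names below are hypothetical, not the project's code.
// Only the error code string ERR_PNPM_INVALID_CA is taken from the issue.
#[derive(Debug, PartialEq)]
pub struct TlsError { pub code: &'static str, pub reason: &'static str }

const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

fn invalid_ca(reason: &'static str) -> TlsError {
    TlsError { code: "ERR_PNPM_INVALID_CA", reason }
}

/// Split an inline `ca` value, or the text read from `cafile`, into one PEM
/// block per certificate. Assumption: a two-character `\n` escape inside an
/// .npmrc value stands for a line break.
pub fn split_ca_bundle(raw: &str) -> Result<Vec<String>, TlsError> {
    let text = raw.replace("\\n", "\n");
    let is_b64 = |b: u8| b.is_ascii_alphanumeric() || matches!(b, b'+' | b'/' | b'=');
    let mut certs: Vec<String> = Vec::new();
    let mut body: Vec<&str> = Vec::new();
    let mut open = false;
    for line in text.lines().map(str::trim).filter(|l| !l.is_empty()) {
        if line == BEGIN {
            if open { return Err(invalid_ca("BEGIN inside an open block")); }
            open = true;
            body.clear();
        } else if line == END {
            if !open || body.is_empty() { return Err(invalid_ca("END without a certificate body")); }
            certs.push(format!("{}\n{}\n{}\n", BEGIN, body.join("\n"), END));
            open = false;
        } else if open {
            if !line.bytes().all(is_b64) { return Err(invalid_ca("non-base64 data in block")); }
            body.push(line);
        } // text outside a block (comments in a bundle file) is ignored
    }
    if open { return Err(invalid_ca("unterminated certificate block")); }
    if certs.is_empty() { return Err(invalid_ca("no certificate found")); }
    Ok(certs)
}

fn main() {
    // Constructed sample: the base64 body is filler, not a real certificate.
    let inline = "-----BEGIN CERTIFICATE-----\\nQUJDRA==\\n-----END CERTIFICATE-----";
    println!("{:?}", split_ca_bundle(inline).map(|c| c.len()));
    println!("{:?}", split_ca_bundle("-----BEGIN CERTIFICATE-----\nQUJDRA=="));
}
```

This checks PEM framing only; a block that passes can still be rejected when the certificate itself is parsed.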