Unresolved .npmrc auth placeholders crash config loading with "Invalid character"

### Verify latest release

- [x] I verified that the issue exists in the latest pnpm release

### pnpm version

11.0.0-rc.2

### Which area(s) of pnpm are affected? (leave empty if unsure)

CLI, Operating System (Windows, MacOS, Linux)

### Link to the code that reproduces this issue or a replay of the bug

_No response_

### Reproduction steps

1. Put an unresolved auth placeholder in the user-level `.npmrc`, for example:

   ```ini
   //registry.example.com/:_auth=${EXAMPLE_TOKEN}
   ```

2. Run pnpm in an environment where `EXAMPLE_TOKEN` is not defined.

   One easy way to do that is to launch pnpm from a child process with a reduced environment that keeps `PATH` but omits `EXAMPLE_TOKEN`.

3. Run a command that loads config, for example:

   ```sh
   pnpm install
   ```

4. Observe that pnpm fails before normal command execution.

    ```text
    ERROR Invalid character
    For help, run: pnpm help install
    ```
    
### Describe the Bug

On main, the config path does this (AI authored, NOT VERIFIED)

1. `config/reader/src/loadNpmrcFiles.ts` reads the `.npmrc` entry.
2. `envReplace()` cannot substitute the missing `${...}` token.
3. `substituteEnv()` records a warning and preserves the unresolved string.
4. `config/reader/src/getNetworkConfigs.ts` collects `_auth` / `_password` from that config.
5. `config/reader/src/parseCreds.ts` calls `parseBasicAuth()`.
6. `parseBasicAuth()` calls `atob('${EXAMPLE_TOKEN}')`.
7. `atob()` throws `InvalidCharacterError: Invalid character`.

The stack is:

- `parseBasicAuth()` in `config/reader/src/parseCreds.ts`
- `getNetworkConfigs()` in `config/reader/src/getNetworkConfigs.ts`
- `getConfig()` in `config/reader`

So this is not a CLI parsing problem. It is a config/auth parsing failure caused by unresolved placeholder text being preserved and then treated as base64 auth input. The problem is
- unresolved credential placeholders reach auth parsing,
- auth parsing crashes on them,
- and pnpm reports the result as a top-level CLI usage error.

### Expected Behavior

pnpm should not pass unresolved credential placeholders into base64 auth decoding.

At minimum, if `.npmrc` auth config still contains `${VAR}` placeholders, pnpm should surface a config/auth-specific outcome instead of:

- crashing in `atob()`, and
- printing `For help, run: pnpm help install`.

Possible policy choices include:

- keep the unresolved literal and continue,
- ignore that auth entry,
- or fail fast with a config error.

### Which Node.js version are you using?

24.11.1

### Which operating systems have you used?

- [ ] macOS
- [x] Windows
- [ ] Linux

### If your OS is a Linux based, which one it is? (Include the version if relevant)

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Unresolved .npmrc auth placeholders crash config loading with "Invalid character" #11298

Verify latest release

pnpm version

Which area(s) of pnpm are affected? (leave empty if unsure)

Link to the code that reproduces this issue or a replay of the bug

Reproduction steps

Describe the Bug

Expected Behavior

Which Node.js version are you using?

Which operating systems have you used?

If your OS is a Linux based, which one it is? (Include the version if relevant)

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

Unresolved .npmrc auth placeholders crash config loading with "Invalid character" #11298

Description

Verify latest release

pnpm version

Which area(s) of pnpm are affected? (leave empty if unsure)

Link to the code that reproduces this issue or a replay of the bug

Reproduction steps

Describe the Bug

Expected Behavior

Which Node.js version are you using?

Which operating systems have you used?

If your OS is a Linux based, which one it is? (Include the version if relevant)

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions