fix(config): honor NPM_CONFIG_USERCONFIG as a low-priority fallback

[zkochan]

Summary

• Honor NPM_CONFIG_USERCONFIG (and lowercase npm_config_userconfig) as the lowest-priority fallback when locating the user-level .npmrc.
• Restores compatibility with actions/setup-node, which writes registry credentials to ${runner.temp}/.npmrc and exports NPM_CONFIG_USERCONFIG to point at it. This silently broke in pnpm v11 because the env var loader only honors PNPM_CONFIG_* / pnpm_config_* prefixes, leaving GitHub Actions workflows that authenticate to private registries unable to install.
• PNPM_CONFIG_USERCONFIG, PNPM_CONFIG_NPMRC_AUTH_FILE, and npmrcAuthFile in the global config.yaml continue to take precedence — the npm-prefixed env var only kicks in when nothing pnpm-native is set.

Priority order (highest → lowest):

1. --npmrc-auth-file / --userconfig CLI flags
2. PNPM_CONFIG_NPMRC_AUTH_FILE / pnpm_config_npmrc_auth_file
3. PNPM_CONFIG_USERCONFIG / pnpm_config_userconfig
4. npmrcAuthFile in global ~/.config/pnpm/config.yaml (pnpm-native)
5. npm_config_userconfig / NPM_CONFIG_USERCONFIG (new npm-compat fallback)
6. ~/.npmrc (default)

Closes #11539.

Test plan

• New unit test: NPM_CONFIG_USERCONFIG is read from env
• New unit test: npm_config_userconfig (lowercase) is read from env
• New unit test: PNPM_CONFIG_USERCONFIG wins over NPM_CONFIG_USERCONFIG when both set
• New unit test: npmrcAuthFile from global config.yaml wins over NPM_CONFIG_USERCONFIG
• Manual verification with the reporter's reproduction repo (https://github.com/aulonm/pnpm-11-repro-bug) once the PR builds a preview artifact

---

Written by an agent (Claude Code, claude-opus-4-7).

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • pnpm now respects NPM_CONFIG_USERCONFIG and npm_config_userconfig when locating the user-level .npmrc, improving authentication in CI/CD environments that set these vars. Existing pnpm-prefixed env vars and the global config setting for auth file remain higher priority, and empty values are treated as unset so defaults (e.g., ~/.npmrc) are used.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 032e696e-b641-44dd-9ca1-e0385a6eeebe

📥 Commits

Reviewing files that changed from the base of the PR and between 7ea4108 and e96d50f.

📒 Files selected for processing (2)

• config/reader/src/index.ts
• config/reader/test/index.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• config/reader/test/index.ts

---

📝 Walkthrough

Walkthrough

pnpm now honors the NPM_CONFIG_USERCONFIG and npm_config_userconfig environment variables as low-priority fallbacks when resolving the user-level .npmrc, enabling compatibility with CI tools like actions/setup-node. Higher-priority sources such as PNPM-prefixed variables and global config.yaml settings remain unchanged. Tests verify the precedence ordering.

Changes

NPM_CONFIG_USERCONFIG Fallback Support

Layer / File(s)	Summary
Changeset & Release Documentation .changeset/honor-npm-config-userconfig.md	Patch release for @pnpm/config.reader and pnpm documenting the addition of NPM_CONFIG_USERCONFIG / npm_config_userconfig as a low-priority fallback for .npmrc resolution, with precedence clarification.
Config Resolution Logic config/reader/src/index.ts	Expands npmrcAuthFile resolution fallback chain to explicitly check npm_config_userconfig and NPM_CONFIG_USERCONFIG environment variables after higher-priority sources, and adds readNpmEnvVar helper.
Tests & Precedence Verification config/reader/test/index.ts	Adds test coverage for NPM_CONFIG_USERCONFIG and npm_config_userconfig recognition, PNPM_CONFIG_USERCONFIG precedence over NPM-prefixed vars, empty-value handling and home fallback, and global config.yaml precedence.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• pnpm/pnpm#11468: Modifies config/reader's getConfig/env handling and userconfig/npmrc auth-file resolution with similar test patterns for environment variable precedence.
• pnpm/pnpm#11470: Touches config/reader and global config.yaml / userconfig resolution paths, related to precedence and env-var handling.

Poem

🐰 Hops with glee through env-var trees,
npm_config now bows with ease,
Actions align, GitHub stays fine,
Fallbacks flow in perfect line,
Precedence clear—PNPM wins the game!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(config): honor NPM_CONFIG_USERCONFIG as a low-priority fallback' clearly and specifically summarizes the primary change—adding support for the NPM_CONFIG_USERCONFIG environment variable as a low-priority fallback in config resolution.
Linked Issues check	✅ Passed	The PR fully addresses the objectives in issue #11539: it restores compatibility with actions/setup-node by honoring NPM_CONFIG_USERCONFIG and npm_config_userconfig as low-priority fallbacks, fixing the GitHub Actions authentication regression in pnpm v11.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to resolving issue #11539: the changeset metadata, config reader implementation with the new readNpmEnvVar helper, and comprehensive test coverage for NPM env var handling and precedence rules are all aligned with the stated objective.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/11539

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/reader/src/index.ts`:
- Around line 234-235: The code uses the nullish coalescing operator with
env.npm_config_userconfig and env.NPM_CONFIG_USERCONFIG, which treats an empty
string as a valid value and can short-circuit fallbacks; change the selection
logic so empty strings are treated as unset (e.g., test for truthiness or coerce
empty strings to undefined) when resolving the auth-file path, updating the
expression that currently uses "env.npm_config_userconfig ??
env.NPM_CONFIG_USERCONFIG" to explicitly ignore '' and allow subsequent
fallbacks to run.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 41857bd7-dab0-4571-965a-1bcda7479651

📥 Commits

Reviewing files that changed from the base of the PR and between 6836547 and 7ea4108.

📒 Files selected for processing (3)

• .changeset/honor-npm-config-userconfig.md
• config/reader/src/index.ts
• config/reader/test/index.ts

[Copilot]

Pull request overview

This PR restores npm-compat behavior in @pnpm/config.reader by treating NPM_CONFIG_USERCONFIG / npm_config_userconfig as a lowest-priority fallback for selecting the user-level .npmrc, fixing authentication flows in CI environments (notably actions/setup-node) that rely on these env vars.

Changes:

• Add npm_config_userconfig / NPM_CONFIG_USERCONFIG as a low-priority fallback when computing which user .npmrc to load.
• Add unit tests covering the new fallback and precedence vs PNPM-prefixed env vars and global config.yaml.
• Add a changeset for patch releases of @pnpm/config.reader and pnpm.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
config/reader/src/index.ts	Extends early .npmrc path resolution to include npm-prefixed *_USERCONFIG env vars as the lowest-priority fallback.
config/reader/test/index.ts	Adds tests validating npm-prefixed env var support and correct precedence behavior.
.changeset/honor-npm-config-userconfig.md	Documents the behavior change and ships patch bumps.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.