feat: support URL-scoped registry auth via npm_config_// and pnpm_config_// env vars (#12338)
* feat: support URL-scoped registry auth via npm_config_// and pnpm_config_// env vars
Adds a file-free way to configure registry authentication, e.g.
npm_config_//registry.npmjs.org/:_authToken=<token>
pnpm_config_//registry.npmjs.org/:_authToken=<token>
These are host-scoped by construction — the registry the value applies to is
encoded in the (trusted) variable name — so they cannot be redirected to
another host by repository-controlled config. The env value is trusted: it
overrides a project/workspace .npmrc but is still overridden by CLI options.
pnpm_config_ wins over npm_config_ for the same key.
* feat(pacquet): support URL-scoped registry auth via npm_config_// and pnpm_config_// env vars
Pacquet parity for the same feature on the JS side: read URL-scoped registry
credentials from npm_config_//… and pnpm_config_//… environment variables
(e.g. npm_config_//registry.npmjs.org/:_authToken=<token>).
These are trusted (sourced from the environment, not the repository) and
host-scoped by construction, so they sit at the top of the .npmrc precedence
chain — above the project .npmrc. pnpm_config_ wins over npm_config_ for the
same key. Adds an EnvVar::vars() enumeration capability (default empty, so
existing fakes keep compiling; production providers override it).
* fix(pacquet): avoid Unicode ellipsis in a line comment (dylint)
* fix: exclude tokenHelper from URL-scoped env auth; add case-insensitive tests
Address review feedback on #12338:
- A `//host/:tokenHelper` env var would land in authConfig but trip the
TOKEN_HELPER_IN_PROJECT_CONFIG guard (which only trusts the user .npmrc),
incorrectly failing. tokenHelper names an executable, so it is now excluded
from the env-scoped layer entirely.
- Add tests for case-insensitive prefix matching and the tokenHelper exclusion.
- Add a 'text' language hint to the changeset's fenced block (MD040).
* fix(pacquet): avoid panics on non-UTF-8 / non-ASCII env var names
Address CodeRabbit review on the pacquet env-auth code:
- EnvVar::vars() used std::env::vars(), which panics if any env var name or
value is not valid UTF-8. Iterate vars_os() and skip non-UTF-8 entries,
matching var()'s .ok() behavior. (SystemEnv and Host.)
- parse_url_scoped_env_name sliced with name[..prefix.len()], which panics
when the byte index lands inside a multi-byte char. Use boundary-checked
name.get(..) instead.
- Add a regression test with non-ASCII env var names.
* test: cover env-auth precedence and pacquet end-to-end wiring
Fill the coverage gaps in the URL-scoped env-auth feature:
- JS: assert a CLI-provided //host/:_authToken still beats the same env var
(workspace < env < CLI), and that non-token cred fields work while a
non-URL-scoped env key is ignored.
- pacquet: add end-to-end tests through the full config load — that a
npm_config_//… var is honored and outranks a project .npmrc token for the
same host, and that the prefix is matched case-insensitively. FakeEnv now
enumerates via vars() so the env-scoped reader sees the fixture.
This provides a file-free way to supply registry authentication. Because the registry a value applies to is encoded in the (trusted) environment variable name, it is host-scoped by construction and cannot be redirected to another registry by repository-controlled config. The environment value is treated as trusted config: it takes precedence over a project/workspace `.npmrc` but is still overridden by command-line options. When the same key is provided through both prefixes, `pnpm_config_` wins.
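The behaviour described above (case-insensitive prefix match, boundary-checked slicing of non-ASCII names, `tokenHelper` excluded, `pnpm_config_` over `npm_config_`, and the project `.npmrc` < env < CLI precedence), as an added illustration that is not pnpm's or pacquet's own code; function names and the rank numbers are assumptions made for this example.

```rust
use std::collections::BTreeMap;

// Added illustration, not pnpm's or pacquet's code: a model of the URL-scoped
// env-auth layer. Prefix rank: pnpm_config_ (1) beats npm_config_ (0).
const PREFIXES: [(&str, u8); 2] = [("npm_config_", 0), ("pnpm_config_", 1)];

/// Returns (rank, "//host/:key") for a URL-scoped auth env var name. The prefix
/// is matched case-insensitively; slicing via `get` means a prefix length that
/// lands inside a multi-byte char yields None instead of panicking.
fn parse_url_scoped_env_name(name: &str) -> Option<(u8, &str)> {
    for (prefix, rank) in PREFIXES {
        let head = match name.get(..prefix.len()) { Some(h) => h, None => continue };
        if !head.eq_ignore_ascii_case(prefix) { continue; }
        let rest = &name[prefix.len()..]; // safe: `get` proved the char boundary
        if rest.starts_with("//") && rest.contains("/:") { return Some((rank, rest)); }
    }
    None
}

/// Builds the env-scoped layer from (name, value) pairs. `tokenHelper` names an
/// executable, so it is excluded from this layer entirely.
fn env_scoped_auth<'a>(vars: impl IntoIterator<Item = (&'a str, &'a str)>) -> BTreeMap<String, String> {
    let mut ranked: BTreeMap<&str, (u8, &str)> = BTreeMap::new();
    for (name, value) in vars {
        let (rank, key) = match parse_url_scoped_env_name(name) { Some(p) => p, None => continue };
        if key.ends_with("/:tokenHelper") { continue; }
        // Keep the higher-ranked prefix; equal rank lets the later var win.
        if ranked.get(key).map_or(true, |(r, _)| rank >= *r) { ranked.insert(key, (rank, value)); }
    }
    ranked.into_iter().map(|(k, (_, v))| (k.to_string(), v.to_string())).collect()
}

/// Precedence from the commit: project .npmrc < env layer < CLI options.
fn resolve_auth(layers: [&BTreeMap<String, String>; 3]) -> BTreeMap<String, String> {
    let mut out = BTreeMap::new();
    for layer in layers { out.extend(layer.iter().map(|(k, v)| (k.clone(), v.clone()))); }
    out
}

fn main() {
    // Real process environment: iterate vars_os and skip non-UTF-8 entries
    // rather than calling std::env::vars(), which panics on them.
    let owned: Vec<(String, String)> = std::env::vars_os()
        .filter_map(|(k, v)| Some((k.into_string().ok()?, v.into_string().ok()?)))
        .collect();
    let env = env_scoped_auth(owned.iter().map(|(k, v)| (k.as_str(), v.as_str())));
    for (key, _) in &env { println!("env-scoped auth key: {key}"); } // values are not printed
}
```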