Verify latest release
pnpm version
No response
Which area(s) of pnpm are affected? (leave empty if unsure)
CLI
Link to the code that reproduces this issue or a replay of the bug
N/A (requires a registry with self-signed cert)
Reproduction steps
- Set up a registry with a self-signed certificate (e.g., Sonatype Nexus)
- Configure pnpm-workspace.yaml:
    packages:
    - "."
    strictSsl: false
- Configure .npmrc with a valid auth token:
    registry=https://my-registry/
    //my-registry/:_authToken=<valid-token>
    strict-ssl=false
- Run
    pnpm publish --no-git-checks --tag snapshot
- The command hangs and eventually fails with UNABLE_TO_VERIFY_LEAF_SIGNATURE

Using npm publish with the same .npmrc works fine.
Describe the Bug
pnpm publish ignores the strictSsl: false configuration when publishing packages. The setting is correctly applied for pnpm install and other fetch operations, but the publish code path uses libnpmpublish → npm-registry-fetch which never receives the strictSSL: false option.
The publish command hangs for several minutes (the default 5-minute timeout in npm-registry-fetch) and then fails with:
[UNABLE_TO_VERIFY_LEAF_SIGNATURE] request to https://my-registry/my-package failed, reason: unable to verify the first certificate
Expected Behavior
pnpm publish should respect strictSsl: false (from pnpm-workspace.yaml or .npmrc) and successfully publish to registries with self-signed certificates, the same way pnpm install does.
Which Node.js version are you using?
24.16.0
Which operating systems have you used?
If your OS is Linux-based, which one is it? (Include the version if relevant)
Ubuntu (WSL2)
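An added check, not part of the original report or of pnpm's code: a small Node.js function that parses .npmrc text like the one in the reproduction steps and flags auth tokens configured alongside strict-ssl=false, where the token is sent without verifying the registry certificate. The function names and sample input are assumptions made for this example; `strict-ssl`, `cafile` and `ca` are standard npm config keys, and the pnpm-workspace.yaml setting is not covered.

```javascript
// Added example: audit .npmrc text for auth tokens sent over unverified TLS.
// Constructed sample input, mirroring the .npmrc from the report above.
const SAMPLE_NPMRC = `
registry=https://my-registry/
//my-registry/:_authToken=<valid-token>
strict-ssl=false
`;

// Parse .npmrc text into [key, value] pairs, skipping blanks and # or ; comments.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    entries.push([line.slice(0, eq).trim(), line.slice(eq + 1).trim()]);
  }
  return entries;
}

// Report whether TLS verification is disabled, whether a custom CA is set,
// which registry hosts carry an auth token, and the resulting findings.
function auditNpmrc(text) {
  const entries = parseNpmrc(text);
  // Last occurrence of a key wins, as in ini-style config files.
  const get = (name) => {
    const hit = entries.filter(([key]) => key === name).pop();
    return hit ? hit[1] : undefined;
  };
  const strictSslDisabled = get('strict-ssl') === 'false';
  const customCa = get('cafile') !== undefined || get('ca') !== undefined;
  const tokenHosts = entries
    .filter(([key]) => /^\/\/.+:_authToken$/.test(key))
    .map(([key]) => key.slice(2, key.lastIndexOf(':_authToken')));
  const findings = [];
  if (strictSslDisabled) {
    for (const host of tokenHosts) {
      findings.push(`token for ${host} is sent without certificate verification`);
    }
    if (!customCa) {
      findings.push('strict-ssl=false with no cafile/ca: trust the registry CA instead');
    }
  }
  return { strictSslDisabled, customCa, tokenHosts, findings };
}
```

Pointing `cafile` at the registry's certificate keeps verification on for a self-signed registry, so the audit returns no findings for that configuration.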