
strictSsl: false not applied to pnpm publish #12012

Description

@aholtkamp

Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

No response

Which area(s) of pnpm are affected? (leave empty if unsure)

CLI

Link to the code that reproduces this issue or a replay of the bug

N/A (requires a registry with self-signed cert)

Reproduction steps

  1. Set up a registry with a self-signed certificate (e.g., Sonatype Nexus)
  2. Configure pnpm-workspace.yaml:
    packages:
      - "."
    strictSsl: false
  3. Configure .npmrc with a valid auth token:
    registry=https://my-registry/
    //my-registry/:_authToken=<valid-token>
    strict-ssl=false
  4. Run pnpm publish --no-git-checks --tag snapshot
  5. The command hangs and eventually fails with UNABLE_TO_VERIFY_LEAF_SIGNATURE

Using npm publish with the same .npmrc works fine.

Describe the Bug

pnpm publish ignores the strictSsl: false configuration when publishing packages. The setting is correctly applied for pnpm install and other fetch operations, but the publish code path uses libnpmpublish → npm-registry-fetch, which never receives the strictSSL: false option.

The publish command hangs for several minutes (the default 5-minute timeout in npm-registry-fetch) and then fails with:

[UNABLE_TO_VERIFY_LEAF_SIGNATURE] request to https://my-registry/my-package failed, reason: unable to verify the first certificate

Expected Behavior

pnpm publish should respect strictSsl: false (from pnpm-workspace.yaml or .npmrc) and successfully publish to registries with self-signed certificates, the same way pnpm install does.

Which Node.js version are you using?

24.16.0

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is Linux-based, which one is it? (Include the version if relevant)

Ubuntu (WSL2)
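
A check that a CI job could run over the two config files from the reproduction steps, flagging where certificate verification is switched off while a registry auth token is configured. This is an added example, not part of the original report and not pnpm code; the function names are hypothetical, the sample inputs are constructed from the steps above, and the YAML check is a simple line match rather than a full parser.

```javascript
// Added example, not pnpm code. Inputs are constructed from the reproduction steps.
const SAMPLE_NPMRC = [
  'registry=https://my-registry/',
  '//my-registry/:_authToken=<valid-token>',
  'strict-ssl=false',
].join('\n');
const SAMPLE_WORKSPACE = 'packages:\n  - "."\nstrictSsl: false\n';

// Minimal key=value reader for .npmrc text (skips blanks and # / ; comments).
function parseNpmrc(text) {
  const entries = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    entries.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return entries;
}

// Hypothetical audit helper: reports disabled TLS verification and which
// registry credentials are exposed to an unverified server as a result.
function auditTlsConfig(npmrcText, workspaceYamlText = '') {
  const rc = parseNpmrc(npmrcText);
  const rcOff = (rc.get('strict-ssl') || '').toLowerCase() === 'false';
  // Top-level `strictSsl: false` in pnpm-workspace.yaml (line match only).
  const yamlOff = /^strictSsl:\s*false\s*(#.*)?$/m.test(workspaceYamlText);
  const verificationDisabled = rcOff || yamlOff;
  const hasCa = rc.has('cafile') || rc.has('ca');
  // Keys of the form //host/path/:_authToken hold a token for that registry.
  const suffix = ':_authToken';
  const tokenHosts = [...rc.keys()]
    .filter((k) => k.startsWith('//') && k.endsWith(suffix))
    .map((k) => k.slice(2, -suffix.length));
  const findings = [];
  if (verificationDisabled) {
    findings.push('TLS certificate verification is disabled');
    for (const host of tokenHosts) {
      findings.push(`auth token for ${host} goes to a server whose certificate is not verified`);
    }
    if (!hasCa) findings.push('no ca/cafile entry is configured for the registry certificate');
  }
  return { verificationDisabled, hasCa, tokenHosts, findings };
}

console.log(auditTlsConfig(SAMPLE_NPMRC, SAMPLE_WORKSPACE).findings.join('\n'));
```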
