Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Using npm_config__auth environtment variable in v8 to authorize private repository #6406

Closed
2 tasks done
rittneje opened this issue Apr 28, 2023 · 6 comments
Closed
2 tasks done

[BUG] Using npm_config__auth environtment variable in v8 to authorize private repository #6406

rittneje opened this issue Apr 28, 2023 · 6 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 9.x work is associated with a specific npm 9 release

Comments

@rittneje
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Reopening #3985. The "solution" to go manually create an npmrc file is completely unacceptable.

Expected Behavior

The npm_config__auth env var specifies the credentials to use for the default registry, as specified by npm_config_registry env var. It is NOT for npm specifically.

Steps To Reproduce

No response

Environment

No response
@rittneje rittneje added Bug thing that needs fixing Needs Triage needs review for next steps Release 9.x work is associated with a specific npm 9 release labels Apr 28, 2023
@ljharb
Copy link
Contributor

ljharb commented Apr 28, 2023

I'm confused; why is an env var starting with "npm_" not for npm specifically?

@rittneje
Copy link
Author

https://docs.npmjs.com/cli/v9/using-npm/config#environment-variables

Any environment variables that start with npm_config_ will be interpreted as a configuration parameter.

They are configurations for npm the command line tool, which is distinct from npm the registry.

@ljharb
Copy link
Contributor

ljharb commented Apr 28, 2023

sure, this is about the npm client, which talks to the registry. The config isn't for the registry - it's for the CLI, so it applies to every registry the CLI talks to.

@rittneje
Copy link
Author

@ljharb I'm not sure what you are trying to say. Previously the npm_config__auth env var could be used to specify the credentials to use for interacting with the registry specified in the npm_config_registry env var. Then a breaking change was introduced such that npm_config__auth is only used for interacting with npmjs.org specifically. (That is, if npm_config_registry is configured to something other than npmjs.org, now it incorrectly sends unauthenticated requests to it instead of using npm_config__auth like it should.) I am asking for this change to be reverted.

@ljharb
Copy link
Contributor

ljharb commented Apr 29, 2023

ah, i believe this was intentional for security reasons, and that the best practice is to use scope-based registry settings (and auth), but I'll let the npm team weigh in.

@wraithgar
Copy link
Member

_auth will only ever be used to authenticate to the npm registry. This was a security concern. Your best option is to configure your auth to specify the registry it should go to. The linked issue has examples for how to do this.

@snyk-io snyk-io bot mentioned this issue Oct 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 9.x work is associated with a specific npm 9 release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@wraithgar @ljharb @rittneje