diff --git a/docs/content/configuring-npm/npmrc.md b/docs/content/configuring-npm/npmrc.md
index 83310ffa9c7f2..d252f09b81a68 100644
--- a/docs/content/configuring-npm/npmrc.md
+++ b/docs/content/configuring-npm/npmrc.md
@@ -91,6 +91,34 @@ consistent across updates. Set fields in here using the `./configure` script that comes with npm. This is primarily for distribution maintainers to override default configs in a standard and consistent manner.
+### Auth related configuration
+
+The settings `_auth`, `_authToken`, `username` and `_password` must all be
+scoped to a specific registry. This ensures that `npm` will never send
+credentials to the wrong host.
+
+In order to scope these values, they must be prefixed by a URI fragment.
+If the credential is meant for any request to a registry on a single host,
+the scope may look like `//registry.npmjs.org/:`. If it must be scoped to a
+specific path on the host that path may also be provided, such as
+`//my-custom-registry.org/unique/path:`.
+
+```
+; bad config
+_authToken=MYTOKEN
+
+; good config
+@myorg:registry=https://somewhere-else.com/myorg
+@another:registry=https://somewhere-else.com/another
+//registry.npmjs.org/:_authToken=MYTOKEN
+; would apply to both @myorg and @another
+; //somewhere-else.com/:_authToken=MYTOKEN
+; would apply only to @myorg
+//somewhere-else.com/myorg/:_authToken=MYTOKEN1
+; would apply only to @another
+//somewhere-else.com/another/:_authToken=MYTOKEN2
+```
+
 ### See also
 * [npm folders](/configuring-npm/folders)
diff --git a/node_modules/@npmcli/config/lib/index.js b/node_modules/@npmcli/config/lib/index.js
index 93fbcad72bc79..fe5cfd2aa9ed5 100644
--- a/node_modules/@npmcli/config/lib/index.js
+++ b/node_modules/@npmcli/config/lib/index.js
@@ -767,6 +767,11 @@ class Config {
 const nerfed = nerfDart(uri)
 const creds = {}
 
+ const deprecatedAuthWarning = [
+ '`_auth`, `_authToken`, `username` and `_password` must be scoped to a registry.',
+ 'see `npm help npmrc` for more information.',
+ ].join(' ')
+
 const email = this.get(`${nerfed}:email`) || this.get('email')
 if (email) {
 creds.email = email
@@ -780,10 +785,13 @@ class Config {
 // cert/key may be used in conjunction with other credentials, thus no `return`
 }
 
- const tokenReg = this.get(`${nerfed}:_authToken`) ||
- nerfed === nerfDart(this.get('registry')) && this.get('_authToken')
+ const defaultToken = nerfDart(this.get('registry')) && this.get('_authToken')
+ const tokenReg = this.get(`${nerfed}:_authToken`) || defaultToken
 if (tokenReg) {
+ if (tokenReg === defaultToken) {
+ log.warn('config', deprecatedAuthWarning)
+ }
 creds.token = tokenReg
 return creds
 }
 
@@ -818,6 +826,7 @@ class Config {
 const userDef = this.get('username')
 const passDef = this.get('_password')
 if (userDef && passDef) {
+ log.warn('config', deprecatedAuthWarning)
 creds.username = userDef
 creds.password = Buffer.from(passDef, 'base64').toString('utf8')
 const auth = `${creds.username}:${creds.password}`
@@ -832,6 +841,7 @@ class Config {
 return creds
 }
 
+ log.warn('config', deprecatedAuthWarning)
 const authDecode = Buffer.from(auth, 'base64').toString('utf8')
 const authSplit = authDecode.split(':')
 creds.username = authSplit.shift()
diff --git a/node_modules/@npmcli/config/package.json b/node_modules/@npmcli/config/package.json
index 275044e4ae48e..81c36228c6b4a 100644
--- a/node_modules/@npmcli/config/package.json
+++ b/node_modules/@npmcli/config/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@npmcli/config",
- "version": "4.2.1",
+ "version": "4.2.2",
 "files": [
 "bin/",
 "lib/"
@@ -31,7 +31,7 @@
 },
 "devDependencies": {
 "@npmcli/eslint-config": "^3.0.1",
- "@npmcli/template-oss": "3.5.0",
+ "@npmcli/template-oss": "3.6.0",
 "tap": "^16.0.1"
 },
 "dependencies": {
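Review bot: In the second hunk (`@@ -780,10 +785,13 @@`) the new `defaultToken` drops the `nerfed === nerfDart(this.get('registry'))` comparison that the removed lines carried, so `nerfDart(this.get('registry'))` is only tested for truthiness and the unscoped `_authToken` now becomes the fallback for every URI this method is asked about, not just the configured default registry — the cross-host credential exposure the new npmrc documentation says scoping prevents. Keep the comparison: `const defaultToken = nerfed === nerfDart(this.get('registry')) && this.get('_authToken')`. A secondary effect of the `tokenReg === defaultToken` check is that a properly scoped token whose value happens to equal the unscoped one also triggers the warning; deciding based on whether the scoped lookup returned a value avoids that. The `log.warn` calls added here and in the hunks at `@@ -818` and `@@ -832` fire on every credential lookup, which may be noisy on a per-request path, so a once-per-process guard is worth considering. The enclosing method starts and ends outside these hunks.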
@@ -49,6 +49,6 @@
 },
 "templateOSS": {
 "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
- "version": "3.5.0"
+ "version": "3.6.0"
 }
 }
diff --git a/package-lock.json b/package-lock.json
index ce443bce578ac..f34578380f20b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -878,9 +878,9 @@
 }
 },
 "node_modules/@npmcli/config": {
- "version": "4.2.1",
- "resolved": "https://registry.npmjs.org/@npmcli/config/-/config-4.2.1.tgz",
- "integrity": "sha512-iJEnXNAGGr7sGUcoKmeJNrc943vFiWrDWq6DNK/t+SuqoObmozMb3tN3G5T9yo3uBf5Cw4h+SWgoqSaiwczl0Q==",
+ "version": "4.2.2",
+ "resolved": "https://registry.npmjs.org/@npmcli/config/-/config-4.2.2.tgz",
+ "integrity": "sha512-5GNcLd+0c4bYBnFop53+26CO5GQP0R9YcxlernohpHDWdIgzUg9I0+GEMk3sNHnLntATVU39d283A4OO+W402w==",
 "inBundle": true,
 "dependencies": {
 "@npmcli/map-workspaces": "^2.0.2",