[BUG] npm 8 rewrites _auth field in config file
andham opened this issue · 1 comments
What / Why
While switching from the former Node.js LTS 14.18.1 (npm 6.14.15) to the new Node.js LTS 16.13.0 (npm 8.1.0), we've discovered that our authentication configuration in .npmrc for our CI/CD pipelines breaks.
With Node.js 14.x we did this:
npm config set _auth=XXXXXX
npm config set always-auth=true
which then added this to .npmrc:
_auth=XXXXXX
always-auth=true
But with Node.js 16.13.0 the second config set command will rewrite the _auth line in the .npmrc file to this:
//nexus.acme.org/repository/npm-group/:username=yyyy
//nexus.acme.org/repository/npm-group/:_password="zzzz"
In the .npmrc file there is also a registry line specifying:
registry=https://nexus.acme.org/repository/npm-group/
So the _auth line is rewritten to registry-specific username and _password config lines.
This breaks our pipelines, as the _auth info applies to any registry (we publish to a different registry, but in the same Nexus instance and therefore with the same credentials), as it is now registry-specific (for the wrong registry).
A workaround is to write a registry-specific _auth line for the registry we publish to:
npm config set "//nexus.acme.org/repository/npm-releases/:_auth=XXXXXX"
npm config set "always-auth=true"
However, there could be use cases for a shared _auth config for any registry. Also, it's a breaking change between the former Node.js LTS version and the new Node.js LTS version.
When
See steps above.
Where
See info provided above.
How
Current Behavior
See above.
Steps to Reproduce
See above.
Expected Behavior
I expected the same behavior as with Node.js 14.x/npm 6. See above.
Who
- n/a
References
- n/a
The "auth config applies to every registry" was explicitly removed in npm7 because it represents a potential security issue. Yes, this is a breaking change, and it is intentional.
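
A check a CI job could run before publishing, as an added example that is not part of the original thread and not npm's own code: it parses .npmrc text, lists credential keys that name no registry, and reports whether the publish registry has its own scoped credentials. The function names, the exact-match rule for registry prefixes, and the sample files (built from the lines quoted in the issue) are assumptions of this example.

```javascript
// Added example (not from the issue): audit .npmrc text for unscoped credentials.
const CRED_KEYS = new Set(['_auth', '_authToken', 'username', '_password']);

// Simplified registry URL -> "//host/path/" prefix used by scoped .npmrc keys.
function registryPrefix(registryUrl) {
  const u = new URL(registryUrl);
  const path = u.pathname.endsWith('/') ? u.pathname : u.pathname + '/';
  return `//${u.host}${path}`;
}

function auditNpmrc(text, publishRegistry) {
  const unscoped = [];       // credential keys that name no registry
  const scoped = new Map();  // registry prefix -> Set of credential keys
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    if (CRED_KEYS.has(key)) { unscoped.push(key); continue; }
    const m = key.match(/^(\/\/.+\/):([^:]+)$/);
    if (m && CRED_KEYS.has(m[2])) {
      if (!scoped.has(m[1])) scoped.set(m[1], new Set());
      scoped.get(m[1]).add(m[2]);
    }
  }
  const target = registryPrefix(publishRegistry);
  return {
    unscoped,
    scopedRegistries: [...scoped.keys()],
    publishCovered: scoped.has(target),  // assumption: exact prefix match only
    suggestedKey: `${target}:_auth`,     // key to add when publishCovered is false
  };
}

// Constructed samples mirroring the three .npmrc states described in the issue.
const REGISTRY_LINE = 'registry=https://nexus.acme.org/repository/npm-group/\n';
const PUBLISH = 'https://nexus.acme.org/repository/npm-releases/';
const NPM6_STYLE = REGISTRY_LINE + '_auth=XXXXXX\nalways-auth=true\n';
const NPM8_REWRITTEN = REGISTRY_LINE +
  '//nexus.acme.org/repository/npm-group/:username=yyyy\n' +
  '//nexus.acme.org/repository/npm-group/:_password="zzzz"\nalways-auth=true\n';
const WORKAROUND = REGISTRY_LINE +
  '//nexus.acme.org/repository/npm-releases/:_auth=XXXXXX\nalways-auth=true\n';

for (const [name, text] of Object.entries({ NPM6_STYLE, NPM8_REWRITTEN, WORKAROUND })) {
  console.log(name, JSON.stringify(auditNpmrc(text, PUBLISH)));
}
```

A pipeline can fail the job when `unscoped` is non-empty or `publishCovered` is false, which catches both the npm 6 style file and the rewritten file before a publish is attempted.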