From ca029d4747c478546c328688bfba4c24324bdb08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Caleb=20=E3=83=84=20Everett?= Date: Wed, 22 Sep 2021 12:54:09 -0700 Subject: [PATCH] docs: document special meaning of registry.npmjs.com This behavior has been present in npm for a while, but I haven't found where it's documented. This is my attempt at documenting the behavior based on my understanding of it. I think a SME should contribute to this so the documentation is correct. npm/feedback#544 npm/cli#3783 https://github.com/npm/arborist/blob/478871bf0a44a8ec516b9057585b8707e60b0349/lib/arborist/reify.js#L687-L693 --- docs/content/configuring-npm/package-lock-json.md | 6 ++++-- docs/content/using-npm/registry.md | 8 ++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/docs/content/configuring-npm/package-lock-json.md b/docs/content/configuring-npm/package-lock-json.md index c06540fb3ffae..7f38de2e1e359 100644 --- a/docs/content/configuring-npm/package-lock-json.md +++ b/docs/content/configuring-npm/package-lock-json.md @@ -138,7 +138,8 @@ Package descriptors have the following fields: the case of packages fetched from the registry, this will be a url to a tarball. In the case of git dependencies, this will be the full git url with commit sha. In the case of link dependencies, this will be the - location of the link target. + location of the link target. registry.npmjs.org is a magic value meaning "the + currently configured registry". * integrity: A `sha512` or `sha1` [Standard Subresource Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) @@ -201,7 +202,8 @@ Dependency objects have the following fields: * resolved: For registry sources this is path of the tarball relative to the registry URL. If the tarball URL isn't on the same server as the - registry URL then this is a complete URL. + registry URL then this is a complete URL. registry.npmjs.org is a magic value + meaning "the currently configured registry". * bundled: If true, this is the bundled dependency and will be installed by the parent module. When installing, this module will be extracted diff --git a/docs/content/using-npm/registry.md b/docs/content/using-npm/registry.md index 3b07ab11c5bdc..934013b748ad1 100644 --- a/docs/content/using-npm/registry.md +++ b/docs/content/using-npm/registry.md @@ -30,6 +30,14 @@ The registry URL used is determined by the scope of the package (see supplied by the `registry` config parameter. See [`npm config`](/commands/npm-config), [`npmrc`](/configuring-npm/npmrc), and [`config`](/using-npm/config) for more on managing npm's configuration. +When the default registry is used in a package-lock or shrinkwrap is has the +special meaning of "the currently configured registry". If you create a lock +file while using the default registry you can switch to another registry and +npm will install packages from the new registry, but if you create a lock +file while using a custom registry packages will be installed from that +registry even after you change to another registry. To update the registry in a +lock file you can remove the file or remove or modify the resolved key. + ### Does npm send any information about me back to the registry? Yes.