-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] npm config set unpacks _auth into username/password #4763
Comments
That looks conceptually the same even if the contents are different. Does it authenticate properly with the registry? also have you tried with npm v8.7? |
No, it does not authenticate properly since the I expected running the latest node also using the latest npm, but that was not the case. Version 8.7.0 has the same issue. |
The latest node is node 17, not 16, but also npm publishes more frequently than node releases :-) |
I was able to reproduce, thank you for the reproduction steps. |
That's right. I picked the latest LTS. |
This is the correct behavior. the It's a little jarring I'm sure to see it change from |
Thanks for your explanation.
I don't think that's correct since an .npmrc like below authenticates just fine against our self-hosted Jfrog npm registry.
It is breaking because it now sets authentication explicit to registry.npmjs.com where before it was using _auth to npm.example.com before
As a workaround I just have the contents of .npmrc defined instead of generating it. I'm fine accepting this change since it's a regression between major versions v14 and v15/v16/v17. |
Ok so this is very helpful. I just added tests yesterday that I thought clarified this behavior but there is a difference between setting a registry via scope and setting the The reason it's doing what it's doing here is because the "config cleanup" code happens before the It's still weird because it's unpacking it to username/password but functionally those are the same. |
It's a little goofy but I think if you did |
Why is that intentional? It seems pretty bad to do something the user didn’t ask for. |
The nerf darting is what the config actually is, having it as the legacy bare |
What i mean is, if i have something in npmrc, and i npm config set something else, the something should never change, because that’s not what i asked npm to do. Whether it’s misleading or not is none of npm’s business because i didn’t ask npm to touch it. |
This worked for us |
Historically, a bare npm has no way of knowing what you intended your registry for that auth token to be, other than what's in the config at the time it encounters the The only workaround is to ensure that the This is 100% working as designed, and the confusion is an unfortunate byproduct of a very old mistake. Changing this behavior would be a very bad idea. |
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
npm config set registry <url>
messed up pre-existing~/.npmrc
containing _authExpected Behavior
Steps To Reproduce
npm
~/.npmrc
containing_auth
:npm config set registry https://npm.example.com
.npmrc
is messed upcat ~/.npmrc
:Environment
v8.5.0v8.7.0v16.14.2v17.9.0v3.11v3.15The text was updated successfully, but these errors were encountered: