Support reading from .npmrc

[privatenumber]

What is the problem this feature will solve?

npm is configured by a .npmrc, but currently, bun seems to require the configuration to be duplicated to a bunfig.toml file.

What is the feature you are proposing to solve the problem?

For bun install to support reading from the .npmrc file.

What alternatives have you considered?

No response

[pimentelleo]

Is there any workaround?

[boldurean]

Waiting to this feature to try bun on my current project. Is there any workarounds?

[peacecwz]

@Jarred-Sumner do you have any plan about reading .npmrc file. It's most important thing if bun is working as a package manager

[Fordi]

+1 for me. Particularly, I need support for registry= and @group:registry=. Without 'em, I can't really use it.

Incidentally, I duplicated my config in bunfig.toml (can't share; private registries), but got a segfault on bun install.

[peacecwz]

As a @Trendyol (https://github.com/trendyol) We would like to use bun in PoC but It doesn't work with private registry 😢

[lukebars]

This is very important if we want bun to succeed as a package manager

[markusbkk]

Same problem here. I just installed bun for one of two speed-up PoCs at my day-job. The project depends on a private repository though.

[sayjeyhi]

+1 support this plz

[drabelo]

@sayjeyhi There is a tweet by one of the creators showing steps to include a private registry and it worked!

https://twitter.com/jarredsumner/status/1555832429276827648?s=20&t=coxDA6eH02_3REEZBRwr-A

[postpersonality]

@drabelo That doesn't work for me (bun 0.4 & private nexus repository). Is there a way to find out that bun even sees the ~/.bunfig.toml? On my side it still tries to find all the packages at registry.npmjs.org

[postpersonality]

However if I override each individual private package like this:

[install.scopes]
"<my-private-package-name>" = { url = "https://<my-private-repo-url>/:_authToken=<my-private-repo-auth-token>" }
"<my-private-package-name2>" = { url = "https://<my-private-repo-url>/:_authToken=<my-private-repo-auth-token>" }
"<my-private-package-name3>" = ...

It seem to be working fine. Thanks, @drabelo !
It's inconvenient but ok for tinkering.

[lukeed]

Supporting the global ~/.npmrc file (in addition to locals) would be really helpful for those who have a long history of private/client projects. While the workaround exists (🙏) it'd be a lot easier to not have to slice up & duplicate the registry urls for each project

[johngrimsey]

Preventing my organisation from experimenting with bun. Would appreciate this.

[markusbkk]

Preventing my organisation from experimenting with bun. Would appreciate this.

@drabelo 's solution works and has the added benefit of being safer than local .npmrc files

https://twitter.com/jarredsumner/status/1555832429276827648?s=20&t=coxDA6eH02_3REEZBRwr-A

[ciprianglg]

Does somebody has any idea how install.scopes section should look for azure devops artifact feed? I tried each possible solution i was think of, and i always end up with 403 for get of the artifact.

[martinothamar]

Running into the same issue as you @ciprianglg at the same time it looks like. The URL in the error logs when doing bun install is actually for the tar compressed file for the package. In ADO registry case this is hosted in blob storage in Azure. The URL has a SAS key (so I can't share it here), but curiously when I click the link I actually am able to download the file in a browser (just ctrl-clicking the link output in the error logs by bun). So the URL looks correct, not sure why Bun gets 403 but my browser gets a 200

[martinothamar]

Btw I also use the install.scopes workaround, and since bun ends up with a link containing a SAS key I think the credentials there are correct in my case

[ciprianglg]

@martinothamar the same behavior on my side, if i click the link i can download it.

[martinothamar]

The error message looks like this one to me, if that helps: https://github.com/oven-sh/bun/blob/bun-v0.5.9/src/install/install.zig#L3858

I'm on version v0.5.9

[jamiehaywood]

@martinothamar have you managed to get Bun working with Azure Artifacts?

[martinothamar]

No, this was a PoC for me so didnt have much time to debug unfortunately

[vkorn]

Anyone was able to figure it out? Looks like bun sometimes completely ignores the bunfig. Moreover if I use @company it sometimes tries to use the registry from the install.scopes, if I use the actual company name -- it always goes to the default registry.

==EDIT

Ok, spent a bit more time looking through logs/versions. I have a gcp artifact registry, defining it as follows in the config

[install.scopes]
"@COMPANY_NAME" = {url = "https://us-central1-npm.pkg.dev/COMPANY_NAME/fw-npm", token = $TOKEN }

then do the rm -rf ~/.bun/ && rm rm bun.lockb

And trying to install

TOKEN=SECRET install --verbose
bun install v0.6.0 (7f25aa9e)
Enqueue package manifest for download: @COMPANY_NAME/mobile-common
  🔍 Resolving [1/1] Request: GET /COMPANY_NAME/fw-npm/@COMPANY_NAME/mobile-common
	Authorization: Bearer SECRET
	npm-auth-type: legacy
	Accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*
	Connection: keep-alive
	User-Agent: Bun/0.6.0
	Host: us-central1-npm.pkg.dev
	Accept-Encoding: gzip, deflate

Request: GET /COMPANY_NAME/fw-npm/@COMPANY_NAME/mobile-common
	Authorization: Bearer SECRET
	npm-auth-type: legacy
	Accept: application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*
	Connection: keep-alive
	User-Agent: Bun/0.6.0
	Host: us-central1-npm.pkg.dev
	Accept-Encoding: gzip, deflate

Response: < 200 OK
< 	Content-Type: application/json; charset=utf-8
< 	X-Content-Type-Options: nosniff
< 	X-Frame-Options: SAMEORIGIN
< 	X-Xss-Protection: 0
< 	Date: Sat, 13 May 2023 02:26:52 GMT
< 	Transfer-Encoding: chunked
< 	Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

    [346.99ms]
 Downloaded @COMPANY_NAME/mobile-common versions
   - "@COMPANY_NAME/mobile-common": "1.0.0-df23950" - @COMPANY_NAME/mobile-common@1.0.0-df23950
  🔍 @COMPANY_NAME/mobile-common [3/3]
GET https://registry.yarnpkg.com/@COMPANY_NAME/mobile-common/-/@COMPANY_NAME/mobile-common-1.0.0-df23950.tgz - 404

-- BEGIN SHA512/256(`${alphabetize(name)}@${order(version)}`) --
@COMPANY_NAME/mobile-common@1.0.0-df23950
-- END HASH--
Saving 1 trees
Saving 1 hoisted_dependencies
Saving 1 resolutions
Saving 1 dependencies
Saving 0 extern_strings
Saving 162 string_bytes

So it looks like even tho bun downloaded the package, it still tries to resolve it through the default registry and fails. In fact, w/o clearing the has the same thing happens. Am I doing something wrong? Tried older versions to no avail

[vkorn]

ok, nvm, totally my fault: yarn publish for some reason botches tarball location and even tho it publishes to the private registry, it puts yarnpkg into manifest. Publishing with npm works.

[ReneWerner87]

workaround
.bunfig.toml in $HOME or bunfig.toml in project root

with

[install]
registry = "https://yourPrivateRegistry.io"

see
https://bun.sh/docs/runtime/configuration#private-scopes-and-registries
https://bun.sh/docs/install/registries

[davioliveira-dev]

There are a solution for azure arctifacts ? It still not working 😢

[artob]

@Electroid Will .npmrc be supported in Bun 1.0, to be released a week from now?

[sashalavron]

I faced issues while trying to setup .npmrc with private registry (jfrog) as well.
always have 401 or 403.

UPD:
Decoding of the password helped ✅

But supporting .npmrc by default would be a killer feature.

[AndriiZelenskyi]

@sashalavron Try to use the access token instead. It works fine for me. However, not all the artifacts are going to be downloaded because of the issues mentioned here and here

[Katalam]

Run into an error while installing font awesome pro.
bunfig.toml [install.scopes] "@fontawesome" = { token = "XXX", url = "https://npm.fontawesome.com/" }
Output: bun install bun install v1.0.0 (822a00c4) 🔍 @fortawesome/fontawesome-pro [1/1] error: package "@fortawesome/fontawesome-pro" not found registry.npmjs.org/@fortawesome/fontawesome-pro 404 error: @fortawesome/fontawesome-pro@^6.4.2 failed to resolve

this works for me:

~/.bunfig.toml

[install.scopes]
"@fortawesome" = { token = "XXX", url = "https://npm.fontawesome.com/" }

@it-can Sorry to ping you, but I'm uncertain if you monitor that issue. Did you try that in a GitHub action? That works locally for me, but the runner always gets a 401 response, doesn't matter what I'm doing

[it-can]

Run into an error while installing font awesome pro.
bunfig.toml [install.scopes] "@fontawesome" = { token = "XXX", url = "https://npm.fontawesome.com/" }
Output: bun install bun install v1.0.0 (822a00c4) 🔍 @fortawesome/fontawesome-pro [1/1] error: package "@fortawesome/fontawesome-pro" not found registry.npmjs.org/@fortawesome/fontawesome-pro 404 error: @fortawesome/fontawesome-pro@^6.4.2 failed to resolve

this works for me:
~/.bunfig.toml

[install.scopes]
"@fortawesome" = { token = "XXX", url = "https://npm.fontawesome.com/" }

@it-can Sorry to ping you, but I'm uncertain if you monitor that issue. Did you try that in a GitHub action? That works locally for me, but the runner always gets a 401 response, doesn't matter what I'm doing

no only using this locally

[razvantrufin]

For some reason it doesn't seem like it's replacing env variables when used in a URL.

[install.scopes]

"@org" = { url = "https://nexus.private.com/repository/group/:_auth=$NEXUS_TOKEN" }

this results in:

Request: GET /repository/group/@org/package
        Authorization: Basic $NEXUS_TOKEN
        npm-auth-type: legacy
...

Has anyone managed to get past this?

[giri-jeedigunta]

+1 to support the .npmrc No luck with Gihub packages. I'm running into error: error: ERR_TLS_CERT_ALTNAME_INVALID downloading package manifest @company-group/package

[sekwah41]

As others have noted, even when I move the details from npmrc the repo we have is expecting %2f rather than /

[jbidston]

As others have noted, even when I move the details from npmrc the repo we have is expecting %2f rather than /

I've created #5076 to call this out specifically.

[Maxssobolev]

@drabelo That doesn't work for me (bun 0.4 & private nexus repository). Is there a way to find out that bun even sees the ~/.bunfig.toml? On my side it still tries to find all the packages at registry.npmjs.org

Same issue.
I have a package in my organization i have to install.
This is my .bunfig.toml :

[install.scopes]
"@stud-log/news-types" = { url = "https://npm.pkg.github.com/:_authToken=TOKEN", "username" = "maxssobolev" }

but bun install still search it in registry.npmjs.org...
ERROR: package "@stud-log/news-types" not found registry.npmjs.org/@stud-log/news-types 404

[sekwah41]

@drabelo That doesn't work for me (bun 0.4 & private nexus repository). Is there a way to find out that bun even sees the ~/.bunfig.toml? On my side it still tries to find all the packages at registry.npmjs.org

Same issue. I have a package in my organization i have to install. This is my .bunfig.toml :

[install.scopes]
"@stud-log/news-types" = { url = "https://npm.pkg.github.com/:_authToken=TOKEN", "username" = "maxssobolev" }

but bun install still search it in registry.npmjs.org... ERROR: package "@stud-log/news-types" not found registry.npmjs.org/@stud-log/news-types 404

This may be due to the same issue I am having where it encodes /'s different to how NPM does.

There is already an issue raised for this which @jbidston has mentioned

[sydcanem]

Sharing this working bunfig.toml we used in our project. Works for private npm registries.

[install]
registry = { url = "https://registry.npmjs.org/:_authToken=$token"}

[install.scopes]
"@private" = { token = "$token", url = "https://registry.npmjs.org/" }

[lukeed]

Also posting my working solution: #4654 (comment)

[GerbenRampaart]

Is this still on the list? In companies with on-prem private registries and lots and lots of projects with a npmrc this is so annoying.

Pretty please with sugar on top?

[tkow]

I recently made a tool to set repository's credentials for gcp's artifact registries in this repo.
It has potential to convert .npmrc into bun.toml though it still only supports registry configuration now. If bun's supporters want this features, I can make this library more generally to read all bun compatible parameters and merge them to bunfig.toml. But, in my opinion, It should be better to make bun read .npmrc if it exits and merge with bunfig.toml parameters and I may be able to implement it if I learn how to map bunfig.toml parameters to config values in bun runtime. Is there what I can help?

[hussain-nz]

Sharing some gotchas in case it can help resolve someone's errors (404/401) : #4654 (comment)

[zackradisic]

I am working on this right now (WIP PR here)

[Jarred-Sumner]

Support for reading .npmrc files lands in Bun v1.1.18, thanks to @zackradisic.

If you want to try it before Bun v1.1.18 is released:

bun upgrade --canary

If reading .npmrc files doesn't work as expected, please open a new issue showing what went wrong and ideally include a reproduction.

[andreasvh-conceto]

@Jarred-Sumner would be great to adjust the documentation, since the following is not valid anymore: https://bun.sh/docs/install/registries#npmrc

[Barzi-Ahmed]

@Jarred-Sumner please update the docs so that new users know it's supported. It took me to search web to realise i can use npmrc. thank you.

https://bun.sh/docs/install/registries#npmrc

[tobowers]

it apparently doesn't read from $HOME/.npmrc though