Skip to content

[BUG] npm config set replaces environment variables in .npmrc #6183

New issue
New issue
Closed
Closed
[BUG] npm config set replaces environment variables in .npmrc#6183
Assignees
wraithgar
Labels
Bugthing that needs fixingPriority 1high priority issueRelease 8.xwork is associated with a specific npm 8 release
@ghost

Description

@ghost
ghost
opened on Feb 17, 2023

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm config replaces all environment variables variables in ~/.npmrc, e.g.:

root@ab19aeb5ad2d:/# export ANOTHER_NPM_TOKEN=foo
root@ab19aeb5ad2d:/# export NPM_DEPLOY_TOKEN=bar
root@ab19aeb5ad2d:/# cat ~/.npmrc
@mycompany:registry=https://git.mycompany.com/api/v4/projects/8/packages/npm/
//git.mycompany.com/api/v4/projects/8/packages/npm/:_authToken=${NPM_DEPLOY_TOKEN}
@someprivaterepo:registry=https://registry.npmjs.org
//registry.npmjs.org/:_authToken=${ANOTHER_NPM_TOKEN}

root@ab19aeb5ad2d:/# npm config set -- '//git.mycompany.com/api/v4/projects/8/packages/npm/:_authToken' '${NPM_DEPLOY_TOKEN}'

root@ab19aeb5ad2d:/# cat ~/.npmrc
@mycompany:registry=https://git.mycompany.com/api/v4/projects/8/packages/npm/
//git.mycompany.com/api/v4/projects/8/packages/npm/:_authToken=${NPM_DEPLOY_TOKEN}
@someprivaterepo:registry=https://registry.npmjs.org
//registry.npmjs.org/:_authToken=foo                                   <============= HERE

As you can see this line (completely unrelated to the invoked npm config command):

//registry.npmjs.org/:_authToken=${ANOTHER_NPM_TOKEN}

for some reason is being replaced with an actual variable value:

//registry.npmjs.org/:_authToken=foo

Expected Behavior

npm config should not touch variables and lines of config completely unrelated to the invoked command, so line

//registry.npmjs.org/:_authToken=${ANOTHER_NPM_TOKEN}

should remain intact.

Steps To Reproduce

No response

Environment

  • npm: I've tried both 8.19.4 and 9.5.0 - they both show exactly same behaviour.
  • Node.js: v18.12.0
  • OS Name: debian:bullseye docker image.
  • System Model Name:
  • npm config:
; "user" config from /root/.npmrc

@mycompany:registry = "https://git.mycompany.com/api/v4/projects/8/packages/npm/"
@someprivaterepo:registry = "https://registry.npmjs.org"
//git.mycompany.com/api/v4/projects/8/packages/npm/:_authToken = (protected)
//registry.npmjs.org/:_authToken = (protected)

; node bin location = /usr/local/bin/node
; node version = v18.12.0
; npm local prefix = /app
; npm version = 8.19.4
; cwd = /app
; HOME = /root
; Run `npm config ls -l` to show all defaults.

Metadata

Metadata

Assignees

Labels

Bugthing that needs fixingPriority 1high priority issueRelease 8.xwork is associated with a specific npm 8 release

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions