Skip to content

fix(lambda-nodejs): copy .npmrc for pnpm to enable private registry authentication #36587

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sebastianplesciuc wants to merge 4 commits into
base: main
Choose a base branch
from
Open

fix(lambda-nodejs): copy .npmrc for pnpm to enable private registry authentication #36587

sebastianplesciuc wants to merge 4 commits into from
+47 −0

Conversation

@sebastianplesciuc
Copy link

@sebastianplesciuc sebastianplesciuc commented Jan 6, 2026

Issue # 36567

Closes #36567

Reason for this change

When using nodeModules with pnpm, CDK creates a pnpm-workspace.yaml in the bundling directory (added in #21911). This causes pnpm to treat the bundling directory as a standalone workspace root, which prevents it from inheriting .npmrc configuration from parent directories. This breaks authentication for packages from private registries.

Description of changes

When pnpm is detected and nodeModules is specified, copy the project's .npmrc (if it exists) to the bundling directory alongside pnpm-workspace.yaml. This allows pnpm to find auth tokens for private registries.

Describe any new or updated permissions being added

N/A

Description of how you validated changes

  • Added unit test 'pnpm with nodeModules copies .npmrc for private registry authentication'
  • All existing tests pass (120/120)

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@sebastianplesciuc
fix(lambda-nodejs): copy .npmrc for pnpm to enable private registry a…
6a169e9 
…uthentication

When using nodeModules with pnpm, CDK creates a pnpm-workspace.yaml which
prevents pnpm from inheriting .npmrc from parent directories. This fix
copies the project's .npmrc to the bundling directory when it exists.

Fixes aws#36567
@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. effort/medium Medium work item – several days of effort labels Jan 6, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team January 6, 2026 10:14
@github-actions github-actions bot added the p2 label Jan 6, 2026
aws-cdk-automation
aws-cdk-automation requested changes Jan 6, 2026
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ A exemption request has been requested. Please wait for a maintainer's review.

@sebastianplesciuc
Copy link
Author

sebastianplesciuc commented Jan 6, 2026

Exemption Request

This fix modifies the Docker bundling command to copy .npmrc when using pnpm with nodeModules. Integration test snapshots only capture CloudFormation templates, not bundling commands - the bundling command is executed at synth time and only the resulting asset hash appears in the snapshot.

The fix is covered by a unit test that verifies the bundling command includes cp .npmrc when .npmrc exists. The existing integ.dependencies-pnpm.ts test validates pnpm bundling works correctly.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Jan 6, 2026
This was referenced Jan 6, 2026
Open
Open
@sebastianplesciuc
Copy link
Author

sebastianplesciuc commented Jan 7, 2026

PR Update: Changed approach from file copy to base64 encoding

The initial implementation failed the integration test because it tried to copy .npmrc using a relative path. In Docker bundling, only projectRoot is mounted as /asset-input, so when .npmrc is outside projectRoot (common in pnpm monorepos where .npmrc is at workspace root), the file copy fails with "No such file or directory".

New approach

  • Read .npmrc content at CDK synth time
  • Base64 encode it and embed in the bundling command
  • Decode at runtime using echo '<base64>' | base64 -d > .npmrc

This works because:

  1. The file is read during synth (when it's accessible), not during Docker bundling
  2. Base64 avoids shell escaping issues with special characters in .npmrc (quotes, tokens, etc.)
  3. Works for both local and Docker bundling

Testing

  • Unit tests pass
  • Integration test (integ.dependencies-pnpm.js) ran successfully locally and snapshot is unchanged
  • Added .testnpmrc fixture file for unit testing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. effort/medium Medium work item – several days of effort p2 pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

(lambda-nodejs): nodeModules with pnpm doesn't inherit project .npmrc for private registry authentication

2 participants

@sebastianplesciuc @aws-cdk-automation