-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
config: accept auth tokens from environment variables #8
Conversation
An alternative more limited approach would be to duplicate this block of code that looks for the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I think we would much rather this be a single special-case for _authToken
and nothing else. Could you push that version instead?
As discussed on npm.community[1], the fact that npm registry authentication tokens cannot be defined using environment variables does not seem justified anymore. The restriction is caused by the config loader translating * all `_` to `-` * the whole variable name to lowercase while the credential checker expects a key ending in `:_authToken`. This change fixes the problem by having the credential checker try a key ending in `:-authtoken` after it tried `:_authToken`. Closes npm/npm#15565 [1]: https://npm.community/t/cannot-set-npm-config-keys-containing-underscores-registry-auth-tokens-for-example-via-npm-config-environment-variables/233
Of course, here you go. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! This looks great to me! 🎉
The windows environment is not case sensitive, so we should take care to ensure that this works regardless of the case of the env var. (I've not yet checked to see if this is or isn't addressed yet, I just wanted to make sure this requirement was stated.) |
Yes, thank you for bringing this up, it is one of the problems this change works around: With this change it also tries |
This feature is really great, but I can't seem to get it working. $ npm --version
6.7.0 env var gets read ok: $ env "npm_config_//registry.npmjs.org/:_authToken=my-secret-token" npm config ls
; cli configs
metrics-registry = "https://registry.npmjs.org/"
scope = ""
user-agent = "npm/6.7.0 node/v8.12.0 darwin x64"
; environment configs
//registry.npmjs.org/:-authtoken = "my-secret-token"
; userconfig /Users/trevorah/.npmrc
always-auth = true
; builtin config undefined
prefix = "/usr/local"
; node bin location = /usr/local/bin/node
; cwd = /Users/trevorah/Development/something
; HOME = /Users/trevorah
; "npm config ls -l" to show all defaults.
but valid token doesn't get used: $ env "npm_config_//registry.npmjs.org/:_authToken=my-secret-token" npm whoami
npm ERR! code E401
npm ERR! 401 Unauthorized - GET https://registry.npmjs.org/-/whoami
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/trevorah/.npm/_logs/2019-01-29T16_44_41_403Z-debug.log Am I doing something wrong? EDIT: $ npm whoami
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/trevorah/.npm/_logs/2019-01-29T16_52_19_586Z-debug.log |
Another issue is that (at least on OSX with bash) the variable name in invalid:
|
Npm's CLI is broken because it doesn't respect the auth token being provided via the environment when publishing despite npm/cli#8 GitHub's node action is broken because it doesn't respect the scope and registry config as provided via package.json. And npmjs.org registry is broken because it doesn't support named tokens, nor tokens that skip OTP. Ergo, in order to publish via github actions, my user profile 2fa must be downgraded to auth-only and the package 2fa must be disabled. OMFG
This is a retake on #130. Although npm/cli#8 claims to have support for `npm_config_//registry.npmjs.org/:_authToken=` usage, my tests and the reports on the internet says this still doesn't work, even with the latest npm (7.0.15 at the time). The only way to pass the token is to have the `authToken` line in an `.npmrc` file. The quick&dirty way would have been to create one in the project directory but that may collide with a potentially pre-existing project `.npmrc`. Trying to merge these seems more trouble than it is worth: https://github.com/actions/setup-node/blob/59e61b89511ed136a0b17773f07c349fa5c01e8b/src/authutil.ts (even worse as you'd need to revert these changes after the fact) The "better" solution I found is: 1. Create a temporary file as your npmrc 2. Put the token/registry line there 3. Tell npm to use that file as the user config 4. Use the `npm_config_userconfig` for the above to support yarn too This may still fail for yarn, see yarnpkg/yarn#4568.
This is a retake on #130. Although npm/cli#8 claims to have support for `npm_config_//registry.npmjs.org/:_authToken=` usage, my tests and the reports on the internet says this still doesn't work, even with the latest npm (7.0.15 at the time). The only way to pass the token is to have the `authToken` line in an `.npmrc` file. The quick&dirty way would have been to create one in the project directory but that may collide with a potentially pre-existing project `.npmrc`. Trying to merge these seems more trouble than it is worth: https://github.com/actions/setup-node/blob/59e61b89511ed136a0b17773f07c349fa5c01e8b/src/authutil.ts (even worse as you'd need to revert these changes after the fact) The "better" solution I found is: 1. Create a temporary file as your npmrc 2. Put the token/registry line there 3. Tell npm to use that file as the user config 4. Use the `npm_config_userconfig` for the above to support yarn too This may still fail for yarn, see yarnpkg/yarn#4568.
This is a retake on #130. Although npm/cli#8 claims to have support for `npm_config_//registry.npmjs.org/:_authToken=` usage, my tests and the reports on the internet says this still doesn't work, even with the latest npm (7.0.15 at the time). The only way to pass the token is to have the `authToken` line in an `.npmrc` file. The quick&dirty way would have been to create one in the project directory but that may collide with a potentially pre-existing project `.npmrc`. Trying to merge these seems more trouble than it is worth: https://github.com/actions/setup-node/blob/59e61b89511ed136a0b17773f07c349fa5c01e8b/src/authutil.ts (even worse as you'd need to revert these changes after the fact) The "better" solution I found is: 1. Create a temporary file as your npmrc 2. Put the token/registry line there 3. Tell npm to use that file as the user config 4. Use the `npm_config_userconfig` for the above to support yarn too
[![Mend Renovate logo banner](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@npmcli/arborist](https://github.com/npm/cli) | [`6.2.10` -> `6.5.0`](https://renovatebot.com/diffs/npm/@npmcli%2farborist/6.2.10/6.5.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@npmcli%2farborist/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@npmcli%2farborist/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@npmcli%2farborist/6.2.10/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@npmcli%2farborist/6.2.10/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>npm/cli (@​npmcli/arborist)</summary> ### [`v6.5.0`](https://github.com/npm/cli/releases/tag/v6.5.0) [Compare Source](https://github.com/npm/cli/compare/v6.4.0...v6.5.0) ##### NEW FEATURES - [`fc1a8d185`](https://github.com/npm/cli/commit/fc1a8d185fc678cdf3784d9df9eef9094e0b2dec) Backronym `npm ci` to `npm clean-install`. ([@​zkat](https://github.com/zkat)) - [`4be51a9cc`](https://github.com/npm/cli/commit/4be51a9cc65635bb26fa4ce62233f26e0104bc20) [#​81](https://github.com/npm/cli/pull/81) Adds 'Homepage' to outdated --long output. ([@​jbottigliero](https://github.com/jbottigliero)) ##### BUGFIXES - [`89652cb9b`](https://github.com/npm/cli/commit/89652cb9b810f929f5586fc90cc6794d076603fb) [npm.community#1661](https://npm.community/t/https://npm.community/t/1661) Fix sign-git-commit options. They were previously totally wrong. ([@​zkat](https://github.com/zkat)) - [`414f2d1a1`](https://github.com/npm/cli/commit/414f2d1a1bdffc02ed31ebb48a43216f284c21d4) [npm.community#1742](https://npm.community/t/npm-audit-making-non-rfc-compliant-requests-to-server-resulting-in-400-bad-request-pr-with-fix/1742) Set lowercase headers for npm audit requests. ([@​maartenba](https://github.com/maartenba)) - [`a34246baf`](https://github.com/npm/cli/commit/a34246bafe73218dc9e3090df9ee800451db2c7d) [#​75](https://github.com/npm/cli/pull/75) Fix `npm edit` handling of scoped packages. ([@​larsgw](https://github.com/larsgw))\* [`d3e8a7c72`](https://github.com/npm/cli/commit/d3e8a7c7240dd25379a5bcad324a367c58733c73) [npm.community#2303](https://npm.community/t/npm-ci-logs-success-to-stderr/2303) Make summary output for `npm ci` go to `stdout`, not `stderr`. ([@​alopezsanchez](https://github.com/alopezsanchez)) - [`71d8fb4a9`](https://github.com/npm/cli/commit/71d8fb4a94d65e1855f6d0c5f2ad2b7c3202e3c4) [npm.community#1377](https://npm.community/t/unhelpful-error-message-when-publishing-without-logging-in-error-eperm-operation-not-permitted-unlink/1377/3) Close the file descriptor during publish if exiting upload via an error. This will prevent strange error messages when the upload fails and make sure cleanup happens correctly. ([@​macdja38](https://github.com/macdja38)) ##### DOCS UPDATES - [`b1a8729c8`](https://github.com/npm/cli/commit/b1a8729c80175243fbbeecd164e9ddd378a09a50) [#​60](https://github.com/npm/cli/pull/60) Mention --otp flag when prompting for OTP. ([@​bakkot](https://github.com/bakkot)) - [`bcae4ea81`](https://github.com/npm/cli/commit/bcae4ea8173e489a76cc226bbd30dd9eabe21ec6) [#​64](https://github.com/npm/cli/pull/64) Clarify that git dependencies use the default branch, not just `master`. ([@​zckrs](https://github.com/zckrs)) - [`15da82690`](https://github.com/npm/cli/commit/15da8269032bf509ade3252978e934f2a61d4499) [#​72](https://github.com/npm/cli/pull/72) `bash_completion.d` dir is sometimes found in `/etc` not `/usr/local`. ([@​RobertKielty](https://github.com/RobertKielty)) - [`8a6ecc793`](https://github.com/npm/cli/commit/8a6ecc7936dae2f51638397ff5a1d35cccda5495) [#​74](https://github.com/npm/cli/pull/74) Update OTP documentation for `dist-tag add` to clarify `--otp` is needed right now. ([@​scotttrinh](https://github.com/scotttrinh)) - [`dcc03ec85`](https://github.com/npm/cli/commit/dcc03ec858bddd7aa2173b5a86b55c1c2385a2a3) [#​82](https://github.com/npm/cli/pull/82) Note that `prepare` runs when installing git dependencies. ([@​seishun](https://github.com/seishun)) - [`a91a470b7`](https://github.com/npm/cli/commit/a91a470b71e08ccf6a75d4fb8c9937789fa8d067) [#​83](https://github.com/npm/cli/pull/83) Specify that --dry-run isn't available in older versions of npm publish. ([@​kjin](https://github.com/kjin)) - [`1b2fabcce`](https://github.com/npm/cli/commit/1b2fabccede37242233755961434c52536224de5) [#​96](https://github.com/npm/cli/pull/96) Fix inline code tag issue in docs. ([@​midare](https://github.com/midare)) - [`6cc70cc19`](https://github.com/npm/cli/commit/6cc70cc1977e58a3e1ea48e660ffc6b46b390e59) [#​68](https://github.com/npm/cli/pull/68) Add semver link and a note on empty string format to `deprecate` doc. ([@​neverett](https://github.com/neverett)) - [`61dbbb7c3`](https://github.com/npm/cli/commit/61dbbb7c3474834031bce88c423850047e8131dc) Fix semver docs after version update. ([@​zkat](https://github.com/zkat)) - [`4acd45a3d`](https://github.com/npm/cli/commit/4acd45a3d0ce92f9999446226fe7dfb89a90ba2e) [#​78](https://github.com/npm/cli/pull/78) Correct spelling across various docs. ([@​hugovk](https://github.com/hugovk)) ##### DEPENDENCIES - [`4f761283e`](https://github.com/npm/cli/commit/4f761283e8896d0ceb5934779005646463a030e8) `[email protected]` ([@​zkat](https://github.com/zkat)) - [`3706db0bc`](https://github.com/npm/cli/commit/3706db0bcbc306d167bb902362e7f6962f2fe1a1) [npm.community#1764](https://npm.community/t/crash-invalid-config-key-requested-error/1764) `[email protected]` ([@​zkat](https://github.com/zkat)) - [`83c2b117d`](https://github.com/npm/cli/commit/83c2b117d0b760d0ea8d667e5e4bdfa6a7a7a8f6) `[email protected]` ([@​petkaantonov](https://github.com/petkaantonov)) - [`2702f46bd`](https://github.com/npm/cli/commit/2702f46bd7284fb303ca2119d23c52536811d705) `[email protected]` ([@​watson](https://github.com/watson)) - [`4db6c3898`](https://github.com/npm/cli/commit/4db6c3898b07100e3a324e4aae50c2fab4b93a04) `[email protected]`:2 ([@​dawsbot](https://github.com/dawbot)) - [`70bee4f69`](https://github.com/npm/cli/commit/70bee4f69bb4ce4e18c48582fe2b48d8b4aba566) `[email protected]` ([@​isaacs](https://github.com/isaacs)) - [`e469fd6be`](https://github.com/npm/cli/commit/e469fd6be95333dcaa7cf377ca3620994ca8d0de) `[email protected]`: Fix browser opening under Windows Subsystem for Linux (WSL). ([@​thijsputman](https://github.com/thijsputman)) - [`03840dced`](https://github.com/npm/cli/commit/03840dced865abdca6e6449ea030962e5b19db0c) `[email protected]` ([@​iarna](https://github.com/iarna)) - [`161dc0b41`](https://github.com/npm/cli/commit/161dc0b4177e76306a0e3b8660b3b496cc3db83b) `[email protected]` ([@​petkaantonov](https://github.com/petkaantonov)) - [`bb6f94395`](https://github.com/npm/cli/commit/bb6f94395491576ec42996ff6665df225f6b4377) `[email protected]`:5 ([@​isaacs](https://github.com/isaacs)) - [`43b1f4c91`](https://github.com/npm/cli/commit/43b1f4c91fa1d7b3ebb6aa2d960085e5f3ac7607) `[email protected]` ([@​isaacs](https://github.com/isaacs)) - [`ab62afcc4`](https://github.com/npm/cli/commit/ab62afcc472de82c479bf91f560a0bbd6a233c80) `[email protected]`:2 ([@​isaacs](https://github.com/isaacs)) - [`027f06be3`](https://github.com/npm/cli/commit/027f06be35bb09f390e46fcd2b8182539939d1f7) `[email protected]` ([@​watson](https://github.com/watson)) ##### MISCELLANEOUS - [`27217dae8`](https://github.com/npm/cli/commit/27217dae8adbc577ee9cb323b7cfe9c6b2493aca) [#​70](https://github.com/npm/cli/pull/70) Automatically audit dependency licenses for npm itself. ([@​kemitchell](https://github.com/kemitchell)) ### [`v6.4.0`](https://github.com/npm/cli/releases/tag/v6.4.0) [Compare Source](https://github.com/npm/cli/compare/v6.3.0...v6.4.0) ##### NEW FEATURES - [`6e9f04b0b`](https://github.com/npm/cli/commit/6e9f04b0baed007169d4e0c341f097cf133debf7) [npm/cli#8](https://github.com/npm/cli/pull/8) Search for authentication token defined by environment variables by preventing the translation layer from env variable to npm option from breaking `:_authToken`. ([@​mkhl](https://github.com/mkhl)) - [`84bfd23e7`](https://github.com/npm/cli/commit/84bfd23e7d6434d30595594723a6e1976e84b022) [npm/cli#35](https://github.com/npm/cli/pull/35) Stop filtering out non-IPv4 addresses from `local-addrs`, making npm actually use IPv6 addresses when it must. ([@​valentin2105](https://github.com/valentin2105)) - [`792c8c709`](https://github.com/npm/cli/commit/792c8c709dc7a445687aa0c8cba5c50bc4ed83fd) [npm/cli#31](https://github.com/npm/cli/pull/31) configurable audit level for non-zero exit `npm audit` currently exits with exit code 1 if any vulnerabilities are found of any level. Add a flag of `--audit-level` to `npm audit` to allow it to pass if only vulnerabilities below a certain level are found. Example: `npm audit --audit-level=high` will exit with 0 if only low or moderate level vulns are detected. ([@​lennym](https://github.com/lennym)) ##### BUGFIXES - [`d81146181`](https://github.com/npm/cli/commit/d8114618137bb5b9a52a86711bb8dc18bfc8e60c) [npm/cli#32](https://github.com/npm/cli/pull/32) Don't check for updates to npm when we are updating npm itself. ([@​olore](https://github.com/olore)) ##### DEPENDENCY UPDATES A very special dependency update event! Since the [release of `[email protected]`](https://github.com/nodejs/node-gyp/pull/1521), an awkward version conflict that was preventing `request` from begin flattened was resolved. This means two things: 1. We've cut down the npm tarball size by another 200kb, to 4.6MB 2. `npm audit` now shows no vulnerabilities for npm itself! Thanks, [@​rvagg](https://github.com/rvagg)! - [`866d776c2`](https://github.com/npm/cli/commit/866d776c27f80a71309389aaab42825b2a0916f6) `[email protected]` ([@​simov](https://github.com/simov)) - [`f861c2b57`](https://github.com/npm/cli/commit/f861c2b579a9d4feae1653222afcefdd4f0e978f) `[email protected]` ([@​rvagg](https://github.com/rvagg)) - [`32e6947c6`](https://github.com/npm/cli/commit/32e6947c60db865257a0ebc2f7e754fedf7a6fc9) [npm/cli#39](https://github.com/npm/cli/pull/39) `[email protected]`: REVERT REVERT, newer versions of this library are broken and print ansi codes even when disabled. ([@​iarna](https://github.com/iarna)) - [`beb96b92c`](https://github.com/npm/cli/commit/beb96b92caf061611e3faafc7ca10e77084ec335) `[email protected]` ([@​zkat](https://github.com/zkat)) - [`348fc91ad`](https://github.com/npm/cli/commit/348fc91ad223ff91cd7bcf233018ea1d979a2af1) `[email protected]`: Fixes errors with empty or string-only license fields. ([@​Gudahtt](https://github.com/Gudahtt)) - [`e57d34575`](https://github.com/npm/cli/commit/e57d3457547ef464828fc6f82ae4750f3e511550) `[email protected]` ([@​shesek](https://github.com/shesek)) - [`46f1c6ad4`](https://github.com/npm/cli/commit/46f1c6ad4b2fd5b0d7ec879b76b76a70a3a2595c) `[email protected]` ([@​isaacs](https://github.com/isaacs)) - [`50df1bf69`](https://github.com/npm/cli/commit/50df1bf691e205b9f13e0fff0d51a68772c40561) `[email protected]` ([@​iarna](https://github.com/iarna)) ([@​Erveon](https://github.com/Erveon)) ([@​huochunpeng](https://github.com/huochunpeng)) ##### DOCUMENTATION - [`af98e76ed`](https://github.com/npm/cli/commit/af98e76ed96af780b544962aa575585b3fa17b9a) [npm/cli#34](https://github.com/npm/cli/pull/34) Remove `npm publish` from list of commands not affected by `--dry-run`. ([@​joebowbeer](https://github.com/joebowbeer)) - [`e2b0f0921`](https://github.com/npm/cli/commit/e2b0f092193c08c00f12a6168ad2bd9d6e16f8ce) [npm/cli#36](https://github.com/npm/cli/pull/36) Tweak formatting in repository field examples. ([@​noahbenham](https://github.com/noahbenham)) - [`e2346e770`](https://github.com/npm/cli/commit/e2346e7702acccefe6d711168c2b0e0e272e194a) [npm/cli#14](https://github.com/npm/cli/pull/14) Used `process.env` examples to make accessing certain `npm run-scripts` environment variables more clear. ([@​mwarger](https://github.com/mwarger)) ### [`v6.3.0`](https://github.com/npm/cli/blob/HEAD/workspaces/arborist/CHANGELOG.md#630-2023-07-05) ##### Features - [`67459e7`](https://github.com/npm/cli/commit/67459e7b56a5e8d2b4f8eb3a0487183013c63b99) [#​6626](https://github.com/npm/cli/pull/6626) add `pkg fix` subcommand ([@​wraithgar](https://github.com/wraithgar)) ##### Bug Fixes - [`c61e037`](https://github.com/npm/cli/commit/c61e0376408240590bfc712fe9fdadd7dc9a48bc) [#​6626](https://github.com/npm/cli/pull/6626) use new load/create syntax for package-json ([@​wraithgar](https://github.com/wraithgar)) ##### Dependencies - [`b252164`](https://github.com/npm/cli/commit/b252164dd5c866bf2d25c96836ad829d4d6909ee) [#​6626](https://github.com/npm/cli/pull/6626) `@npmcli/[email protected]` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/redwoodjs/redwood). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuNDYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
[![Mend Renovate logo banner](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@npmcli/arborist](https://github.com/npm/cli) | [`6.2.10` -> `6.5.0`](https://renovatebot.com/diffs/npm/@npmcli%2farborist/6.2.10/6.5.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@npmcli%2farborist/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@npmcli%2farborist/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@npmcli%2farborist/6.2.10/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@npmcli%2farborist/6.2.10/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>npm/cli (@​npmcli/arborist)</summary> ### [`v6.5.0`](https://github.com/npm/cli/releases/tag/v6.5.0) [Compare Source](https://github.com/npm/cli/compare/v6.4.0...v6.5.0) ##### NEW FEATURES - [`fc1a8d185`](https://github.com/npm/cli/commit/fc1a8d185fc678cdf3784d9df9eef9094e0b2dec) Backronym `npm ci` to `npm clean-install`. ([@​zkat](https://github.com/zkat)) - [`4be51a9cc`](https://github.com/npm/cli/commit/4be51a9cc65635bb26fa4ce62233f26e0104bc20) [#​81](https://github.com/npm/cli/pull/81) Adds 'Homepage' to outdated --long output. ([@​jbottigliero](https://github.com/jbottigliero)) ##### BUGFIXES - [`89652cb9b`](https://github.com/npm/cli/commit/89652cb9b810f929f5586fc90cc6794d076603fb) [npm.community#1661](https://npm.community/t/https://npm.community/t/1661) Fix sign-git-commit options. They were previously totally wrong. ([@​zkat](https://github.com/zkat)) - [`414f2d1a1`](https://github.com/npm/cli/commit/414f2d1a1bdffc02ed31ebb48a43216f284c21d4) [npm.community#1742](https://npm.community/t/npm-audit-making-non-rfc-compliant-requests-to-server-resulting-in-400-bad-request-pr-with-fix/1742) Set lowercase headers for npm audit requests. ([@​maartenba](https://github.com/maartenba)) - [`a34246baf`](https://github.com/npm/cli/commit/a34246bafe73218dc9e3090df9ee800451db2c7d) [#​75](https://github.com/npm/cli/pull/75) Fix `npm edit` handling of scoped packages. ([@​larsgw](https://github.com/larsgw))\* [`d3e8a7c72`](https://github.com/npm/cli/commit/d3e8a7c7240dd25379a5bcad324a367c58733c73) [npm.community#2303](https://npm.community/t/npm-ci-logs-success-to-stderr/2303) Make summary output for `npm ci` go to `stdout`, not `stderr`. ([@​alopezsanchez](https://github.com/alopezsanchez)) - [`71d8fb4a9`](https://github.com/npm/cli/commit/71d8fb4a94d65e1855f6d0c5f2ad2b7c3202e3c4) [npm.community#1377](https://npm.community/t/unhelpful-error-message-when-publishing-without-logging-in-error-eperm-operation-not-permitted-unlink/1377/3) Close the file descriptor during publish if exiting upload via an error. This will prevent strange error messages when the upload fails and make sure cleanup happens correctly. ([@​macdja38](https://github.com/macdja38)) ##### DOCS UPDATES - [`b1a8729c8`](https://github.com/npm/cli/commit/b1a8729c80175243fbbeecd164e9ddd378a09a50) [#​60](https://github.com/npm/cli/pull/60) Mention --otp flag when prompting for OTP. ([@​bakkot](https://github.com/bakkot)) - [`bcae4ea81`](https://github.com/npm/cli/commit/bcae4ea8173e489a76cc226bbd30dd9eabe21ec6) [#​64](https://github.com/npm/cli/pull/64) Clarify that git dependencies use the default branch, not just `master`. ([@​zckrs](https://github.com/zckrs)) - [`15da82690`](https://github.com/npm/cli/commit/15da8269032bf509ade3252978e934f2a61d4499) [#​72](https://github.com/npm/cli/pull/72) `bash_completion.d` dir is sometimes found in `/etc` not `/usr/local`. ([@​RobertKielty](https://github.com/RobertKielty)) - [`8a6ecc793`](https://github.com/npm/cli/commit/8a6ecc7936dae2f51638397ff5a1d35cccda5495) [#​74](https://github.com/npm/cli/pull/74) Update OTP documentation for `dist-tag add` to clarify `--otp` is needed right now. ([@​scotttrinh](https://github.com/scotttrinh)) - [`dcc03ec85`](https://github.com/npm/cli/commit/dcc03ec858bddd7aa2173b5a86b55c1c2385a2a3) [#​82](https://github.com/npm/cli/pull/82) Note that `prepare` runs when installing git dependencies. ([@​seishun](https://github.com/seishun)) - [`a91a470b7`](https://github.com/npm/cli/commit/a91a470b71e08ccf6a75d4fb8c9937789fa8d067) [#​83](https://github.com/npm/cli/pull/83) Specify that --dry-run isn't available in older versions of npm publish. ([@​kjin](https://github.com/kjin)) - [`1b2fabcce`](https://github.com/npm/cli/commit/1b2fabccede37242233755961434c52536224de5) [#​96](https://github.com/npm/cli/pull/96) Fix inline code tag issue in docs. ([@​midare](https://github.com/midare)) - [`6cc70cc19`](https://github.com/npm/cli/commit/6cc70cc1977e58a3e1ea48e660ffc6b46b390e59) [#​68](https://github.com/npm/cli/pull/68) Add semver link and a note on empty string format to `deprecate` doc. ([@​neverett](https://github.com/neverett)) - [`61dbbb7c3`](https://github.com/npm/cli/commit/61dbbb7c3474834031bce88c423850047e8131dc) Fix semver docs after version update. ([@​zkat](https://github.com/zkat)) - [`4acd45a3d`](https://github.com/npm/cli/commit/4acd45a3d0ce92f9999446226fe7dfb89a90ba2e) [#​78](https://github.com/npm/cli/pull/78) Correct spelling across various docs. ([@​hugovk](https://github.com/hugovk)) ##### DEPENDENCIES - [`4f761283e`](https://github.com/npm/cli/commit/4f761283e8896d0ceb5934779005646463a030e8) `[email protected]` ([@​zkat](https://github.com/zkat)) - [`3706db0bc`](https://github.com/npm/cli/commit/3706db0bcbc306d167bb902362e7f6962f2fe1a1) [npm.community#1764](https://npm.community/t/crash-invalid-config-key-requested-error/1764) `[email protected]` ([@​zkat](https://github.com/zkat)) - [`83c2b117d`](https://github.com/npm/cli/commit/83c2b117d0b760d0ea8d667e5e4bdfa6a7a7a8f6) `[email protected]` ([@​petkaantonov](https://github.com/petkaantonov)) - [`2702f46bd`](https://github.com/npm/cli/commit/2702f46bd7284fb303ca2119d23c52536811d705) `[email protected]` ([@​watson](https://github.com/watson)) - [`4db6c3898`](https://github.com/npm/cli/commit/4db6c3898b07100e3a324e4aae50c2fab4b93a04) `[email protected]`:2 ([@​dawsbot](https://github.com/dawbot)) - [`70bee4f69`](https://github.com/npm/cli/commit/70bee4f69bb4ce4e18c48582fe2b48d8b4aba566) `[email protected]` ([@​isaacs](https://github.com/isaacs)) - [`e469fd6be`](https://github.com/npm/cli/commit/e469fd6be95333dcaa7cf377ca3620994ca8d0de) `[email protected]`: Fix browser opening under Windows Subsystem for Linux (WSL). ([@​thijsputman](https://github.com/thijsputman)) - [`03840dced`](https://github.com/npm/cli/commit/03840dced865abdca6e6449ea030962e5b19db0c) `[email protected]` ([@​iarna](https://github.com/iarna)) - [`161dc0b41`](https://github.com/npm/cli/commit/161dc0b4177e76306a0e3b8660b3b496cc3db83b) `[email protected]` ([@​petkaantonov](https://github.com/petkaantonov)) - [`bb6f94395`](https://github.com/npm/cli/commit/bb6f94395491576ec42996ff6665df225f6b4377) `[email protected]`:5 ([@​isaacs](https://github.com/isaacs)) - [`43b1f4c91`](https://github.com/npm/cli/commit/43b1f4c91fa1d7b3ebb6aa2d960085e5f3ac7607) `[email protected]` ([@​isaacs](https://github.com/isaacs)) - [`ab62afcc4`](https://github.com/npm/cli/commit/ab62afcc472de82c479bf91f560a0bbd6a233c80) `[email protected]`:2 ([@​isaacs](https://github.com/isaacs)) - [`027f06be3`](https://github.com/npm/cli/commit/027f06be35bb09f390e46fcd2b8182539939d1f7) `[email protected]` ([@​watson](https://github.com/watson)) ##### MISCELLANEOUS - [`27217dae8`](https://github.com/npm/cli/commit/27217dae8adbc577ee9cb323b7cfe9c6b2493aca) [#​70](https://github.com/npm/cli/pull/70) Automatically audit dependency licenses for npm itself. ([@​kemitchell](https://github.com/kemitchell)) ### [`v6.4.0`](https://github.com/npm/cli/releases/tag/v6.4.0) [Compare Source](https://github.com/npm/cli/compare/v6.3.0...v6.4.0) ##### NEW FEATURES - [`6e9f04b0b`](https://github.com/npm/cli/commit/6e9f04b0baed007169d4e0c341f097cf133debf7) [npm/cli#8](https://github.com/npm/cli/pull/8) Search for authentication token defined by environment variables by preventing the translation layer from env variable to npm option from breaking `:_authToken`. ([@​mkhl](https://github.com/mkhl)) - [`84bfd23e7`](https://github.com/npm/cli/commit/84bfd23e7d6434d30595594723a6e1976e84b022) [npm/cli#35](https://github.com/npm/cli/pull/35) Stop filtering out non-IPv4 addresses from `local-addrs`, making npm actually use IPv6 addresses when it must. ([@​valentin2105](https://github.com/valentin2105)) - [`792c8c709`](https://github.com/npm/cli/commit/792c8c709dc7a445687aa0c8cba5c50bc4ed83fd) [npm/cli#31](https://github.com/npm/cli/pull/31) configurable audit level for non-zero exit `npm audit` currently exits with exit code 1 if any vulnerabilities are found of any level. Add a flag of `--audit-level` to `npm audit` to allow it to pass if only vulnerabilities below a certain level are found. Example: `npm audit --audit-level=high` will exit with 0 if only low or moderate level vulns are detected. ([@​lennym](https://github.com/lennym)) ##### BUGFIXES - [`d81146181`](https://github.com/npm/cli/commit/d8114618137bb5b9a52a86711bb8dc18bfc8e60c) [npm/cli#32](https://github.com/npm/cli/pull/32) Don't check for updates to npm when we are updating npm itself. ([@​olore](https://github.com/olore)) ##### DEPENDENCY UPDATES A very special dependency update event! Since the [release of `[email protected]`](https://github.com/nodejs/node-gyp/pull/1521), an awkward version conflict that was preventing `request` from begin flattened was resolved. This means two things: 1. We've cut down the npm tarball size by another 200kb, to 4.6MB 2. `npm audit` now shows no vulnerabilities for npm itself! Thanks, [@​rvagg](https://github.com/rvagg)! - [`866d776c2`](https://github.com/npm/cli/commit/866d776c27f80a71309389aaab42825b2a0916f6) `[email protected]` ([@​simov](https://github.com/simov)) - [`f861c2b57`](https://github.com/npm/cli/commit/f861c2b579a9d4feae1653222afcefdd4f0e978f) `[email protected]` ([@​rvagg](https://github.com/rvagg)) - [`32e6947c6`](https://github.com/npm/cli/commit/32e6947c60db865257a0ebc2f7e754fedf7a6fc9) [npm/cli#39](https://github.com/npm/cli/pull/39) `[email protected]`: REVERT REVERT, newer versions of this library are broken and print ansi codes even when disabled. ([@​iarna](https://github.com/iarna)) - [`beb96b92c`](https://github.com/npm/cli/commit/beb96b92caf061611e3faafc7ca10e77084ec335) `[email protected]` ([@​zkat](https://github.com/zkat)) - [`348fc91ad`](https://github.com/npm/cli/commit/348fc91ad223ff91cd7bcf233018ea1d979a2af1) `[email protected]`: Fixes errors with empty or string-only license fields. ([@​Gudahtt](https://github.com/Gudahtt)) - [`e57d34575`](https://github.com/npm/cli/commit/e57d3457547ef464828fc6f82ae4750f3e511550) `[email protected]` ([@​shesek](https://github.com/shesek)) - [`46f1c6ad4`](https://github.com/npm/cli/commit/46f1c6ad4b2fd5b0d7ec879b76b76a70a3a2595c) `[email protected]` ([@​isaacs](https://github.com/isaacs)) - [`50df1bf69`](https://github.com/npm/cli/commit/50df1bf691e205b9f13e0fff0d51a68772c40561) `[email protected]` ([@​iarna](https://github.com/iarna)) ([@​Erveon](https://github.com/Erveon)) ([@​huochunpeng](https://github.com/huochunpeng)) ##### DOCUMENTATION - [`af98e76ed`](https://github.com/npm/cli/commit/af98e76ed96af780b544962aa575585b3fa17b9a) [npm/cli#34](https://github.com/npm/cli/pull/34) Remove `npm publish` from list of commands not affected by `--dry-run`. ([@​joebowbeer](https://github.com/joebowbeer)) - [`e2b0f0921`](https://github.com/npm/cli/commit/e2b0f092193c08c00f12a6168ad2bd9d6e16f8ce) [npm/cli#36](https://github.com/npm/cli/pull/36) Tweak formatting in repository field examples. ([@​noahbenham](https://github.com/noahbenham)) - [`e2346e770`](https://github.com/npm/cli/commit/e2346e7702acccefe6d711168c2b0e0e272e194a) [npm/cli#14](https://github.com/npm/cli/pull/14) Used `process.env` examples to make accessing certain `npm run-scripts` environment variables more clear. ([@​mwarger](https://github.com/mwarger)) ### [`v6.3.0`](https://github.com/npm/cli/blob/HEAD/workspaces/arborist/CHANGELOG.md#630-2023-07-05) ##### Features - [`67459e7`](https://github.com/npm/cli/commit/67459e7b56a5e8d2b4f8eb3a0487183013c63b99) [#​6626](https://github.com/npm/cli/pull/6626) add `pkg fix` subcommand ([@​wraithgar](https://github.com/wraithgar)) ##### Bug Fixes - [`c61e037`](https://github.com/npm/cli/commit/c61e0376408240590bfc712fe9fdadd7dc9a48bc) [#​6626](https://github.com/npm/cli/pull/6626) use new load/create syntax for package-json ([@​wraithgar](https://github.com/wraithgar)) ##### Dependencies - [`b252164`](https://github.com/npm/cli/commit/b252164dd5c866bf2d25c96836ad829d4d6909ee) [#​6626](https://github.com/npm/cli/pull/6626) `@npmcli/[email protected]` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/redwoodjs/redwood). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuNDYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
As discussed on npm.community, the fact that npm registry authentication tokens cannot be defined using environment variables does not seem justified anymore.
The restriction is caused by the config loader translating
_
to-
while the credential checker expects a key ending in
:_authToken
.As suggested, this change fixes the problem by limiting the translation by the config loader to the part before the first colon.
Closes npm/npm#15565