[BUG] npm config set replaces environment variables in .npmrc #6183

Closed
2 tasks done
ghost opened this issue Feb 17, 2023 · 3 comments
Labels
Bug thing that needs fixing Priority 1 high priority issue Release 8.x work is associated with a specific npm 8 release

Comments

@ghost

ghost commented Feb 17, 2023

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm config replaces all environment variables in ~/.npmrc, e.g.:

root@ab19aeb5ad2d:/# export ANOTHER_NPM_TOKEN=foo
root@ab19aeb5ad2d:/# export NPM_DEPLOY_TOKEN=bar
root@ab19aeb5ad2d:/# cat ~/.npmrc
@mycompany:registry=https://git.mycompany.com/api/v4/projects/8/packages/npm/
//git.mycompany.com/api/v4/projects/8/packages/npm/:_authToken=${NPM_DEPLOY_TOKEN}
@someprivaterepo:registry=https://registry.npmjs.org
//registry.npmjs.org/:_authToken=${ANOTHER_NPM_TOKEN}

root@ab19aeb5ad2d:/# npm config set -- '//git.mycompany.com/api/v4/projects/8/packages/npm/:_authToken' '${NPM_DEPLOY_TOKEN}'

root@ab19aeb5ad2d:/# cat ~/.npmrc
@mycompany:registry=https://git.mycompany.com/api/v4/projects/8/packages/npm/
//git.mycompany.com/api/v4/projects/8/packages/npm/:_authToken=${NPM_DEPLOY_TOKEN}
@someprivaterepo:registry=https://registry.npmjs.org
//registry.npmjs.org/:_authToken=foo                                   <============= HERE

As you can see this line (completely unrelated to the invoked npm config command):

//registry.npmjs.org/:_authToken=${ANOTHER_NPM_TOKEN}

for some reason is being replaced with an actual variable value:

//registry.npmjs.org/:_authToken=foo 

Expected Behavior

npm config should not touch variables and lines of config completely unrelated to the invoked command, so line

//registry.npmjs.org/:_authToken=${ANOTHER_NPM_TOKEN}

should remain intact.

Steps To Reproduce

No response

Environment

  • npm: I've tried both 8.19.4 and 9.5.0 - they both show exactly the same behaviour.
  • Node.js: v18.12.0
  • OS Name: debian:bullseye docker image.
  • System Model Name:
  • npm config:
; "user" config from /root/.npmrc

@mycompany:registry = "https://git.mycompany.com/api/v4/projects/8/packages/npm/"
@someprivaterepo:registry = "https://registry.npmjs.org"
//git.mycompany.com/api/v4/projects/8/packages/npm/:_authToken = (protected)
//registry.npmjs.org/:_authToken = (protected)

; node bin location = /usr/local/bin/node
; node version = v18.12.0
; npm local prefix = /app
; npm version = 8.19.4
; cwd = /app
; HOME = /root
; Run `npm config ls -l` to show all defaults.
@ghost ghost added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Feb 17, 2023
@wraithgar
Member

This is not an npm problem; it is a shell problem. You need to escape the $ so that what npm actually gets is the literal string with the $ and not the environment variable.

bash-3.2$ npm config set //custom-server/:_authToken "${FOO}"
bash-3.2$ tail -1 ~/.npmrc
//custom-server/:_authToken=test
bash-3.2$ npm config set //custom-server/:_authToken "\${FOO}"
bash-3.2$ tail -1 ~/.npmrc
//custom-server/:_authToken=${FOO}

@ghost
Author

ghost commented Apr 4, 2023

@wraithgar unfortunately it doesn't fix anything - it still replaces a completely unrelated value in the config:

root@1a751f575fd0:/# export ANOTHER_NPM_TOKEN=foo
root@1a751f575fd0:/# export NPM_DEPLOY_TOKEN=bar
root@1a751f575fd0:/# cat > ~/.npmrc
@mycompany:registry=https://git.mycompany.com/api/v4/projects/8/packages/npm/
//git.mycompany.com/api/v4/projects/8/packages/npm/:_authToken=${NPM_DEPLOY_TOKEN}
@someprivaterepo:registry=https://registry.npmjs.org
//registry.npmjs.org/:_authToken=${ANOTHER_NPM_TOKEN}

root@1a751f575fd0:/# npm config set -- '//git.mycompany.com/api/v4/projects/8/packages/npm/:_authToken' "\${NPM_DEPLOY_TOKEN}"

root@1a751f575fd0:/# cat ~/.npmrc
@mycompany:registry=https://git.mycompany.com/api/v4/projects/8/packages/npm/
//git.mycompany.com/api/v4/projects/8/packages/npm/:_authToken=${NPM_DEPLOY_TOKEN}
@someprivaterepo:registry=https://registry.npmjs.org
//registry.npmjs.org/:_authToken=foo                                      < ======================== HERE

@wraithgar wraithgar reopened this Apr 4, 2023
@wraithgar wraithgar added Priority 1 high priority issue and removed Needs Triage needs review for next steps labels Apr 4, 2023
@ymatsiuk

ymatsiuk commented Apr 4, 2023

I can confirm that the problem described exists

/tmp # npm config set //custom-server-0/:_authToken "\${FOO}"
/tmp # cat .npmrc
//custom-server-0/:_authToken=${FOO}

/tmp # export FOO=foo
/tmp # npm config set //custom-server-1/:_authToken "\${BAR}"
/tmp # cat .npmrc
//custom-server-0/:_authToken=foo
//custom-server-1/:_authToken=${BAR}

/tmp # npm config set //custom-server-0/:_authToken "\${FOO}"
/tmp # cat .npmrc
//custom-server-0/:_authToken=${FOO}
//custom-server-1/:_authToken=${BAR}

npm is substituting variables that are present in environment with their values

@wraithgar wraithgar self-assigned this Apr 5, 2023
wraithgar added a commit that referenced this issue Apr 5, 2023
When ${X} values are read from an rc file, those values should be written back as-is when config is re-saved

Fixes #6183
wraithgar added a commit that referenced this issue Apr 12, 2023
When ${X} values are read from an rc file, those values should be written back as-is when config is re-saved

Fixes #6183
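
A minimal model of the behaviour discussed in this thread, added here as an illustration; it is not npm's code and not from any participant, and loadRc, setKey, saveExpanded, saveRaw and materializedTokens are hypothetical names. It shows how a loader that expands ${VAR} on read writes secrets to disk when the saver emits the expanded form, how writing the raw text back keeps placeholders intact, and how to audit an .npmrc for _authToken entries that are no longer placeholders.

```javascript
// Added illustration; not npm's source. All function names are hypothetical.
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const expand = (s, env) =>
  s.replace(/\$\{([^}]+)\}/g, (m, name) => (has(env, name) ? env[name] : m));

// Parse "key=value" lines, keeping both the raw text and the expanded value.
function loadRc(text, env) {
  const entries = new Map();
  for (const line of text.split('\n')) {
    const t = line.trim();
    if (!t || t.startsWith(';') || t.startsWith('#')) continue;
    const i = t.indexOf('=');
    if (i < 0) continue;
    const raw = t.slice(i + 1).trim();
    entries.set(t.slice(0, i).trim(), { raw, value: expand(raw, env) });
  }
  return entries;
}

// Model of "config set": only the named key changes in memory.
function setKey(entries, key, raw, env) {
  entries.set(key, { raw, value: expand(raw, env) });
}

// Behaviour reported in the issue: every entry is saved in expanded form.
const saveExpanded = (entries) =>
  [...entries].map(([k, e]) => `${k}=${e.value}`).join('\n') + '\n';

// Behaviour the fix commit describes: ${X} values are written back as-is.
const saveRaw = (entries) =>
  [...entries].map(([k, e]) => `${k}=${e.raw}`).join('\n') + '\n';

// Audit: _authToken keys whose on-disk value is not a lone ${VAR} placeholder.
function materializedTokens(text) {
  return [...loadRc(text, {})]
    .filter(([k, e]) => k.endsWith(':_authToken') && !/^\$\{[^}]+\}$/.test(e.raw))
    .map(([k]) => k);
}

// Constructed sample mirroring the reproduction posted in the thread.
function demo() {
  const env = { FOO: 'foo' };
  const entries = loadRc('//custom-server-0/:_authToken=${FOO}\n', env);
  setKey(entries, '//custom-server-1/:_authToken', '${BAR}', env);
  return { buggy: saveExpanded(entries), fixed: saveRaw(entries) };
}
```

Running materializedTokens over the .npmrc files on build agents that ran an affected npm version shows which tokens ended up on disk in clear text.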