What I Wanted to Do
I had a problem on my remote CI. So I decided to take the credentials of our private npm repository (via Nexus) and test a local publish. I logged in with user + password by using
npm adduser (which is an alias for
What Happened Instead
- I forgot to provide the registry when I executed
- This created a new user on the public npm repository instead of authenticating me.
- During the publish I provided the registry URL again. So the publish failed and brought me to the conclusion that I just created a new user with the user + password credentials of my internal npm registry.

npm adduser
Username: <choose a random string>
Password: <choose a random string>
Email: email@example.com
Logged in as on https://registry.npmjs.org/.

This behaviour is really dangerous. If the registry URL is not set (by accident or env failure) you could end up creating a new npm account followed by a publish of your internal artefact to the public npm.
The solution is easy - separate authentication and registration.
- Remove registration functionality from npm adduser/login
- Provide a separate cli action like npm register or npm registeruser
What are the motives to combine both concerns into npm adduser?
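
A guard for the failure mode described in the report above, as an added example that is not part of the original post and not npm's own code: a POSIX shell wrapper that refuses adduser, login and publish unless the registry in effect is the expected internal one. The registry URL and all function names are constructed placeholders, and scoped @scope:registry settings are not considered.

```shell
# Added example: guard npm commands that create accounts, store tokens or upload.
# EXPECTED_REGISTRY is a constructed placeholder; set it to your internal registry.
EXPECTED_REGISTRY="${EXPECTED_REGISTRY:-https://nexus.example.internal/repository/npm-private/}"

# Strip trailing slashes so ".../npm-private" and ".../npm-private/" compare equal.
normalize_registry() { printf '%s' "$1" | sed 's:/*$::'; }

# Print the registry a command would use: an explicit --registry argument wins,
# otherwise whatever npm resolves from .npmrc files and the environment.
effective_registry() {
    want_value=0
    for arg in "$@"; do
        if [ "$want_value" -eq 1 ]; then printf '%s\n' "$arg"; return 0; fi
        case "$arg" in
            --registry=*) printf '%s\n' "${arg#--registry=}"; return 0 ;;
            --registry)   want_value=1 ;;
        esac
    done
    npm config get registry 2>/dev/null
}

# Run npm, but fail closed for adduser/login/publish when the registry is wrong
# or cannot be determined (for example an unset variable in a CI environment).
guarded_npm() {
    case "$1" in
        adduser|login|publish)
            actual=$(effective_registry "$@") || actual=""
            if [ -z "$actual" ] ||
               [ "$(normalize_registry "$actual")" != "$(normalize_registry "$EXPECTED_REGISTRY")" ]; then
                echo "refusing 'npm $1': registry '$actual' is not $EXPECTED_REGISTRY" >&2
                return 1
            fi
            ;;
    esac
    npm "$@"
}
```

Sourcing this file and calling guarded_npm in place of npm in local shells and CI jobs makes a missing registry setting fail loudly before any account is created or package uploaded.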