npmrc file not respected by package-lock.json

What I Wanted to Do

Install packages from the specified URL in the package-lock.json file, using a global .npmrc file at the user’s home directory to specify the registry NPM should check.

What Happened Instead

Since the specified registry in the global .npmrc was unreachable, NPM decided to install the packages from the official NPM registry instead upon running npm install (or npm ci for our CI).

This was unexpected and unpredictable, since the package-lock.json should have failed the installation when the registry was unreachable.

Alternatively, moving the .npmrc to the project directory (instead of user’s home directory), the installation hangs, trying to resolve the registry indefinitely (visible step: fetchMetadata: sill install loadAllDepsIntoIdealTree).

The fields in the .npmrc are:

  • email
  • always-auth
  • _auth
  • registry

where always-auth is set to true, and the other fields are for authentication with the custom registry.

Reproduction Steps

  1. Host a mirror or custom NPM registry, and point a project to this repository (through a .npmrc file located at the user’s home directory)
  2. Run npm install inside of the project. This should produce a package-lock.json, which should have the custom NPM registry listed as the package locations upon further inspection.
  3. Make the custom NPM registry unreachable.
  4. Run npm ci for a full rebuild (or delete the node_modules directory and run npm install again).
  5. Installation should succeed (unexpected behavior)

Alternative steps using a project-based .npmrc file:

  1. Host a mirror or custom NPM registry, and point a project to this repository (through a .npmrc file located at the project root)
  2. Run npm install inside of the project. This should produce a package-lock.json, which should have the custom NPM registry listed as the package locations upon further inspection.
  3. Make the custom NPM registry unreachable.
  4. Run npm ci for a full rebuild (or delete the node_modules directory and run npm install again).
  5. Installation will hang, trying to resolve registry (unexpected behavior?)

Platform Info

npm --versions

{ 'component-project': '0.0.0',
  npm: '6.4.1',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.1',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.12',
  zlib: '1.2.11' 
}

node -p process.platform

darwin

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.