Add .npmrc file #1722
Add .npmrc file #1722
Conversation
Resolves a Security Supply Chain Violation Fix dotnet#1670
dotnet-issue-labeler
bot
added
the
needs-area-label
| @@ -0,0 +1,2 @@ | |||
| registry=https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/ | |||
| always-auth=true | |||
There was a problem hiding this comment.
I think this line is specific to aspnet core, and not even sure it's required anymore.
Had to deal with it during the holidays. If you look at all the other dotnet repos they don't have it. It's supposed to allow azdo to authenticate to the feeds (all the upstream ones) using the tokens configured in azdo. But these are public and shouldn't require auth. That's what I understood.
There was a problem hiding this comment.
@sebastienros not exactly. other repos don't do this b/c they don't use npm or yarn. and, auth is for updating the feed when an authorized person like you grabs packages from the upstream feed and updates lock files
There was a problem hiding this comment.
Javier told me 2 weeks ago and I already had forgotten.
So I believe we don't need that here. There is nothing that requires the feed to be updated (packages.lock file), right @eerhardt ?
There was a problem hiding this comment.
I'm just following the docs from the error: https://aka.ms/cfs/npm. See Mitigation Steps section.
There was a problem hiding this comment.
I merged what I had to unblock the supply chain validation. We can tweak this as we go.
danmoseley
added
area-engineering-systems
and removed
needs-area-label
Resolves a Security Supply Chain Violation
I copied this file and approach from https://github.com/dotnet/aspnetcore/blob/main/.npmrc.
Fix #1670
Microsoft Reviewers: Open in CodeFlow