[BUG] no way to npm publish a tarball whose package.json includes publishConfig.registry to a private registry

[thw0rted]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

You can download the original TGZ format of a package using npm pack some-package. You can then re-publish this to a different registry using npm publish some-package*.tgz --registry=https://path/to/my/registry.

This works great for almost every public package, but there are a few that specify a registry with publishConfig.registry in their package.json. The problem is that npm publish peeks inside the tarball it's publishing to compute the final config used before uploading. I found this ancient, unresolved issue -- auto-closed while tagged "patch-welcome" -- about allowing the --registry command line option to overrule publishConfig.registry. As far as I can tell, nothing was ever done about it, so there seems to be no way to override this value without editing the TGZ, but that will change its integrity.

Expected Behavior

It should be possible to publish a TGZ package to any registry using some version of npm publish. The simplest solution is probably to fix precedence for --registry but any other workaround would also be acceptable.

Steps To Reproduce

1. npm pack yargs, then npm publish yargs*.tgz --registry=https://path/to/my/other/registry
2. npm pack zone.js, then npm publish zone.js*.tgz --registry=https://path/to/my/other/registry

The first commands should succeed while the second one fails with the error

npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in to https://wombat-dressing-room.appspot.com
npm ERR! need auth You need to authorize this machine using `npm adduser`

due to the custom registry here.

Environment

• npm: 9.6.2
• Node.js: 18.16.0
• OS Name: Windows 11

[ilichigor]

Maybe someone will come in handy, here is an example for npm 8.19.3.
You need to edit the publish.js file from the /usr/lib/node_modules/npm/lib/commands directory using any editor. Find the getManifest function and comment out the if (manifest.publishConfig) condition. Sample code for this action:

  async getManifest (spec, opts) {
    let manifest
    if (spec.type === 'directory') {
      manifest = await readJson(`${spec.fetchSpec}/package.json`)
    } else {
      manifest = await pacote.manifest(spec, {
        ...opts,
        fullmetadata: true,
        fullReadJson: true,
      })
    }
    //if (manifest.publishConfig) {
    //  flatten(manifest.publishConfig, opts)
    //}
    return manifest
  }

[GideonMax]

We have ran into this problem as well, as we need to publish packages to a private repo, and for some reason some packages have publishConfig.registry point to npm.
We have a workaround for it but it's time consuming and there is no reason why this bug should exist.
From a brief overview of the code, this can probably be fixed with a single line of code.
I might make a pr soon if this isn't fixed.

[EshginGuluzade]

@GideonMax, just wondering what was your workaround for this issue? of course, if your workaround doesn't involve editing *.tgz files)

[roni-berlin]

@thw0rted I've opened this PR for this issue
#7306

[wraithgar]

Fixed by #7321