Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

config: accept auth tokens from environment variables #8

Merged
merged 1 commit into from
Aug 3, 2018

Conversation

mkhl
Copy link
Contributor

@mkhl mkhl commented Jul 12, 2018

As discussed on npm.community, the fact that npm registry authentication tokens cannot be defined using environment variables does not seem justified anymore.

The restriction is caused by the config loader translating

  • all _ to -
  • the whole variable name to lowercase

while the credential checker expects a key ending in :_authToken.

As suggested, this change fixes the problem by limiting the translation by the config loader to the part before the first colon.

Closes npm/npm#15565

@mkhl mkhl requested a review from a team as a code owner July 12, 2018 15:46
@mkhl
Copy link
Contributor Author

mkhl commented Jul 12, 2018

An alternative more limited approach would be to duplicate this block of code that looks for the …:_authToken config key and letting the copy look for …:-authtoken (lowercase and with a hyphen instead of an underscore).

@zkat zkat added semver:major backwards-incompatible breaking changes needs-discussion labels Jul 18, 2018
Copy link
Contributor

@zkat zkat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think we would much rather this be a single special-case for _authToken and nothing else. Could you push that version instead?

As discussed on npm.community[1], the fact that
npm registry authentication tokens
cannot be defined using environment variables
does not seem justified anymore.

The restriction is caused by the config loader translating
* all `_` to `-`
* the whole variable name to lowercase
while the credential checker expects a key ending in `:_authToken`.

This change fixes the problem
by having the credential checker try
a key ending in `:-authtoken` after it tried `:_authToken`.

Closes npm/npm#15565

[1]: https://npm.community/t/cannot-set-npm-config-keys-containing-underscores-registry-auth-tokens-for-example-via-npm-config-environment-variables/233
@mkhl
Copy link
Contributor Author

mkhl commented Jul 23, 2018

Of course, here you go.

Copy link
Contributor

@zkat zkat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! This looks great to me! 🎉

@zkat zkat changed the base branch from latest to release-next July 30, 2018 21:45
@zkat zkat added semver:minor new backwards-compatible feature and removed semver:major backwards-incompatible breaking changes labels Jul 30, 2018
@zkat zkat changed the title config: Only translate environment variables up to the first colon config: accept auth tokens from environment variables Jul 30, 2018
@iarna
Copy link
Contributor

iarna commented Jul 31, 2018

The windows environment is not case sensitive, so we should take care to ensure that this works regardless of the case of the env var. (I've not yet checked to see if this is or isn't addressed yet, I just wanted to make sure this requirement was stated.)

@mkhl
Copy link
Contributor Author

mkhl commented Jul 31, 2018

The windows environment is not case sensitive, so we should take care to ensure that this works regardless of the case of the env var.

Yes, thank you for bringing this up, it is one of the problems this change works around:
The config loader translates all env var names to lower case,
then the credential checker looks for one ending in :_authToken
and fails in part due to the uppercase letter in there.

With this change it also tries :-authtoken, matching the behaviour of the config loader,
and the (already present) translation to lower case should ensure that the case of env var names doesn’t matter.

@zkat zkat merged commit 6e9f04b into npm:release-next Aug 3, 2018
@mkhl mkhl deleted the issue/15565 branch August 3, 2018 16:14
@zkat zkat mentioned this pull request Aug 15, 2018
4 tasks
@zkat zkat mentioned this pull request Aug 29, 2018
4 tasks
@trevorah
Copy link

trevorah commented Jan 29, 2019

This feature is really great, but I can't seem to get it working.
Latest npm:

$ npm --version
6.7.0

env var gets read ok:

$ env "npm_config_//registry.npmjs.org/:_authToken=my-secret-token" npm config ls
; cli configs
metrics-registry = "https://registry.npmjs.org/"
scope = ""
user-agent = "npm/6.7.0 node/v8.12.0 darwin x64"

; environment configs
//registry.npmjs.org/:-authtoken = "my-secret-token"

; userconfig /Users/trevorah/.npmrc
always-auth = true

; builtin config undefined
prefix = "/usr/local"

; node bin location = /usr/local/bin/node
; cwd = /Users/trevorah/Development/something
; HOME = /Users/trevorah
; "npm config ls -l" to show all defaults.

but valid token doesn't get used:

$ env "npm_config_//registry.npmjs.org/:_authToken=my-secret-token" npm whoami
npm ERR! code E401
npm ERR! 401 Unauthorized - GET https://registry.npmjs.org/-/whoami

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/trevorah/.npm/_logs/2019-01-29T16_44_41_403Z-debug.log

Am I doing something wrong?

EDIT:
something may be messing up the tokens, as it behaves differently if auth is completely missing:

$ npm whoami
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/trevorah/.npm/_logs/2019-01-29T16_52_19_586Z-debug.log

@pvdlg
Copy link

pvdlg commented Oct 3, 2019

Another issue is that (at least on OSX with bash) the variable name in invalid:

$ export npm_config_//registry.npmjs.org/:_authToken=my-secret-token

export: `npm_config_//registry.npmjs.org/:_authToken=my-secret-token': not a valid identifier

jasonkarns added a commit to nodenv/node-build that referenced this pull request Nov 29, 2019
Npm's CLI is broken because it doesn't respect the auth token being
provided via the environment when publishing despite npm/cli#8

GitHub's node action is broken because it doesn't respect the scope and
registry config as provided via package.json.

And npmjs.org registry is broken because it doesn't support named
tokens, nor tokens that skip OTP. Ergo, in order to publish via github
actions, my user profile 2fa must be downgraded to auth-only and the
package 2fa must be disabled.

OMFG
BYK added a commit to getsentry/craft that referenced this pull request Dec 2, 2020
This is a retake on #130. Although npm/cli#8 claims to have support
for `npm_config_//registry.npmjs.org/:_authToken=` usage, my tests
and the reports on the internet says this still doesn't work, even
with the latest npm (7.0.15 at the time).

The only way to pass the token is to have the `authToken` line in
an `.npmrc` file. The quick&dirty way would have been to create one
in the project directory but that may collide with a potentially
pre-existing project `.npmrc`. Trying to merge these seems more
trouble than it is worth:
https://github.com/actions/setup-node/blob/59e61b89511ed136a0b17773f07c349fa5c01e8b/src/authutil.ts
(even worse as you'd need to revert these changes after the fact)

The "better" solution I found is:

1. Create a temporary file as your npmrc
2. Put the token/registry line there
3. Tell npm to use that file as the user config
4. Use the `npm_config_userconfig` for the above to support yarn too

This may still fail for yarn, see yarnpkg/yarn#4568.
BYK added a commit to getsentry/craft that referenced this pull request Dec 2, 2020
This is a retake on #130. Although npm/cli#8 claims to have support
for `npm_config_//registry.npmjs.org/:_authToken=` usage, my tests
and the reports on the internet says this still doesn't work, even
with the latest npm (7.0.15 at the time).

The only way to pass the token is to have the `authToken` line in
an `.npmrc` file. The quick&dirty way would have been to create one
in the project directory but that may collide with a potentially
pre-existing project `.npmrc`. Trying to merge these seems more
trouble than it is worth:
https://github.com/actions/setup-node/blob/59e61b89511ed136a0b17773f07c349fa5c01e8b/src/authutil.ts
(even worse as you'd need to revert these changes after the fact)

The "better" solution I found is:

1. Create a temporary file as your npmrc
2. Put the token/registry line there
3. Tell npm to use that file as the user config
4. Use the `npm_config_userconfig` for the above to support yarn too

This may still fail for yarn, see yarnpkg/yarn#4568.
BYK added a commit to getsentry/craft that referenced this pull request Dec 3, 2020
This is a retake on #130. Although npm/cli#8 claims to have support
for `npm_config_//registry.npmjs.org/:_authToken=` usage, my tests
and the reports on the internet says this still doesn't work, even
with the latest npm (7.0.15 at the time).

The only way to pass the token is to have the `authToken` line in
an `.npmrc` file. The quick&dirty way would have been to create one
in the project directory but that may collide with a potentially
pre-existing project `.npmrc`. Trying to merge these seems more
trouble than it is worth:
https://github.com/actions/setup-node/blob/59e61b89511ed136a0b17773f07c349fa5c01e8b/src/authutil.ts
(even worse as you'd need to revert these changes after the fact)

The "better" solution I found is:

1. Create a temporary file as your npmrc
2. Put the token/registry line there
3. Tell npm to use that file as the user config
4. Use the `npm_config_userconfig` for the above to support yarn too
renovate bot added a commit to redwoodjs/redwood that referenced this pull request Nov 16, 2023
[![Mend Renovate logo
banner](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [@npmcli/arborist](https://togithub.com/npm/cli) | [`6.2.10` ->
`6.5.0`](https://renovatebot.com/diffs/npm/@npmcli%2farborist/6.2.10/6.5.0)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@npmcli%2farborist/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@npmcli%2farborist/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@npmcli%2farborist/6.2.10/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@npmcli%2farborist/6.2.10/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>npm/cli (@&#8203;npmcli/arborist)</summary>

### [`v6.5.0`](https://togithub.com/npm/cli/releases/tag/v6.5.0)

[Compare Source](https://togithub.com/npm/cli/compare/v6.4.0...v6.5.0)

##### NEW FEATURES

-
[`fc1a8d185`](https://togithub.com/npm/cli/commit/fc1a8d185fc678cdf3784d9df9eef9094e0b2dec)
Backronym `npm ci` to `npm clean-install`.
([@&#8203;zkat](https://togithub.com/zkat))
-
[`4be51a9cc`](https://togithub.com/npm/cli/commit/4be51a9cc65635bb26fa4ce62233f26e0104bc20)
[#&#8203;81](https://togithub.com/npm/cli/pull/81) Adds 'Homepage' to
outdated --long output.
([@&#8203;jbottigliero](https://togithub.com/jbottigliero))

##### BUGFIXES

-
[`89652cb9b`](https://togithub.com/npm/cli/commit/89652cb9b810f929f5586fc90cc6794d076603fb)
[npm.community#1661](https://npm.community/t/https://npm.community/t/1661)
Fix sign-git-commit options. They were previously totally wrong.
([@&#8203;zkat](https://togithub.com/zkat))
-
[`414f2d1a1`](https://togithub.com/npm/cli/commit/414f2d1a1bdffc02ed31ebb48a43216f284c21d4)
[npm.community#1742](https://npm.community/t/npm-audit-making-non-rfc-compliant-requests-to-server-resulting-in-400-bad-request-pr-with-fix/1742)
Set lowercase headers for npm audit requests.
([@&#8203;maartenba](https://togithub.com/maartenba))
-
[`a34246baf`](https://togithub.com/npm/cli/commit/a34246bafe73218dc9e3090df9ee800451db2c7d)
[#&#8203;75](https://togithub.com/npm/cli/pull/75) Fix `npm edit`
handling of scoped packages.
([@&#8203;larsgw](https://togithub.com/larsgw))\*
[`d3e8a7c72`](https://togithub.com/npm/cli/commit/d3e8a7c7240dd25379a5bcad324a367c58733c73)
[npm.community#2303](https://npm.community/t/npm-ci-logs-success-to-stderr/2303)
Make summary output for `npm ci` go to `stdout`, not `stderr`.
([@&#8203;alopezsanchez](https://togithub.com/alopezsanchez))
-
[`71d8fb4a9`](https://togithub.com/npm/cli/commit/71d8fb4a94d65e1855f6d0c5f2ad2b7c3202e3c4)
[npm.community#1377](https://npm.community/t/unhelpful-error-message-when-publishing-without-logging-in-error-eperm-operation-not-permitted-unlink/1377/3)
Close the file descriptor during publish if exiting upload via an error.
This will prevent strange error messages when the upload fails and make
sure
cleanup happens correctly.
([@&#8203;macdja38](https://togithub.com/macdja38))

##### DOCS UPDATES

-
[`b1a8729c8`](https://togithub.com/npm/cli/commit/b1a8729c80175243fbbeecd164e9ddd378a09a50)
[#&#8203;60](https://togithub.com/npm/cli/pull/60) Mention --otp flag
when prompting for OTP. ([@&#8203;bakkot](https://togithub.com/bakkot))
-
[`bcae4ea81`](https://togithub.com/npm/cli/commit/bcae4ea8173e489a76cc226bbd30dd9eabe21ec6)
[#&#8203;64](https://togithub.com/npm/cli/pull/64) Clarify that git
dependencies use the default branch, not just `master`.
([@&#8203;zckrs](https://togithub.com/zckrs))
-
[`15da82690`](https://togithub.com/npm/cli/commit/15da8269032bf509ade3252978e934f2a61d4499)
[#&#8203;72](https://togithub.com/npm/cli/pull/72) `bash_completion.d`
dir is sometimes found in `/etc` not `/usr/local`.
([@&#8203;RobertKielty](https://togithub.com/RobertKielty))
-
[`8a6ecc793`](https://togithub.com/npm/cli/commit/8a6ecc7936dae2f51638397ff5a1d35cccda5495)
[#&#8203;74](https://togithub.com/npm/cli/pull/74) Update OTP
documentation for `dist-tag add` to clarify `--otp` is needed right now.
([@&#8203;scotttrinh](https://togithub.com/scotttrinh))
-
[`dcc03ec85`](https://togithub.com/npm/cli/commit/dcc03ec858bddd7aa2173b5a86b55c1c2385a2a3)
[#&#8203;82](https://togithub.com/npm/cli/pull/82) Note that `prepare`
runs when installing git dependencies.
([@&#8203;seishun](https://togithub.com/seishun))
-
[`a91a470b7`](https://togithub.com/npm/cli/commit/a91a470b71e08ccf6a75d4fb8c9937789fa8d067)
[#&#8203;83](https://togithub.com/npm/cli/pull/83) Specify that
--dry-run isn't available in older versions of npm publish.
([@&#8203;kjin](https://togithub.com/kjin))
-
[`1b2fabcce`](https://togithub.com/npm/cli/commit/1b2fabccede37242233755961434c52536224de5)
[#&#8203;96](https://togithub.com/npm/cli/pull/96) Fix inline code tag
issue in docs. ([@&#8203;midare](https://togithub.com/midare))
-
[`6cc70cc19`](https://togithub.com/npm/cli/commit/6cc70cc1977e58a3e1ea48e660ffc6b46b390e59)
[#&#8203;68](https://togithub.com/npm/cli/pull/68) Add semver link and a
note on empty string format to `deprecate` doc.
([@&#8203;neverett](https://togithub.com/neverett))
-
[`61dbbb7c3`](https://togithub.com/npm/cli/commit/61dbbb7c3474834031bce88c423850047e8131dc)
Fix semver docs after version update.
([@&#8203;zkat](https://togithub.com/zkat))
-
[`4acd45a3d`](https://togithub.com/npm/cli/commit/4acd45a3d0ce92f9999446226fe7dfb89a90ba2e)
[#&#8203;78](https://togithub.com/npm/cli/pull/78) Correct spelling
across various docs. ([@&#8203;hugovk](https://togithub.com/hugovk))

##### DEPENDENCIES

-
[`4f761283e`](https://togithub.com/npm/cli/commit/4f761283e8896d0ceb5934779005646463a030e8)
`[email protected]` ([@&#8203;zkat](https://togithub.com/zkat))
-
[`3706db0bc`](https://togithub.com/npm/cli/commit/3706db0bcbc306d167bb902362e7f6962f2fe1a1)
[npm.community#1764](https://npm.community/t/crash-invalid-config-key-requested-error/1764)
`[email protected]` ([@&#8203;zkat](https://togithub.com/zkat))
-
[`83c2b117d`](https://togithub.com/npm/cli/commit/83c2b117d0b760d0ea8d667e5e4bdfa6a7a7a8f6)
`[email protected]`
([@&#8203;petkaantonov](https://togithub.com/petkaantonov))
-
[`2702f46bd`](https://togithub.com/npm/cli/commit/2702f46bd7284fb303ca2119d23c52536811d705)
`[email protected]` ([@&#8203;watson](https://togithub.com/watson))
-
[`4db6c3898`](https://togithub.com/npm/cli/commit/4db6c3898b07100e3a324e4aae50c2fab4b93a04)
`[email protected]`:2 ([@&#8203;dawsbot](https://togithub.com/dawbot))
-
[`70bee4f69`](https://togithub.com/npm/cli/commit/70bee4f69bb4ce4e18c48582fe2b48d8b4aba566)
`[email protected]` ([@&#8203;isaacs](https://togithub.com/isaacs))
-
[`e469fd6be`](https://togithub.com/npm/cli/commit/e469fd6be95333dcaa7cf377ca3620994ca8d0de)
`[email protected]`: Fix browser opening under Windows Subsystem for Linux
(WSL). ([@&#8203;thijsputman](https://togithub.com/thijsputman))
-
[`03840dced`](https://togithub.com/npm/cli/commit/03840dced865abdca6e6449ea030962e5b19db0c)
    `[email protected]`  ([@&#8203;iarna](https://togithub.com/iarna))
-
[`161dc0b41`](https://togithub.com/npm/cli/commit/161dc0b4177e76306a0e3b8660b3b496cc3db83b)
`[email protected]`
([@&#8203;petkaantonov](https://togithub.com/petkaantonov))
-
[`bb6f94395`](https://togithub.com/npm/cli/commit/bb6f94395491576ec42996ff6665df225f6b4377)
`[email protected]`:5 ([@&#8203;isaacs](https://togithub.com/isaacs))
-
[`43b1f4c91`](https://togithub.com/npm/cli/commit/43b1f4c91fa1d7b3ebb6aa2d960085e5f3ac7607)
`[email protected]` ([@&#8203;isaacs](https://togithub.com/isaacs))
-
[`ab62afcc4`](https://togithub.com/npm/cli/commit/ab62afcc472de82c479bf91f560a0bbd6a233c80)
`[email protected]`:2 ([@&#8203;isaacs](https://togithub.com/isaacs))
-
[`027f06be3`](https://togithub.com/npm/cli/commit/027f06be35bb09f390e46fcd2b8182539939d1f7)
`[email protected]` ([@&#8203;watson](https://togithub.com/watson))

##### MISCELLANEOUS

-
[`27217dae8`](https://togithub.com/npm/cli/commit/27217dae8adbc577ee9cb323b7cfe9c6b2493aca)
[#&#8203;70](https://togithub.com/npm/cli/pull/70) Automatically audit
dependency licenses for npm itself.
([@&#8203;kemitchell](https://togithub.com/kemitchell))

### [`v6.4.0`](https://togithub.com/npm/cli/releases/tag/v6.4.0)

[Compare Source](https://togithub.com/npm/cli/compare/v6.3.0...v6.4.0)

##### NEW FEATURES

-
[`6e9f04b0b`](https://togithub.com/npm/cli/commit/6e9f04b0baed007169d4e0c341f097cf133debf7)
[npm/cli#8](https://togithub.com/npm/cli/pull/8) Search for
authentication token defined by environment variables by preventing the
translation layer from env variable to npm option from breaking
`:_authToken`. ([@&#8203;mkhl](https://togithub.com/mkhl))
-
[`84bfd23e7`](https://togithub.com/npm/cli/commit/84bfd23e7d6434d30595594723a6e1976e84b022)
[npm/cli#35](https://togithub.com/npm/cli/pull/35) Stop filtering out
non-IPv4 addresses from `local-addrs`, making npm actually use IPv6
addresses when it must.
([@&#8203;valentin2105](https://togithub.com/valentin2105))
-
[`792c8c709`](https://togithub.com/npm/cli/commit/792c8c709dc7a445687aa0c8cba5c50bc4ed83fd)
[npm/cli#31](https://togithub.com/npm/cli/pull/31) configurable audit
level for non-zero exit `npm audit` currently exits with exit code 1 if
any vulnerabilities are found of any level. Add a flag of
`--audit-level` to `npm audit` to allow it to pass if only
vulnerabilities below a certain level are found. Example: `npm audit
--audit-level=high` will exit with 0 if only low or moderate level vulns
are detected. ([@&#8203;lennym](https://togithub.com/lennym))

##### BUGFIXES

-
[`d81146181`](https://togithub.com/npm/cli/commit/d8114618137bb5b9a52a86711bb8dc18bfc8e60c)
[npm/cli#32](https://togithub.com/npm/cli/pull/32) Don't check for
updates to npm when we are updating npm itself.
([@&#8203;olore](https://togithub.com/olore))

##### DEPENDENCY UPDATES

A very special dependency update event! Since the [release of
`[email protected]`](https://togithub.com/nodejs/node-gyp/pull/1521), an
awkward version conflict that was preventing `request` from begin
flattened was resolved. This means two things:

1.  We've cut down the npm tarball size by another 200kb, to 4.6MB
2.  `npm audit` now shows no vulnerabilities for npm itself!

Thanks, [@&#8203;rvagg](https://togithub.com/rvagg)!

-
[`866d776c2`](https://togithub.com/npm/cli/commit/866d776c27f80a71309389aaab42825b2a0916f6)
`[email protected]` ([@&#8203;simov](https://togithub.com/simov))
-
[`f861c2b57`](https://togithub.com/npm/cli/commit/f861c2b579a9d4feae1653222afcefdd4f0e978f)
`[email protected]` ([@&#8203;rvagg](https://togithub.com/rvagg))
-
[`32e6947c6`](https://togithub.com/npm/cli/commit/32e6947c60db865257a0ebc2f7e754fedf7a6fc9)
[npm/cli#39](https://togithub.com/npm/cli/pull/39) `[email protected]`:
REVERT REVERT, newer versions of this library are broken and print ansi
codes even when disabled. ([@&#8203;iarna](https://togithub.com/iarna))
-
[`beb96b92c`](https://togithub.com/npm/cli/commit/beb96b92caf061611e3faafc7ca10e77084ec335)
`[email protected]` ([@&#8203;zkat](https://togithub.com/zkat))
-
[`348fc91ad`](https://togithub.com/npm/cli/commit/348fc91ad223ff91cd7bcf233018ea1d979a2af1)
`[email protected]`: Fixes errors with empty or
string-only license fields.
([@&#8203;Gudahtt](https://togithub.com/Gudahtt))
-
[`e57d34575`](https://togithub.com/npm/cli/commit/e57d3457547ef464828fc6f82ae4750f3e511550)
`[email protected]` ([@&#8203;shesek](https://togithub.com/shesek))
-
[`46f1c6ad4`](https://togithub.com/npm/cli/commit/46f1c6ad4b2fd5b0d7ec879b76b76a70a3a2595c)
`[email protected]` ([@&#8203;isaacs](https://togithub.com/isaacs))
-
[`50df1bf69`](https://togithub.com/npm/cli/commit/50df1bf691e205b9f13e0fff0d51a68772c40561)
`[email protected]` ([@&#8203;iarna](https://togithub.com/iarna))
([@&#8203;Erveon](https://togithub.com/Erveon))
([@&#8203;huochunpeng](https://togithub.com/huochunpeng))

##### DOCUMENTATION

-
[`af98e76ed`](https://togithub.com/npm/cli/commit/af98e76ed96af780b544962aa575585b3fa17b9a)
[npm/cli#34](https://togithub.com/npm/cli/pull/34) Remove `npm publish`
from list of commands not affected by `--dry-run`.
([@&#8203;joebowbeer](https://togithub.com/joebowbeer))
-
[`e2b0f0921`](https://togithub.com/npm/cli/commit/e2b0f092193c08c00f12a6168ad2bd9d6e16f8ce)
[npm/cli#36](https://togithub.com/npm/cli/pull/36) Tweak formatting in
repository field examples.
([@&#8203;noahbenham](https://togithub.com/noahbenham))
-
[`e2346e770`](https://togithub.com/npm/cli/commit/e2346e7702acccefe6d711168c2b0e0e272e194a)
[npm/cli#14](https://togithub.com/npm/cli/pull/14) Used `process.env`
examples to make accessing certain `npm run-scripts` environment
variables more clear. ([@&#8203;mwarger](https://togithub.com/mwarger))

###
[`v6.3.0`](https://togithub.com/npm/cli/blob/HEAD/workspaces/arborist/CHANGELOG.md#630-2023-07-05)

##### Features

-
[`67459e7`](https://togithub.com/npm/cli/commit/67459e7b56a5e8d2b4f8eb3a0487183013c63b99)
[#&#8203;6626](https://togithub.com/npm/cli/pull/6626) add `pkg fix`
subcommand ([@&#8203;wraithgar](https://togithub.com/wraithgar))

##### Bug Fixes

-
[`c61e037`](https://togithub.com/npm/cli/commit/c61e0376408240590bfc712fe9fdadd7dc9a48bc)
[#&#8203;6626](https://togithub.com/npm/cli/pull/6626) use new
load/create syntax for package-json
([@&#8203;wraithgar](https://togithub.com/wraithgar))

##### Dependencies

-
[`b252164`](https://togithub.com/npm/cli/commit/b252164dd5c866bf2d25c96836ad829d4d6909ee)
[#&#8203;6626](https://togithub.com/npm/cli/pull/6626)
`@npmcli/[email protected]`

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/redwoodjs/redwood).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuNDYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
jtoar pushed a commit to redwoodjs/redwood that referenced this pull request Nov 17, 2023
[![Mend Renovate logo
banner](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [@npmcli/arborist](https://togithub.com/npm/cli) | [`6.2.10` ->
`6.5.0`](https://renovatebot.com/diffs/npm/@npmcli%2farborist/6.2.10/6.5.0)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@npmcli%2farborist/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@npmcli%2farborist/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@npmcli%2farborist/6.2.10/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@npmcli%2farborist/6.2.10/6.5.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>npm/cli (@&#8203;npmcli/arborist)</summary>

### [`v6.5.0`](https://togithub.com/npm/cli/releases/tag/v6.5.0)

[Compare Source](https://togithub.com/npm/cli/compare/v6.4.0...v6.5.0)

##### NEW FEATURES

-
[`fc1a8d185`](https://togithub.com/npm/cli/commit/fc1a8d185fc678cdf3784d9df9eef9094e0b2dec)
Backronym `npm ci` to `npm clean-install`.
([@&#8203;zkat](https://togithub.com/zkat))
-
[`4be51a9cc`](https://togithub.com/npm/cli/commit/4be51a9cc65635bb26fa4ce62233f26e0104bc20)
[#&#8203;81](https://togithub.com/npm/cli/pull/81) Adds 'Homepage' to
outdated --long output.
([@&#8203;jbottigliero](https://togithub.com/jbottigliero))

##### BUGFIXES

-
[`89652cb9b`](https://togithub.com/npm/cli/commit/89652cb9b810f929f5586fc90cc6794d076603fb)
[npm.community#1661](https://npm.community/t/https://npm.community/t/1661)
Fix sign-git-commit options. They were previously totally wrong.
([@&#8203;zkat](https://togithub.com/zkat))
-
[`414f2d1a1`](https://togithub.com/npm/cli/commit/414f2d1a1bdffc02ed31ebb48a43216f284c21d4)
[npm.community#1742](https://npm.community/t/npm-audit-making-non-rfc-compliant-requests-to-server-resulting-in-400-bad-request-pr-with-fix/1742)
Set lowercase headers for npm audit requests.
([@&#8203;maartenba](https://togithub.com/maartenba))
-
[`a34246baf`](https://togithub.com/npm/cli/commit/a34246bafe73218dc9e3090df9ee800451db2c7d)
[#&#8203;75](https://togithub.com/npm/cli/pull/75) Fix `npm edit`
handling of scoped packages.
([@&#8203;larsgw](https://togithub.com/larsgw))\*
[`d3e8a7c72`](https://togithub.com/npm/cli/commit/d3e8a7c7240dd25379a5bcad324a367c58733c73)
[npm.community#2303](https://npm.community/t/npm-ci-logs-success-to-stderr/2303)
Make summary output for `npm ci` go to `stdout`, not `stderr`.
([@&#8203;alopezsanchez](https://togithub.com/alopezsanchez))
-
[`71d8fb4a9`](https://togithub.com/npm/cli/commit/71d8fb4a94d65e1855f6d0c5f2ad2b7c3202e3c4)
[npm.community#1377](https://npm.community/t/unhelpful-error-message-when-publishing-without-logging-in-error-eperm-operation-not-permitted-unlink/1377/3)
Close the file descriptor during publish if exiting upload via an error.
This will prevent strange error messages when the upload fails and make
sure
cleanup happens correctly.
([@&#8203;macdja38](https://togithub.com/macdja38))

##### DOCS UPDATES

-
[`b1a8729c8`](https://togithub.com/npm/cli/commit/b1a8729c80175243fbbeecd164e9ddd378a09a50)
[#&#8203;60](https://togithub.com/npm/cli/pull/60) Mention --otp flag
when prompting for OTP. ([@&#8203;bakkot](https://togithub.com/bakkot))
-
[`bcae4ea81`](https://togithub.com/npm/cli/commit/bcae4ea8173e489a76cc226bbd30dd9eabe21ec6)
[#&#8203;64](https://togithub.com/npm/cli/pull/64) Clarify that git
dependencies use the default branch, not just `master`.
([@&#8203;zckrs](https://togithub.com/zckrs))
-
[`15da82690`](https://togithub.com/npm/cli/commit/15da8269032bf509ade3252978e934f2a61d4499)
[#&#8203;72](https://togithub.com/npm/cli/pull/72) `bash_completion.d`
dir is sometimes found in `/etc` not `/usr/local`.
([@&#8203;RobertKielty](https://togithub.com/RobertKielty))
-
[`8a6ecc793`](https://togithub.com/npm/cli/commit/8a6ecc7936dae2f51638397ff5a1d35cccda5495)
[#&#8203;74](https://togithub.com/npm/cli/pull/74) Update OTP
documentation for `dist-tag add` to clarify `--otp` is needed right now.
([@&#8203;scotttrinh](https://togithub.com/scotttrinh))
-
[`dcc03ec85`](https://togithub.com/npm/cli/commit/dcc03ec858bddd7aa2173b5a86b55c1c2385a2a3)
[#&#8203;82](https://togithub.com/npm/cli/pull/82) Note that `prepare`
runs when installing git dependencies.
([@&#8203;seishun](https://togithub.com/seishun))
-
[`a91a470b7`](https://togithub.com/npm/cli/commit/a91a470b71e08ccf6a75d4fb8c9937789fa8d067)
[#&#8203;83](https://togithub.com/npm/cli/pull/83) Specify that
--dry-run isn't available in older versions of npm publish.
([@&#8203;kjin](https://togithub.com/kjin))
-
[`1b2fabcce`](https://togithub.com/npm/cli/commit/1b2fabccede37242233755961434c52536224de5)
[#&#8203;96](https://togithub.com/npm/cli/pull/96) Fix inline code tag
issue in docs. ([@&#8203;midare](https://togithub.com/midare))
-
[`6cc70cc19`](https://togithub.com/npm/cli/commit/6cc70cc1977e58a3e1ea48e660ffc6b46b390e59)
[#&#8203;68](https://togithub.com/npm/cli/pull/68) Add semver link and a
note on empty string format to `deprecate` doc.
([@&#8203;neverett](https://togithub.com/neverett))
-
[`61dbbb7c3`](https://togithub.com/npm/cli/commit/61dbbb7c3474834031bce88c423850047e8131dc)
Fix semver docs after version update.
([@&#8203;zkat](https://togithub.com/zkat))
-
[`4acd45a3d`](https://togithub.com/npm/cli/commit/4acd45a3d0ce92f9999446226fe7dfb89a90ba2e)
[#&#8203;78](https://togithub.com/npm/cli/pull/78) Correct spelling
across various docs. ([@&#8203;hugovk](https://togithub.com/hugovk))

##### DEPENDENCIES

-
[`4f761283e`](https://togithub.com/npm/cli/commit/4f761283e8896d0ceb5934779005646463a030e8)
`[email protected]` ([@&#8203;zkat](https://togithub.com/zkat))
-
[`3706db0bc`](https://togithub.com/npm/cli/commit/3706db0bcbc306d167bb902362e7f6962f2fe1a1)
[npm.community#1764](https://npm.community/t/crash-invalid-config-key-requested-error/1764)
`[email protected]` ([@&#8203;zkat](https://togithub.com/zkat))
-
[`83c2b117d`](https://togithub.com/npm/cli/commit/83c2b117d0b760d0ea8d667e5e4bdfa6a7a7a8f6)
`[email protected]`
([@&#8203;petkaantonov](https://togithub.com/petkaantonov))
-
[`2702f46bd`](https://togithub.com/npm/cli/commit/2702f46bd7284fb303ca2119d23c52536811d705)
`[email protected]` ([@&#8203;watson](https://togithub.com/watson))
-
[`4db6c3898`](https://togithub.com/npm/cli/commit/4db6c3898b07100e3a324e4aae50c2fab4b93a04)
`[email protected]`:2 ([@&#8203;dawsbot](https://togithub.com/dawbot))
-
[`70bee4f69`](https://togithub.com/npm/cli/commit/70bee4f69bb4ce4e18c48582fe2b48d8b4aba566)
`[email protected]` ([@&#8203;isaacs](https://togithub.com/isaacs))
-
[`e469fd6be`](https://togithub.com/npm/cli/commit/e469fd6be95333dcaa7cf377ca3620994ca8d0de)
`[email protected]`: Fix browser opening under Windows Subsystem for Linux
(WSL). ([@&#8203;thijsputman](https://togithub.com/thijsputman))
-
[`03840dced`](https://togithub.com/npm/cli/commit/03840dced865abdca6e6449ea030962e5b19db0c)
    `[email protected]`  ([@&#8203;iarna](https://togithub.com/iarna))
-
[`161dc0b41`](https://togithub.com/npm/cli/commit/161dc0b4177e76306a0e3b8660b3b496cc3db83b)
`[email protected]`
([@&#8203;petkaantonov](https://togithub.com/petkaantonov))
-
[`bb6f94395`](https://togithub.com/npm/cli/commit/bb6f94395491576ec42996ff6665df225f6b4377)
`[email protected]`:5 ([@&#8203;isaacs](https://togithub.com/isaacs))
-
[`43b1f4c91`](https://togithub.com/npm/cli/commit/43b1f4c91fa1d7b3ebb6aa2d960085e5f3ac7607)
`[email protected]` ([@&#8203;isaacs](https://togithub.com/isaacs))
-
[`ab62afcc4`](https://togithub.com/npm/cli/commit/ab62afcc472de82c479bf91f560a0bbd6a233c80)
`[email protected]`:2 ([@&#8203;isaacs](https://togithub.com/isaacs))
-
[`027f06be3`](https://togithub.com/npm/cli/commit/027f06be35bb09f390e46fcd2b8182539939d1f7)
`[email protected]` ([@&#8203;watson](https://togithub.com/watson))

##### MISCELLANEOUS

-
[`27217dae8`](https://togithub.com/npm/cli/commit/27217dae8adbc577ee9cb323b7cfe9c6b2493aca)
[#&#8203;70](https://togithub.com/npm/cli/pull/70) Automatically audit
dependency licenses for npm itself.
([@&#8203;kemitchell](https://togithub.com/kemitchell))

### [`v6.4.0`](https://togithub.com/npm/cli/releases/tag/v6.4.0)

[Compare Source](https://togithub.com/npm/cli/compare/v6.3.0...v6.4.0)

##### NEW FEATURES

-
[`6e9f04b0b`](https://togithub.com/npm/cli/commit/6e9f04b0baed007169d4e0c341f097cf133debf7)
[npm/cli#8](https://togithub.com/npm/cli/pull/8) Search for
authentication token defined by environment variables by preventing the
translation layer from env variable to npm option from breaking
`:_authToken`. ([@&#8203;mkhl](https://togithub.com/mkhl))
-
[`84bfd23e7`](https://togithub.com/npm/cli/commit/84bfd23e7d6434d30595594723a6e1976e84b022)
[npm/cli#35](https://togithub.com/npm/cli/pull/35) Stop filtering out
non-IPv4 addresses from `local-addrs`, making npm actually use IPv6
addresses when it must.
([@&#8203;valentin2105](https://togithub.com/valentin2105))
-
[`792c8c709`](https://togithub.com/npm/cli/commit/792c8c709dc7a445687aa0c8cba5c50bc4ed83fd)
[npm/cli#31](https://togithub.com/npm/cli/pull/31) configurable audit
level for non-zero exit `npm audit` currently exits with exit code 1 if
any vulnerabilities are found of any level. Add a flag of
`--audit-level` to `npm audit` to allow it to pass if only
vulnerabilities below a certain level are found. Example: `npm audit
--audit-level=high` will exit with 0 if only low or moderate level vulns
are detected. ([@&#8203;lennym](https://togithub.com/lennym))

##### BUGFIXES

-
[`d81146181`](https://togithub.com/npm/cli/commit/d8114618137bb5b9a52a86711bb8dc18bfc8e60c)
[npm/cli#32](https://togithub.com/npm/cli/pull/32) Don't check for
updates to npm when we are updating npm itself.
([@&#8203;olore](https://togithub.com/olore))

##### DEPENDENCY UPDATES

A very special dependency update event! Since the [release of
`[email protected]`](https://togithub.com/nodejs/node-gyp/pull/1521), an
awkward version conflict that was preventing `request` from begin
flattened was resolved. This means two things:

1.  We've cut down the npm tarball size by another 200kb, to 4.6MB
2.  `npm audit` now shows no vulnerabilities for npm itself!

Thanks, [@&#8203;rvagg](https://togithub.com/rvagg)!

-
[`866d776c2`](https://togithub.com/npm/cli/commit/866d776c27f80a71309389aaab42825b2a0916f6)
`[email protected]` ([@&#8203;simov](https://togithub.com/simov))
-
[`f861c2b57`](https://togithub.com/npm/cli/commit/f861c2b579a9d4feae1653222afcefdd4f0e978f)
`[email protected]` ([@&#8203;rvagg](https://togithub.com/rvagg))
-
[`32e6947c6`](https://togithub.com/npm/cli/commit/32e6947c60db865257a0ebc2f7e754fedf7a6fc9)
[npm/cli#39](https://togithub.com/npm/cli/pull/39) `[email protected]`:
REVERT REVERT, newer versions of this library are broken and print ansi
codes even when disabled. ([@&#8203;iarna](https://togithub.com/iarna))
-
[`beb96b92c`](https://togithub.com/npm/cli/commit/beb96b92caf061611e3faafc7ca10e77084ec335)
`[email protected]` ([@&#8203;zkat](https://togithub.com/zkat))
-
[`348fc91ad`](https://togithub.com/npm/cli/commit/348fc91ad223ff91cd7bcf233018ea1d979a2af1)
`[email protected]`: Fixes errors with empty or
string-only license fields.
([@&#8203;Gudahtt](https://togithub.com/Gudahtt))
-
[`e57d34575`](https://togithub.com/npm/cli/commit/e57d3457547ef464828fc6f82ae4750f3e511550)
`[email protected]` ([@&#8203;shesek](https://togithub.com/shesek))
-
[`46f1c6ad4`](https://togithub.com/npm/cli/commit/46f1c6ad4b2fd5b0d7ec879b76b76a70a3a2595c)
`[email protected]` ([@&#8203;isaacs](https://togithub.com/isaacs))
-
[`50df1bf69`](https://togithub.com/npm/cli/commit/50df1bf691e205b9f13e0fff0d51a68772c40561)
`[email protected]` ([@&#8203;iarna](https://togithub.com/iarna))
([@&#8203;Erveon](https://togithub.com/Erveon))
([@&#8203;huochunpeng](https://togithub.com/huochunpeng))

##### DOCUMENTATION

-
[`af98e76ed`](https://togithub.com/npm/cli/commit/af98e76ed96af780b544962aa575585b3fa17b9a)
[npm/cli#34](https://togithub.com/npm/cli/pull/34) Remove `npm publish`
from list of commands not affected by `--dry-run`.
([@&#8203;joebowbeer](https://togithub.com/joebowbeer))
-
[`e2b0f0921`](https://togithub.com/npm/cli/commit/e2b0f092193c08c00f12a6168ad2bd9d6e16f8ce)
[npm/cli#36](https://togithub.com/npm/cli/pull/36) Tweak formatting in
repository field examples.
([@&#8203;noahbenham](https://togithub.com/noahbenham))
-
[`e2346e770`](https://togithub.com/npm/cli/commit/e2346e7702acccefe6d711168c2b0e0e272e194a)
[npm/cli#14](https://togithub.com/npm/cli/pull/14) Used `process.env`
examples to make accessing certain `npm run-scripts` environment
variables more clear. ([@&#8203;mwarger](https://togithub.com/mwarger))

###
[`v6.3.0`](https://togithub.com/npm/cli/blob/HEAD/workspaces/arborist/CHANGELOG.md#630-2023-07-05)

##### Features

-
[`67459e7`](https://togithub.com/npm/cli/commit/67459e7b56a5e8d2b4f8eb3a0487183013c63b99)
[#&#8203;6626](https://togithub.com/npm/cli/pull/6626) add `pkg fix`
subcommand ([@&#8203;wraithgar](https://togithub.com/wraithgar))

##### Bug Fixes

-
[`c61e037`](https://togithub.com/npm/cli/commit/c61e0376408240590bfc712fe9fdadd7dc9a48bc)
[#&#8203;6626](https://togithub.com/npm/cli/pull/6626) use new
load/create syntax for package-json
([@&#8203;wraithgar](https://togithub.com/wraithgar))

##### Dependencies

-
[`b252164`](https://togithub.com/npm/cli/commit/b252164dd5c866bf2d25c96836ad829d4d6909ee)
[#&#8203;6626](https://togithub.com/npm/cli/pull/6626)
`@npmcli/[email protected]`

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/redwoodjs/redwood).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40Ni4wIiwidXBkYXRlZEluVmVyIjoiMzcuNDYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
semver:minor new backwards-compatible feature
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants