fix(ui-scripts): route publish-private to the private registry even when ~/.npmrc has an @instructure scope mapping #2560
Draft
balzss wants to merge 1 commit into
…hen ~/.npmrc has an @instructure scope mapping

The publish was leaking to npmjs when the operator's ~/.npmrc had a prior @instructure:registry=https://registry.npmjs.org/ scope mapping (common after a previous `npm login`). The temp .npmrc only set the default `registry=` line, so pnpm's scoped-package resolution found the operator's npmjs mapping first, silently retargeted the publish to npmjs, and the upload failed with ENEEDAUTH against npmjs while the configured private registry never saw the request.

Two defenses:

- Write `@instructure:registry=<INSTUI_PRIVATE_REGISTRY>` into the temp .npmrc, so pnpm's scoped lookup also points at the private registry
- Pass `--registry=<INSTUI_PRIVATE_REGISTRY>` explicitly to both `pnpm publish` and the `pnpm info` already-published check. CLI flags beat every config source, so the publish lands at the right host even if any other config layer behaves unexpectedly

Auth still resolves from the temp .npmrc (matched by host in the `//host/:_authToken=` line).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
920ff40 to
46872f4
Visual regression report: ✅ No changes.
Baselines come from the |
Summary

`ui-scripts publish-private` was routing publishes to npmjs when the operator's `~/.npmrc` had an `@instructure:registry=https://registry.npmjs.org/` mapping (common after any prior `npm login` against npmjs).

The temp `.npmrc` that `publish-private` writes only set the default registry (`registry=...`). It did not set the scoped mapping (`@instructure:registry=...`). pnpm's scoped-package resolution checks the scope-specific mapping first, found the operator's npmjs one (inherited from the operator's `~/.npmrc`), and silently retargeted the publish to npmjs — where auth then failed with `ENEEDAUTH`.

Fix

Two defenses in `packages/ui-scripts/lib/commands/publish-private.js`:

- `@instructure:registry=<INSTUI_PRIVATE_REGISTRY>` to the temp `.npmrc` so pnpm's scoped lookup also points at the private registry. This is the correct fix — it matches the resolution path pnpm actually uses for scoped packages.
- `--registry=<INSTUI_PRIVATE_REGISTRY>` explicitly to `pnpm publish` and `pnpm info`. CLI flags override every config source, so the publish lands at the right host even if some other config layer behaves unexpectedly. Belt-and-suspenders.

Auth still flows through the temp `.npmrc` via `NPM_CONFIG_USERCONFIG`, matched by host in the `//host/:_authToken=` line — unchanged.

Test Plan

- `@instructure:registry=https://registry.npmjs.org/` into a `.npmrc` and pointing `NPM_CONFIG_GLOBALCONFIG` at it. Unpatched `publish-private` routed the publish to npmjs (matching the original failure).
- `publish-private` under the same simulated config routed to the configured `INSTUI_PRIVATE_REGISTRY` instead.
- `@instructure:registry=https://registry.npmjs.org/` in its `~/.npmrc` — confirm the publish lands at the private registry, not npmjs.

🤖 Generated with Claude Code
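The routing failure described in this pull request, modelled as an added example that is not part of the PR or of ui-scripts: a key missing from the temp `.npmrc` is inherited from a lower-precedence file, and the scoped mapping is consulted before the default `registry=` line. This is a simplified per-key layering model, not pnpm's resolver; the function names, the host `npm.private.example`, the package name and the token are constructed for illustration.

```javascript
// Added illustration, not pnpm's resolver; names and the host below are constructed.
function parseNpmrc(text) {
  const config = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

// layers: lowest precedence first. A key missing from a higher layer is
// inherited from a lower one, which is how a stale scope mapping survives.
function effectiveRegistryHost(pkgName, layers) {
  const merged = Object.assign({}, ...layers.map(parseNpmrc));
  const scope = pkgName.startsWith('@') ? pkgName.split('/')[0] : null;
  const url = (scope && merged[`${scope}:registry`]) || merged.registry
    || 'https://registry.npmjs.org/';
  return new URL(url).host;
}

// Temp .npmrc with default registry, scoped mapping and host-matched auth line.
function buildTempNpmrc(registry, token, scope) {
  const href = new URL(registry).href;
  const base = href.endsWith('/') ? href : `${href}/`;
  return [
    `registry=${base}`,
    `${scope}:registry=${base}`,
    `${base.replace(/^https?:/, '')}:_authToken=${token}`,
  ].join('\n');
}

// Pre-publish guard: report whether the resolved host is the private one.
function checkPublishTarget(pkgName, layers, privateRegistry) {
  const actual = effectiveRegistryHost(pkgName, layers);
  const expected = new URL(privateRegistry).host;
  return { ok: actual === expected, actual, expected };
}

// Constructed sample input.
const PRIVATE = 'https://npm.private.example/';
const PKG = '@instructure/example-pkg';
const operatorNpmrc = '@instructure:registry=https://registry.npmjs.org/\n';
const unpatchedTemp = `registry=${PRIVATE}\n//npm.private.example/:_authToken=PLACEHOLDER\n`;
const patchedTemp = buildTempNpmrc(PRIVATE, 'PLACEHOLDER', '@instructure');
console.log(checkPublishTarget(PKG, [operatorNpmrc, unpatchedTemp], PRIVATE));
console.log(checkPublishTarget(PKG, [operatorNpmrc, patchedTemp], PRIVATE));
```

A check of this shape can run before the publish step and abort when `ok` is false, so a misrouted upload is caught before any tarball leaves the machine.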