npm / rfcs

Public change requests/proposals & ideation

[RRFC] Support multiple project npmrc file #641

Open everett1992 opened 1 year ago

everett1992 commented 1 year ago

Motivation ("The Why")

At my workplace npm projects have dynamic project-specific configuration, such as registry and authentication. Previous internal build tools set this configuration in environment NPMCONFIG variables before executing npm, but we want to move to setting this configuration in an npmrc file so IDEs and other tools can read them.

However, we want to separate this dynamic configuration from static configuration (like setting legacy-peer-deps) so static config can be checked into source control while dynamic config can be excluded. So we want two project-specific npmrc files.

Example

There are many ways to implement this idea (a new npmrc location, a `.npmrc.d` directory of files), but I propose a new npm configuration `extends=path/to/file` (naming up for discussion) that adds an additional npmrc file.

```ini
# project .npmrc. Checked into source control.

# project settings
legacy-peer-deps=true

extends=.private-project-npmrc
```

```ini
# .private-project-npmrc. Ignored in source control.

registry=https://private.registry
//private.registry/:_auth=...
```

Ideally `npm config` would be extended to support arbitrary file paths, either under the `--location` arg or another.

How

Current Behaviour

Currently there are project, user, global, and built-in npm configurations. Each location has one file. When projects use different registries or authentication there is contention over changes to the project npmrc, because some values should be checked into source control while others should not, while popular source control systems like git operate on files.

Desired Behaviour

Npm has at least two project-specific npmrc files so one can be checked in while the other is not.

References

nlf commented 1 year ago

if i'm understanding you correctly, i think i would rephrase this feature as supporting includes in config files - not necessarily supporting two project config files. we can maintain the single source of truth as being the .npmrc in the project root, and that file could then include other files from another location. that would accomplish what you're looking for here without us having to actually support multiple files.

the thing to be careful about is where/what those files can be. we would need some way to ensure that a malicious user doesn't do something like extends=/etc/passwd. this could be as simple as requiring a .npmrc extension on the filename, or as complex as only allowing files to be included from specific locations like the project root or the root of the user's home directory.