Open everett1992 opened 1 year ago
if i'm understanding you correctly, i think i would rephrase this feature as supporting includes in config files - not necessarily supporting two project config files. we can maintain the single source of truth as being the .npmrc in the project root, and that file could then include other files from another location. that would accomplish what you're looking for here without us having to actually support multiple files.
the thing to be careful about is where/what those files can be. we would need some way to ensure that a malicious user doesn't do something like extends=/etc/passwd. this could be as simple as requiring a .npmrc extension on the filename, or as complex as only allowing files to be included from specific locations like the project root or the root of the user's home directory.
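The two checks described in the comment above (filename suffix and allowed locations), sketched as an added example that is not npm's code and not part of the thread. `extends` is only the proposed key; `resolveExtends`, the fixture files and the choice to accept anything beneath an allowed root are assumptions.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: validate the target of a proposed `extends=` key.
// Returns the canonical file to load, or throws.
function resolveExtends(value, projectRoot, allowedRoots) {
  // Resolve relative targets against the project root, not process.cwd().
  const candidate = path.resolve(projectRoot, value);
  // Canonicalise first so ".." segments and symlinks cannot dodge the checks.
  const real = fs.realpathSync(candidate); // throws if the file is missing
  if (!fs.statSync(real).isFile() || !path.basename(real).endsWith('.npmrc')) {
    throw new Error(`extends target is not a .npmrc file: ${value}`);
  }
  const inside = allowedRoots.some((root) => {
    const rel = path.relative(fs.realpathSync(root), real);
    return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
  });
  if (!inside) throw new Error(`extends target is outside allowed roots: ${value}`);
  return real;
}

// Constructed fixture: a project dir and an unrelated dir under the OS temp dir.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'npmrc-extends-'));
  const project = path.join(base, 'project');
  const outside = path.join(base, 'outside');
  fs.mkdirSync(project);
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(project, '.local.npmrc'), 'registry=https://registry.example.test/\n');
  fs.writeFileSync(path.join(outside, 'other.npmrc'), 'registry=https://other.example.test/\n');
  fs.writeFileSync(path.join(outside, 'notes.txt'), 'not a config file\n');
  fs.symlinkSync(path.join(outside, 'other.npmrc'), path.join(project, 'link.npmrc'));

  const verdict = (value) => {
    try { resolveExtends(value, project, [project]); return 'allowed'; }
    catch (err) { return 'rejected'; }
  };
  const results = {
    local: verdict('.local.npmrc'),
    wrongName: verdict('../outside/notes.txt'),
    traversal: verdict('../outside/other.npmrc'),
    symlink: verdict('link.npmrc'),
    absolute: verdict(path.join(outside, 'other.npmrc')),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

The symlink case passes a suffix-only check, since both the link and its target end in .npmrc; it is rejected only because containment is tested on the canonical path.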
Motivation ("The Why")
At my workplace npm projects have dynamic project-specific configuration - such as registry and authentication. Previous internal build tools set this configuration in environment NPMCONFIG variables before executing npm, but we want to move to setting this configuration in a npmrc file so IDEs and other tools can read them.
However we want to separate this dynamic configuration from static configuration (like setting legacy-peer-deps) so static config can be checked into source control while dynamic config can be excluded. So we want two project specific npmrc files.
Example
There are many ways to implement this idea, a new npmrc location, a .npmrc.d directory of files, but I propose a new npm configuration extends=path/to/file (naming up for discussion) that adds an additional npmrc file. Ideally npm config would be extended to support arbitrary file paths, either under the --location arg or another.
How
Current Behaviour
Currently there are project, user, global, and built-in npm configurations. Each location has one file. When projects use different registries or authentication there is contention over changes to the project npmrc because some values should be checked into source control while others should not, while popular source control systems like git operate on files.
Desired Behaviour
npm has at least two project-specific npmrc files so one can be checked in while the other is not.