oven-sh / bun

Incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one
https://bun.sh

bun install prints npmrc registry authentication credentials when npmrc options can't be parsed #14444

Open nelsonleblanc-rl opened 3 weeks ago

nelsonleblanc-rl commented 3 weeks ago

What version of Bun is running?

1.1.30+7996d06b8

What platform is your computer?

Darwin 23.6.0 arm64 arm

This also happens on Linux / amd64

What steps can reproduce the bug?

Running bun install prints npm registry authentication credentials when an .npmrc has registry options without an associated registry definition.

.npmrc example (redacted):

always-auth=true
registry=https://registry.********.***/*********/api/npm/npm-virtual/
//registry.********.***/*********/api/npm/npm-virtual/:_auth=${{inputs.npm_token}}
//legacy_registry.**.***/*********/api/npm/**************-npm-virtual/:_auth=${{inputs.npm_token}}
//legacy_registry.**.***/*********/**************/api/npm/**************-npm/:_auth=${{inputs.npm_token}}

Our .npmrc exists this way to support when a legacy registry needs to be used.

What is the expected behavior?

  1. Redact the auth values when warning/errors are printed
  2. Parse the aforementioned configuration file without throwing a warning

What do you see instead?

Bun prints a warning with the auth value when bun install is executed:

4 | pi/npm/***********-npm-virtual/:_auth=SUPER_SECRET_TOKEN
                                                                                    ^
warn: The following .npmrc registry option was not applied:

  //legacy_registry.*****.***/***********/api/npm/********-npm-virtual/:_auth=***

Because we couldn't find the registry: legacy_registry.*****.***/*********/api/npm/**********-npm-virtual/.
   at /home/user/.npmrc:4:81

Additional information

No response

Taoister39 commented 2 weeks ago

I also encountered the same problem

seitbekir commented 2 weeks ago

It seems like it ignores the CA file.

mrbrianevans commented 2 weeks ago

I'm getting couldn't find the registry for the standard registry.npmjs.org. Why wouldn't that be recognised?

Full message:

1 | //registry.npmjs.org/:_authToken=npm_alsjdflkasjdhflaksjdhflaksjdhflkajs
                                     ^
warn: The following .npmrc registry option was not applied:

  //registry.npmjs.org/:_authToken=npm_alsjdflkasjdhflaksjdhflaksjdhflkajs

Because we couldn't find the registry: registry.npmjs.org/.
   at /home/username/.npmrc:1:34
bun install v1.1.30-canary.149 (7996d06b)

Checked 1 install across 2 packages (no changes) [3.00ms]

I'm sure this used to work no problem, broke in a recent release (last few months).

davidmatter commented 1 week ago

In one of my projects it works when I use https://... instead of //... But that notation doesn't work for (p)npm

hyrious commented 6 days ago

This might be a bug in bun where it incorrectly understands .npmrc. The npm cli strips _authToken's schema part by intention:

https://github.com/npm/cli/blob/780afc50e3a345feb1871a28e33fa48235bc3bd5/workspaces/config/lib/index.js#L396-L399

What it does is basically 1) grab the registry URL, 2) use the schema-less part (where it calls nerf) to match the token key, and extract the token.

dylan-conway commented 12 hours ago

#14919 closes this issue and will be included in the v1.1.34 release tomorrow. The "Because we couldn't find the registry" warning has been fixed/removed, and bun will replace secrets with * if included in a log.
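
An added example, not part of any comment in this thread and not Bun's or npm's code: a small .npmrc reader that matches credentials to the configured registry by its scheme-less key, as hyrious describes, and masks `_auth`, `_authToken` and `_password` values before an unused option is reported, as the issue requests. The hosts, token values and function names are constructed for illustration.

```javascript
// Added example: hosts, tokens and function names below are constructed.
const SECRET_KEY = /^((?:\/\/[^=]*:)?(?:_authToken|_auth|_password)\s*=\s*).+$/;

// Mask the value of a credential line before it reaches a log or warning.
function redactLine(line) {
  return line.replace(SECRET_KEY, "$1***");
}

// Scheme-less, directory-normalised form of a registry URL (the "nerfed" key).
function nerf(url) {
  const u = new URL(url);
  const dir = new URL(".", `${u.protocol}//${u.host}${u.pathname}`);
  return `//${dir.host}${dir.pathname}`;
}

// Minimal key=value reader: skips blank lines and '#' / ';' comments.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || line.startsWith(";") || eq < 0) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim(), line });
  }
  return entries;
}

// Pick the credential for the configured registry; options scoped to any other
// registry are reported as warnings with the secret masked.
function resolveAuth(text) {
  const entries = parseNpmrc(text);
  const registry = entries.find((e) => e.key === "registry")?.value ?? "https://registry.npmjs.org/";
  const prefix = nerf(registry);
  let token = null;
  const warnings = [];
  for (const e of entries.filter((x) => x.key.startsWith("//"))) {
    if (e.key === `${prefix}:_authToken` || e.key === `${prefix}:_auth`) token = e.value;
    else if (!e.key.startsWith(`${prefix}:`)) warnings.push(`unused registry option: ${redactLine(e.line)}`);
  }
  return { registry, prefix, token, warnings };
}

// Constructed sample modelled on the shape of the .npmrc in the report.
const SAMPLE_NPMRC = [
  "always-auth=true",
  "registry=https://registry.example.test/api/npm/npm-virtual/",
  "//registry.example.test/api/npm/npm-virtual/:_authToken=CONSTRUCTED_TOKEN_A",
  "//legacy.example.test/api/npm/legacy-virtual/:_auth=CONSTRUCTED_TOKEN_B",
].join("\n");
console.log(resolveAuth(SAMPLE_NPMRC).warnings.join("\n"));
```

The same masking function can be applied to any line of an .npmrc before it is echoed in CI output, independent of whether the option was applied.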

nelsonleblanc-rl commented 8 hours ago

Thanks Dylan!