sindresorhus / registry-url

Get the set npm registry URL
MIT License

Remove dependency on rc package #20

Open bwbuchanan opened 2 years ago

bwbuchanan commented 2 years ago

The package depends on the unmaintained "rc" package, recently compromised on npm.

It would be great if this dependency could be eliminated. At a minimum, unmaintained dependencies ought to be pinned to an exact version number to help mitigate supply chain attacks.

bwbuchanan commented 2 years ago

registry-auth-token successfully removed this dependency: https://github.com/rexxars/registry-auth-token/issues/39

silverwind commented 2 years ago

Consider not using @pnpm/npm-conf as per https://github.com/rexxars/registry-auth-token/issues/39#issuecomment-1171928845.

Kytech commented 2 years ago

If you want some more context in deciding whether using @pnpm/npm-conf makes sense for this project and why registry-auth-token is currently using it, see my follow-up comment on the issue in registry-auth-token that describes the thought process behind the change. (I am the original PR author of the changes that moved registry-auth-token off of rc to PNPM's package)

fregante commented 3 months ago

I think this is the official way to load .npmrc: https://github.com/npm/cli/tree/4e81a6a4106e4e125b0eefda042b75cfae0a5f23/workspaces/config

But I reckon it’s just an INI file so it can be read with npm’s own ini package after locating it: https://github.com/npm/ini

silverwind commented 3 months ago

@npmcli/config looks too overengineered to me, some simple ini parser will probably be best. Stuff like auth parsing will be a bit more involved. BTW I don't see an issue still depending on rc as long as the version is locked down, but a more modern parser package will be better.

fregante commented 3 months ago

a more modern parser package will be better.

So we agree 😅

The problem is just that it's outdated and so are its subdependencies. Since it's reading npm config, it makes sense to use the same logic npm uses. I suppose the package by pnpm is good enough though and also used by registry-auth-token so it would be deduped where both packages are used.

silverwind commented 3 months ago

From what I understand, the requirements to parse npmrc are:

Honestly, this is probably 10 lines of code at most.

Bun also has an implementation of this parser, might be good to check how they do it.