Description
When running agentcore create in corporate/enterprise environments that use private npm registries (e.g., Nexus, Artifactory), the generated CDK project's package.json can reference dependency versions that are quarantined or unavailable in the internal registry. This causes npm install to fail with 403 errors during project scaffolding, and there's currently no way to influence the generated package.json before install runs.
Use Case:
Organizations using proxied npm registries with firewall policies that quarantine unreviewed package versions will hit failures during agentcore create. The CDK project template may pull in transitive dependencies that are blocked by the internal registry. The entire project creation fails at the npm install step with:
npm error 403 Requested item is quarantined
Currently there is no way to specify overrides, resolutions, or pin specific dependency versions before the install runs.
Proposed Solution
Add support for one or more of the following:
- A
--npm-overrides flag (or config file option) that injects overrides / resolutions into the generated package.json before npm install executes.
- A
--skip-install flag that creates the project scaffolding without running npm install, allowing users to modify package.json before installing manually.
- Support for a user-level or project-level config file (e.g.,
.agentcorerc) where registry-specific constraints can be defined and applied to all generated projects.
Acceptance Criteria
Additional Context
This is likely a common pain point for any enterprise team using agentcore-cli behind a corporate registry proxy. A --skip-install flag alone would be a low-effort, high-impact improvement.
Description
When running
agentcore createin corporate/enterprise environments that use private npm registries (e.g., Nexus, Artifactory), the generated CDK project'spackage.jsoncan reference dependency versions that are quarantined or unavailable in the internal registry. This causesnpm installto fail with 403 errors during project scaffolding, and there's currently no way to influence the generatedpackage.jsonbefore install runs.Use Case:
Organizations using proxied npm registries with firewall policies that quarantine unreviewed package versions will hit failures during
agentcore create. The CDK project template may pull in transitive dependencies that are blocked by the internal registry. The entire project creation fails at thenpm installstep with:Currently there is no way to specify overrides, resolutions, or pin specific dependency versions before the install runs.
Proposed Solution
Add support for one or more of the following:
--npm-overridesflag (or config file option) that injectsoverrides/resolutionsinto the generatedpackage.jsonbeforenpm installexecutes.--skip-installflag that creates the project scaffolding without runningnpm install, allowing users to modifypackage.jsonbefore installing manually..agentcorerc) where registry-specific constraints can be defined and applied to all generated projects.Acceptance Criteria
agentcore create --skip-installgenerates the full project scaffolding without executingnpm installoruv sync.agentcore create --npm-overrides '{"<package>": "<version>"}'(or equivalent syntax) injects the provided overrides into the generatedpackage.jsonbeforenpm installruns.overridesfield in the generatedpackage.jsonis valid and correctly merged if the template already contains overrides.--skip-installand--npm-overridesflags are documented inagentcore create --help.npm installanduv syncstill run by default.Additional Context
This is likely a common pain point for any enterprise team using agentcore-cli behind a corporate registry proxy. A
--skip-installflag alone would be a low-effort, high-impact improvement.