fix(npm-publish): Allows disabling of strict SSL checks #2952

Merged
merged 1 commit into from
Oct 9, 2022

Contributor

@10hendersonm 10hendersonm commented Jul 23, 2021

Description

Alias strict-ssl npm configuration setting to strictSSL publish opts.

Motivation and Context

Since lerna 4, npm_config_strict_ssl=false is not respected by the publish process. My team publishes to an internal private registry for CI builds to avoid polluting our npm view [package] versions unnecessarily, but we don't (currently?) have SSL working on that garbage heap.

While strict-ssl is resolved out of environment and npm settings in @lerna/npm-conf, there's nothing downstream looking for that. libnpmpublish passes all extra arguments directly down to npm-registry-fetch, but npm-registry-fetch is reading for strictSSL rather than strict-ssl.

closes #2942

How Has This Been Tested?

I monkey patched* the changes into a monorepo I was previously unable to publish to our private registry.

Prior to implementing the changes, adding npm_config_strict_ssl=false either A) prepended on the command line (npm_config_strict_ssl=false npx lerna publish ....) as environment; or B) applied in a root-level .npmrc file would have no impact. This can be validated by running the lerna command in VS Code's JavaScript Debug Terminal and placing a breakpoint on this line:

return otplease((innerOpts) => publish(manifest, tarData, innerOpts), opts, otpCache).catch((err) => {

When in the un-aliased state, the opts / innerOpts will still show a strict-ssl value, but if you Go to Definition or step into libnpmpublish's publish method and follow down through to npm-registry-fetch's default export method, you'll find that it's passing the opts.strictSSL property through to make-fetch-happen's fetch method:

https://github.com/npm/npm-registry-fetch/blob/8954f61d8d703e5eb7f3d93c9b40488f8b1b62ac/index.js#L126

After implementing the alias change to npm-publish.js and re-running, the breakpoint will now show strict-ssl AND strictSSL in the opts. You can follow them down the function calls and see the value get passed correctly all the way to fetch.

I've included a unit test to validate this functionality performs the aliasing as expected.

* You could probably do the same with npm link. I just forgot to.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
    • A number of tests failed because I am Marty Henderson, not Git McGitterson
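
The option-name mismatch described in this pull request, modelled as an added JavaScript example (not part of the original post, and not lerna or npm code). `downstreamVerifiesTls`, `toBool`, `aliasStrictSsl` and `compare` are hypothetical stand-ins, the string coercion is an assumption, and the registry URL is constructed.

```javascript
// Added illustration: every function here is a hypothetical stand-in,
// not code from lerna, libnpmpublish or npm-registry-fetch.

// Models a fetch layer that reads only the camelCase key and verifies
// certificates unless strictSSL is explicitly false.
function downstreamVerifiesTls(opts) {
  const merged = { strictSSL: true, ...opts };
  return merged.strictSSL !== false;
}

// Assumption: the setting may arrive as a boolean (parsed .npmrc) or as a
// string (npm_config_strict_ssl environment variable).
function toBool(value) {
  if (typeof value === "boolean") return value;
  if (typeof value === "string") {
    const v = value.trim().toLowerCase();
    if (v === "false") return false;
    if (v === "true") return true;
  }
  return undefined; // unset or unrecognized: leave the secure default alone
}

// Copies "strict-ssl" to strictSSL. An explicit strictSSL already on the
// options wins, and an unparseable value never disables verification.
function aliasStrictSsl(conf) {
  const aliased = toBool(conf["strict-ssl"]);
  if (aliased === undefined || "strictSSL" in conf) return { ...conf };
  return { ...conf, strictSSL: aliased };
}

// Effective certificate verification without and with the alias.
function compare(conf) {
  return {
    unaliased: downstreamVerifiesTls(conf),
    aliased: downstreamVerifiesTls(aliasStrictSsl(conf)),
  };
}

// Constructed sample configurations for a constructed internal registry.
const registry = "https://registry.example.internal/";
for (const value of [false, "false", "maybe", undefined]) {
  const conf = { registry, "strict-ssl": value };
  console.log(JSON.stringify(value), compare(conf));
}
```

The `unaliased` result stays `true` for every input, which is the behaviour the description reports: the setting is present in the options, but nothing downstream reads it under that name.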

@10hendersonm 10hendersonm marked this pull request as ready for review July 23, 2021 14:57
@planetmalone

This is happening for all commands. It might be worth elevating this to a root configuration or at least adding it as an option for each command if we want to be able to pick and choose when to use it.

Also, this PR is 8 months old. Can we get someone to review it?

@ozkey

ozkey commented Apr 27, 2022

I can confirm this solution works, for what it's worth ... surprised it's not approved and merged!

@ozkey

ozkey commented Apr 27, 2022

Is there a workaround?

@krzysztof-raciniewski

is there a workaround ?

npm config set strictSSL false is working

@JamesHenry
Member

Thanks a lot for your patience on this, folks, happy to get this in! 🙏

Successfully merging this pull request may close these issues.

Lerna does not respect strict-ssl=false in .npmrc