Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Running npm config set expands all environment variables in .npmrc, permanently.
The documentation says you can do this:
All npm config files are an ini-formatted list of key = value parameters. Environment variables can be replaced using ${VARIABLE_NAME}. For example:
prefix = ${HOME}/.npm-packages
However if you do this, it gets expanded permanently the first time you run npm config:
$ cat .npmrc
prefix = ${HOME}/.npm-packages
$ npm config set dummy=true --location=project
$ cat .npmrc
prefix = /home/example/.npm-packages
dummy=true
Expected Behavior
Environment variables in .npmrc should be left alone. They are often placeholders for things like authentication tokens for private repositories, so replacing them with the current value is undesirable and breaks functionality.
Steps To Reproduce
echo 'prefix = ${HOME}/.npm-packages' >> .npmrccat .npmrc- Confirm
${HOME} is contained in the file
npm config set dummy=true --location=projectcat .npmrc- Observe
${HOME} has been replaced with the current user's actual home directory.
Environment
- npm: 8.18.0
- Node.js: 18.4.0
- OS Name: Arch Linux
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Running
npm config setexpands all environment variables in.npmrc, permanently.The documentation says you can do this:
However if you do this, it gets expanded permanently the first time you run
npm config:Expected Behavior
Environment variables in
.npmrcshould be left alone. They are often placeholders for things like authentication tokens for private repositories, so replacing them with the current value is undesirable and breaks functionality.Steps To Reproduce
echo 'prefix = ${HOME}/.npm-packages' >> .npmrccat .npmrc${HOME}is contained in the filenpm config set dummy=true --location=projectcat .npmrc${HOME}has been replaced with the current user's actual home directory.Environment