Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Perhaps it could have been fixed by #9473, but isolated mode is not used/expected by everyone 😄
With allow-remote defaulting to none, a fresh npm install under the linked install strategy fails with EALLOWREMOTE on an ordinary registry dependency whose resolved is a full registry tarball URL:
npm error code EALLOWREMOTE
npm error Fetching packages of type "remote" have been disabled
npm error Refusing to fetch "minimatch@https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz"
The tarball host equals the configured registry and the path is under the registry path, so this is a registry-mediated install — exactly the case the reify-layer exemption (#isRegistryResolvedTarball) is meant to allow. The standard (hoisted) reifier installs the same dependency fine under allow-remote=none; only the linked strategy fails.
Expected Behavior
Same-origin, registry-path tarball URLs from the lockfile should install under allow-remote=none in the linked strategy, identically to the hoisted reifier — which exempts them at reify.js:715 via #isRegistryResolvedTarball.
Steps To Reproduce
rm -rf /tmp/eallow-repro
mkdir -p /tmp/eallow-repro
cd /tmp/eallow-repro
echo 'install-strategy=linked' > .npmrc
cat > package.json << 'EOF'
{
"name": "eallow-repro",
"version": "1.0.0",
"dependencies": { "minimatch": "3.1.5" }
}
EOF
npm install --allow-remote=none # → EALLOWREMOTE on a registry tarball URL
npm install --allow-remote=all # → succeeds (confirms the cause)
# the hoisted strategy is NOT affected:
npm install --install-strategy=hoisted --allow-remote=none # → succeeds
Environment
- npm: 12.0.0-pre.0
- Node.js: v24.15.0
- OS Name: Darwin 25.5.0 (macOS, arm64)
- Relevant config:
install-strategy=linked, allow-remote=none (new default)
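The same-origin, registry-path condition described under Current Behavior, as an added JavaScript sketch. It is not npm's `#isRegistryResolvedTarball` implementation, which the issue does not show; `isRegistryTarball`, the `corp.example` registry and every sample URL other than the minimatch one are assumptions constructed for illustration.

```javascript
// Added sketch, not npm's source: isRegistryTarball is a hypothetical name.
// It encodes the two conditions the issue states: tarball host equals the
// configured registry, and the tarball path sits under the registry path.
function isRegistryTarball (resolved, registry) {
  let tarball, reg
  try {
    tarball = new URL(resolved)
    reg = new URL(registry)
  } catch {
    return false // not an absolute URL, e.g. a bare "name@version" spec
  }
  // Registry tarballs are plain http(s); git+ssh:, file: and similar are not.
  if (tarball.protocol !== 'http:' && tarball.protocol !== 'https:') return false
  // Origin covers scheme, host and port, so a lookalike host or an
  // https -> http downgrade does not count as "the configured registry".
  if (tarball.origin !== reg.origin) return false
  // Compare on a path-segment boundary: "/npm" must not match "/npm-evil/".
  // URL() has already collapsed "../" segments in pathname.
  const base = reg.pathname.endsWith('/') ? reg.pathname : reg.pathname + '/'
  return tarball.pathname.startsWith(base)
}

// Constructed sample inputs, except the minimatch URL quoted in the issue.
const NPMJS = 'https://registry.npmjs.org/'
const CORP = 'https://corp.example/npm' // assumed private registry with a path
const cases = [
  ['https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz', NPMJS],
  ['https://registry.npmjs.org.evil.example/minimatch/-/minimatch-3.1.5.tgz', NPMJS],
  ['http://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz', NPMJS],
  ['https://corp.example/npm/x/-/x-1.0.0.tgz', CORP],
  ['https://corp.example/npm-evil/x/-/x-1.0.0.tgz', CORP],
  ['https://corp.example/npm/../other/x-1.0.0.tgz', CORP],
  ['git+ssh://git@host.example/x.git', NPMJS],
  ['minimatch@3.1.5', NPMJS]
]

// Returns one boolean per case, in order.
function runCases () {
  return cases.map(([resolved, registry]) => isRegistryTarball(resolved, registry))
}

console.log(runCases())
```

Only the first and fourth cases qualify as registry-mediated; a regression test for the linked strategy would want both a root-path and a sub-path registry covered.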