ncu ignores _auth in .npmrc

[ahoehn]

• I have searched for similar issues
• I am using the latest version of npm-check-updates
• I am using node >= 12

---

Steps to Reproduce

create an .npmrc file in your user folder to access a private repo. e.g. with a special _auth
run npm update and check that you have access to the private repo via _auth of .npmrc
run ncu and you won't have the rights to access the private repo

Current Behavior

settings in .npmrc are ignored

Expected Behavior

settings in .npmrc should be used as they are used in npm

[raineorshine]

There's a long history of getting npm-check-updates's auth to work as-is with the local npm config. This is due to differences between libnpmconfig and pacote. For past discussions see #556 and #878. There is also an open issue on pacote related to auth which may be related.

Can you try this workaround from #878 (comment)?

I found a fix / corrected my .npmrc to allow this

I had previously an .npmrc like

registry=https://example.jfrog.io/example/api/npm/
_auth=example
email=example@example.com
always-auth=true

This used to work, but now doesn't. My last update to global packages was sometime in the past couple of days, but uninstalling and downgrading npm-check-updates doesn't avoid the issue.

However, with an .npmrc like the following, it works

registry=https://example.jfrog.io/example/api/npm/
//example.jfrog.io/example/api/npm/:_auth=example
//example.jfrog.io/example/api/npm/:email=example@example.com
//example.jfrog.io/example/api/npm/:always-auth=true

I was clued in by formatting in npm/cli#2183

[jordwms]

I've been struggling with this issue for a couple weeks now and I found a solution + learned valuable information that I hope is helpful to everybody.

1. the workaround from Authorization headers are not sent #878 that you mention is absolutely necessary.
2. regardless of your userconfig value set in .npmrc (or in Windows by setting the user environment variable NPM_CONFIG_USERCONFIG), Pacote (I believe Pacote is responsible here) will only look for ~/.npmrc and load configs from there.

[raineorshine]

@jordwms

2. regardless of your userconfig value set in .npmrc (or in Windows by setting the user environment variable NPM_CONFIG_USERCONFIG), Pacote (I believe Pacote is responsible here) will only look for ~/.npmrc and load configs from there.

userconfig cannot be set in the global .npmrc, according to the npm docs. However I'm not sure what should happen if userconfig is set in the default userconfig file.

This may be overridden by the npm_config_userconfig environment variable or the --userconfig command line option, but may not be overridden by settings in the globalconfig file.

https://docs.npmjs.com/cli/v8/using-npm/config#userconfig

npm-check-updates uses https://github.com/npm/libnpmconfig to read the npm config. Looking into this, it seems like there is a bug in libnpmconfig where it always overrides process.env.npm_config_userconfig with the default builtin. Unfortunately there is no way to report this as the package is archived.

I patched it, so process.env.npm_config_userconfig or process.env.NPM_CONFIG_USERCONFIG should work in v12.5.3.

[raineorshine]

Closing due to inactivity from OP.