Cannot renovate repos with .npmrc that uses env vars #851

Closed
SpainTrain opened this issue Sep 28, 2017 · 5 comments · Fixed by #853
@SpainTrain
Contributor

.npmrc files allow use of env vars, e.g.,

//registry.npmjs.org/:_authToken=${NPM_TOKEN}

However, after #807 the environment is no longer passed to npm/yarn and when trying to renovate repos with .npmrc files like this, one receives

"err": {
  "name": "ChildProcessError",
  ...
  "stderr": "error An unexpected error occurred: \"Failed to replace env in config: ${NPM_TOKEN}\".\n"

Due to deployment requirements, it is not possible to remove .npmrc from the target repo.

@rarkins
Collaborator

rarkins commented Sep 28, 2017

In your case is it just NPM_TOKEN needed right now? Maybe we can allow a server side white listing of variable names. I need to make sure this doesn't open any exploits for the hosted app.

@SpainTrain
Contributor Author

While in my example the env var is being used for the npm registry token, note that the more general issue is that target repos may have .npmrc files that use arbitrary env vars.

In my case, my specific issue could be resolved in two ways I think:

  • your suggestion of passing process.env.NPM_TOKEN to yarn child process
  • renovate somehow ignoring the .npmrc file in the target repo (e.g., temporarily renaming it while running yarn child process). This should work because we set RENOVATE_NPMRC to pass the npm token for private modules.

An, arguably over-engineered, general solution to the problem would be supporting explicitly passing env vars to yarn, e.g., RENOVATE_YARN_MY_VAR is passed to yarn child process as MY_VAR

Outside of registry tokens, I am not really sure what folks use the env var interpolation for, so I can't really opine on which approach is best. Any of them solve our specific problem, though.
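The options discussed above (a server-side allowlist of variable names, and a `RENOVATE_YARN_` prefix mapped onto the child's variable names) can be sketched as follows. This is an added example, not Renovate's code: the function names, `BASE_VARS`, and all sample values are hypothetical, and the `${NAME}` pattern is a simplified approximation of npm's interpolation.

```javascript
// Added example (not Renovate's code). All names below are hypothetical.
const BASE_VARS = ['PATH', 'HOME'];     // assumed minimum for a child npm/yarn
const PASS_PREFIX = 'RENOVATE_YARN_';   // prefix proposed in the thread

// Collect ${NAME} references from .npmrc text, skipping comment lines.
function npmrcEnvRefs(npmrcText) {
  const refs = new Set();
  for (const line of npmrcText.split(/\r?\n/)) {
    if (/^\s*[;#]/.test(line)) continue;
    for (const m of line.matchAll(/\$\{([^}]+)\}/g)) refs.add(m[1]);
  }
  return [...refs];
}

// Build the child environment from base vars, allowlisted names, and
// prefixed vars renamed (RENOVATE_YARN_MY_VAR -> MY_VAR). Everything else
// in the parent environment is withheld from the child process.
function buildChildEnv(parentEnv, allowlist) {
  const env = {};
  for (const name of [...BASE_VARS, ...allowlist]) {
    if (parentEnv[name] !== undefined) env[name] = parentEnv[name];
  }
  for (const [name, value] of Object.entries(parentEnv)) {
    if (name.startsWith(PASS_PREFIX) && name.length > PASS_PREFIX.length) {
      env[name.slice(PASS_PREFIX.length)] = value;
    }
  }
  return env;
}

// References the child could not resolve; each one would fail with
// "Failed to replace env in config".
function unresolvedRefs(npmrcText, childEnv) {
  return npmrcEnvRefs(npmrcText).filter((n) => childEnv[n] === undefined);
}

// Constructed sample input.
const sampleNpmrc = [
  '; constructed sample',
  '//registry.npmjs.org/:_authToken=${NPM_TOKEN}',
  'cafile=${MY_VAR}/ca.pem',
].join('\n');
const sampleParent = {
  PATH: '/usr/bin', HOME: '/home/bot', NPM_TOKEN: 'constructed-token',
  RENOVATE_YARN_MY_VAR: '/etc/ssl', GITHUB_TOKEN: 'constructed-secret',
};
const childEnv = buildChildEnv(sampleParent, ['NPM_TOKEN']);
console.log(Object.keys(childEnv).sort(), unresolvedRefs(sampleNpmrc, childEnv));
```

Running `unresolvedRefs` before spawning the child lets the host report a missing variable by name, while `GITHUB_TOKEN` in the sample parent never reaches the child.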

rarkins added a commit that referenced this issue Sep 29, 2017
This feature adds support for ignoring .npmrc files in a repository. Set config option to true if you wish to ignore.

Closes #851
@rarkins rarkins self-assigned this Sep 29, 2017
@rarkins
Collaborator

rarkins commented Sep 29, 2017

@SpainTrain please try the fix. You could set it using env if it can apply to all your repos; otherwise configure it in renovate.json or package.json.

@SpainTrain
Contributor Author

Thanks! Will test today!

@SpainTrain
Contributor Author

Works great. Thank you ❤️
