diff --git a/README.md b/README.md
index 1d469412..7a3d2d19 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@
 
 | Step               | Description |
 |--------------------|-------------|
-| `verifyConditions` | Verify the presence of the `NPM_TOKEN` environment variable, create or update the `.npmrc` file with the token and verify the token is valid. |
+| `verifyConditions` | Verify the presence of the `NPM_TOKEN` environment variable, or an `.npmrc` file, and verify the authentication method is valid. |
 | `prepare`          | Update the `package.json` version and [create](https://docs.npmjs.com/cli/pack) the npm package tarball. |
 | `addChannel`       | [Add a release to a dist-tag](https://docs.npmjs.com/cli/dist-tag). |
 | `publish`          | [Publish the npm package](https://docs.npmjs.com/cli/publish) to the registry. |
@@ -41,7 +41,9 @@ The npm authentication configuration is **required** and can be set via [environ
 
 Both the [token](https://docs.npmjs.com/getting-started/working_with_tokens) and the legacy (`username`, `password` and `email`) authentication are supported. It is recommended to use the [token](https://docs.npmjs.com/getting-started/working_with_tokens) authentication. The legacy authentication is supported as the alternative npm registries [Artifactory](https://www.jfrog.com/open-source/#os-arti) and [npm-registry-couchapp](https://github.com/npm/npm-registry-couchapp) only supports that form of authentication.
 
-**Note**: Only the `auth-only` [level of npm two-factor authentication](https://docs.npmjs.com/getting-started/using-two-factor-authentication#levels-of-authentication) is supported, **semantic-release** will not work with the default `auth-and-writes` level.
+**Notes**:
+- Only the `auth-only` [level of npm two-factor authentication](https://docs.npmjs.com/getting-started/using-two-factor-authentication#levels-of-authentication) is supported, **semantic-release** will not work with the default `auth-and-writes` level.
+- The presence of an `.npmrc` file will override any specified environment variables.
 
 ### Environment variables
 
diff --git a/test/set-npmrc-auth.test.js b/test/set-npmrc-auth.test.js
index ec42702c..52d427ac 100644
--- a/test/set-npmrc-auth.test.js
+++ b/test/set-npmrc-auth.test.js
@@ -212,3 +212,30 @@ test.serial('Throw error if "NPM_EMAIL" is missing', async (t) => {
   t.is(error.message, 'No npm token specified.');
   t.is(error.code, 'ENONPMTOKEN');
 });
+
+test.serial('Prefer .npmrc over environment variables', async (t) => {
+  process.env.HOME = tempy.directory();
+  const cwd = tempy.directory();
+  process.chdir(cwd);
+  const npmrc = tempy.file({name: '.npmrc'});
+  // Specify an NPM token environment variable
+  const env = {NPM_TOKEN: 'env_npm_token'};
+
+  await appendFile(path.resolve(cwd, '.npmrc'), '//registry.npmjs.org/:_authToken=npmrc_npm_token');
+
+  await require('../lib/set-npmrc-auth')(npmrc, 'http://registry.npmjs.org', {cwd, env, logger: t.context.logger});
+
+  t.is(
+    (await readFile(npmrc)).toString(),
+    // Assert did not write the token from environment variable
+    `//registry.npmjs.org/:_authToken=npmrc_npm_token`
+  );
+
+  // Assert reads from config
+  t.deepEqual(t.context.log.args[1], ['Reading npm config from %s', path.resolve(cwd, '.npmrc')]);
+
+  // Assert does not write NPM_TOKEN
+  for (const log of t.context.log.args) {
+    t.false(log.includes('Wrote NPM_TOKEN'));
+  }
+});