Auth & Registry Settings (.npmrc)
The settings on this page must be configured via .npmrc files. pnpm uses the npm CLI under the hood for publishing, so these settings need to be in a format that npm can read.
For details on how .npmrc files are loaded, see the pnpm config command.
For settings that can be configured in pnpm-workspace.yaml, see Settings (pnpm-workspace.yaml).
Environment variables
Values in .npmrc files may reference environment variables using the ${NAME} syntax.
Since v10.34.2, environment variables are not expanded in the project and workspace .npmrc files (those checked out together with the repository) for the following settings:
- registry and proxy URLs (
registry,@scope:registry,proxy,https-proxy,http-proxy); - URL-scoped keys (keys starting with
//); - credential values (
_authToken,_auth,_password,username,tokenHelper,cert,key).
A setting that contains a ${...} placeholder in any of these positions is ignored, and pnpm prints a warning. Repository-controlled .npmrc files must not be able to expand environment variables into the URLs pnpm sends requests to, or into the credentials attached to those requests — otherwise a malicious repository could exfiltrate secrets from your environment (such as CI tokens) to an attacker-controlled registry during installation (GHSA-3qhv-2rgh-x77r).
If your project relied on a committed .npmrc containing a line like //registry.npmjs.org/:_authToken=${NPM_TOKEN}, move the token to a trusted location instead:
-
Write the token to the global config file before installing (for example, in a CI step):
pnpm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"pnpm config setwrites to the global config file by default, not to the project.npmrc, so the token never ends up in the repository. -
Or keep the
${NPM_TOKEN}placeholder line, but put it in the user-level~/.npmrcinstead of the repository — environment variables are still expanded there. -
Or set the value via an environment variable directly, without any
.npmrcentry:npm_config_//registry.npmjs.org/:_authToken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -
In GitHub Actions,
actions/setup-nodewith theregistry-urlinput writes the auth setting to a user-level.npmrc(referenced by theNPM_CONFIG_USERCONFIGenvironment variable, which pnpm honors), so authentication via theNODE_AUTH_TOKENenvironment variable continues to work. -
If you cannot easily modify each CI pipeline, you may declare the project
.npmrctrusted by setting a single environment variable in the CI environment (for example, at the organization or workspace level):NPM_CONFIG_USERCONFIG=.npmrcThis makes pnpm read the project's
.npmrcas the user-level config file (a relative path is resolved against the working directory), so environment variables in it are expanded as before. Because the trust declaration comes from the environment — not from the repository — a malicious repository cannot set it for you.dangerOnly use this in environments that exclusively build trusted repositories. It disables this protection entirely for the checked-out repository, including the restriction that
tokenHelpermay only be set in user-level config.
The same rule applies to registry and proxy URLs in a project or workspace .npmrc (registry, @scope:registry, proxy, https-proxy, http-proxy). If you used an environment variable to build a registry URL, move the setting to a trusted source — your user-level ~/.npmrc, the global config (pnpm config set "<key>" <value>), a CLI option, or an environment variable. If the URL is not secret, you can also write the resolved value directly in the project .npmrc, since only ${...} placeholders are ignored.
Registry Settings
registry
- Default: https://registry.npmjs.org/
- Type: url
The base URL of the npm package registry (trailing slash included).
@jsr:registry
Added in: v10.9.0
- Default: https://npm.jsr.io/
- Type: url
The base URL of the JSR package registry.
<scope>:registry
The npm registry that should be used for packages of the specified scope. For
example, setting @babel:registry=https://example.com/packages/npm/
will enforce that when you use pnpm add @babel/core, or any @babel scoped
package, the package will be fetched from https://example.com/packages/npm
instead of the default registry.
Authentication Settings
<URL>:_authToken
Definisci il token del portatore di autenticazione da utilizzare quando si accede al registro. Ad esempio:
//registry.npmjs.org/:_authToken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Puoi anche usare una variabile d'ambiente. Ad esempio:
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
Since v10.34.2, environment variables are only expanded in trusted locations (the user ~/.npmrc, the global config, CLI options, and npm_config_* environment variables), not in the project or workspace .npmrc. See Environment variables.
Or you may just use an environment variable directly, without changing .npmrc at all:
npm_config_//registry.npmjs.org/:_authToken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
<URL>:tokenHelper
Un token helper è un eseguibile che emette un token di autenticazione. Può essere usato in situazioni in cui authToken non è un valore costante ma è qualcosa che si aggiorna regolarmente, in cui uno script o un altro strumento può usare un token di aggiornamento esistente per ottenere un nuovo token di accesso.
La configurazione per il percorso dell'helper deve essere un percorso assoluto, senza argomenti. In order to be secure, it is only permitted to set this value in the user .npmrc. Otherwise a project could place a value in a project's local .npmrc and run arbitrary executables.
Impostazione di un token helper per il registro predefinito:
tokenHelper=/home/ivan/token-generator
Impostazione di un token helper per il registro specificato:
//registry.corp.com:tokenHelper=/home/ivan/token-generator
Proxy Settings
https-proxy
- Default: null
- Type: url
Un proxy da utilizzare per le richieste HTTPS in uscita. If the HTTPS_PROXY, https_proxy,
HTTP_PROXY or http_proxy environment variables are set, their values will be
used instead.
If your proxy URL contains a username and password, make sure to URL-encode them. Ad esempio:
https-proxy=https://use%21r:pas%2As@my.proxy:1234/foo
Do not encode the colon (:) between the username and password.
http-proxy
proxy
- Default: null
- Type: url
Un proxy da utilizzare per le richieste http in uscita. Se le variabili di ambiente HTTP_PROXY o http_proxy sono impostate, le impostazioni del proxy saranno onorate dalla libreria di richiesta sottostante.
local-address
- Default: undefined
- Type: IP Address
L'indirizzo IP dell'interfaccia locale da utilizzare quando si effettuano connessioni al registro npm.
maxsockets
- Default: networkConcurrency x 3
- Type: Number
Il numero massimo di connessioni da utilizzare per origine (combinazione protocollo/host/porta).
noproxy
- Default: null
- Type: String
Una stringa di estensioni di dominio separate da virgole per le quali non dovrebbe essere utilizzato un proxy.
SSL Settings
strict-ssl
- Default: true
- Type: Boolean
Se eseguire o meno la convalida della chiave SSL quando si effettuano richieste al registro tramite HTTPS.
See also the ca option.
Certificate Settings
ca
- Default: The npm CA certificate
- Type: String, Array or null
Il certificato di firma dell'autorità di certificazione considerato attendibile per le connessioni SSL al registro. I valori devono essere in formato PEM (ovvero "X.509 codificato in base-64 (.CER)"). Ad esempio:
ca="-----BEGIN CERTIFICATE-----\nXXXX\nXXXX\n-----END CERTIFICATE-----"
Imposta a null per consentire solo ai registrar noti o un certificato CA specifico di considerare attendibile solo quella specifica autorità di firma.
È possibile considerare attendibili più CA specificando una serie di certificati:
ca[]="..."
ca[]="..."
See also the strict-ssl config.
cafile
- Default: null
- Type: path
Un percorso a un file contenente una o più autorità di certificazione che firmano
certificati. Similar to the ca setting, but allows for multiple CAs, as well
as for the CA information to be stored in a file instead of being specified via
CLI.
<URL>:cafile
Define the path to a Certificate Authority file to use when accessing the specified registry. Ad esempio:
//registry.npmjs.org/:cafile=ca-cert.pem
<URL>:ca
Added in: v10.25.0
Define an inline Certificate Authority certificate for the specified registry.
The value must be PEM-encoded, like the global ca setting, but it only applies
to the matching registry URL.
//registry.example.com/:ca=-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
cert
- Default: null
- Type: String
Un certificato client da passare quando si accede al registro. I valori devono essere in formato PEM (ovvero "X.509 codificato in base-64 (.CER)"). Ad esempio:
cert="-----BEGIN CERTIFICATE-----\nXXXX\nXXXX\n-----END CERTIFICATE-----"
It is not the path to a certificate file.
<URL>:cert
Added in: v10.25.0
Define an inline client certificate to use when accessing the specified registry. Esempio:
//registry.example.com/:cert=-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
<URL>:certfile
Define the path to a certificate file to use when accessing the specified registry. Ad esempio:
//registry.npmjs.org/:certfile=server-cert.pem
key
- Default: null
- Type: String
Una chiave client da passare quando si accede al registro. I valori devono essere in formato PEM (ovvero "X.509 codificato in base-64 (.CER)"). Ad esempio:
key="-----BEGIN PRIVATE KEY-----\nXXXX\nXXXX\n-----END PRIVATE KEY-----"
It is not the path to a key file. Use <URL>:keyfile if you need to reference
the file system instead of inlining the key.
Questa impostazione contiene informazioni sensibili. Don't write it to a local .npmrc file committed to the repository.
<URL>:key
Added in: v10.25.0
Define an inline client key for the specified registry URL.
//registry.example.com/:key=-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----
<URL>:keyfile
Define the path to a client key file to use when accessing the specified registry. Ad esempio:
//registry.npmjs.org/:keyfile=server-key.pem