mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-01 04:28:22 -04:00
5e5df2e086
Each .npmrc / auth.ini / CLI source's unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) are rewritten to their URL-scoped equivalent during load, using the same source's registry= value (or the npmjs default if none). After this rewrite the merged config contains only URL-scoped settings, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot rebind a credential or client certificate to a different host. Each rescope emits a deprecation warning naming the source and the URL the setting was pinned to. ca/cafile are intentionally not rescoped — they're trust anchors, not credentials, and corporate MITM-proxy setups rely on them applying globally. Ported from #11953. Reported by JUNYI LIU. --- Written by an agent (Claude Code, claude-opus-4-7).