mirror of
https://github.com/pnpm/pnpm.git
synced 2026-05-30 11:38:41 -04:00
* fix(config): pin unscoped per-registry settings to their source's registry at load time

  Each .npmrc / auth.ini / CLI source's unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) are rewritten to their URL-scoped equivalent during load, using the same source's registry= value (or the npmjs default if none).

  After this rewrite the merged config contains only URL-scoped settings, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot rebind a credential or client certificate to a different host. Each rescope emits a deprecation warning naming the source and the URL the setting was pinned to.

  ca/cafile are intentionally not rescoped — they're trust anchors, not credentials, and corporate MITM-proxy setups rely on them applying globally.

  Ported from #11953. Reported by JUNYI LIU.

  ---

  Written by an agent (Claude Code, claude-opus-4-7).

* chore(changeset): bump @pnpm/network.auth-header to major

  Removing the unscoped credential fallback in getAuthHeadersFromConfig is a breaking change to the package's contract — callers passing unscoped _authToken/_auth/username+_password/tokenHelper alongside a default registry no longer get a header back. Matches the major bump in #11953.

  ---

  Written by an agent (Claude Code, claude-opus-4-7).
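
The load-time pinning described in these commits, as an added sketch that is not pnpm's own code: each source's unscoped credentials are rewritten to that source's registry before layers are merged, and lookup has no unscoped fallback. All function and type names, the simplified URL prefix handling, and the sample hosts and token are assumptions constructed for illustration.

```typescript
// Added illustration; not pnpm's implementation. All names here are hypothetical.
type Settings = Record<string, string>
interface Source { name: string, settings: Settings }

const DEFAULT_REGISTRY = 'https://registry.npmjs.org/'
// Unscoped per-registry keys listed in the commit message (cert/key = inline cert/key).
const RESCOPED_KEYS = ['_authToken', '_auth', 'username', '_password', 'tokenHelper', 'cert', 'key']

// Simplified "//host/path/" prefix: drop the scheme, force a trailing slash.
function registryPrefix (registry: string): string {
  const noScheme = registry.replace(/^https?:/, '')
  return noScheme.slice(-1) === '/' ? noScheme : noScheme + '/'
}

// Pin one source's unscoped credentials to that same source's registry= value.
function rescopeSource (source: Source, warnings: string[]): Settings {
  const prefix = registryPrefix(source.settings['registry'] || DEFAULT_REGISTRY)
  const out: Settings = {}
  for (const key of Object.keys(source.settings)) {
    const value = source.settings[key] as string
    // registry=, ca, cafile and already URL-scoped keys pass through untouched.
    if (RESCOPED_KEYS.indexOf(key) === -1) { out[key] = value; continue }
    out[prefix + ':' + key] = value
    warnings.push(`${source.name}: unscoped "${key}" is deprecated; pinned to ${prefix}`)
  }
  return out
}

// Rescope every source first, then merge; later sources win as in layered config.
function loadConfig (sources: Source[]): { config: Settings, warnings: string[] } {
  const warnings: string[] = []
  const config: Settings = {}
  for (const source of sources) {
    const rescoped = rescopeSource(source, warnings)
    for (const key of Object.keys(rescoped)) config[key] = rescoped[key] as string
  }
  return { config, warnings }
}

// Lookup consults URL-scoped keys only; there is no unscoped fallback.
function tokenFor (config: Settings, registry: string): string | undefined {
  return config[registryPrefix(registry) + ':_authToken']
}

// Constructed sample: a user-level token, then a workspace layer overriding registry=.
const demo = loadConfig([
  { name: '~/.npmrc', settings: { registry: 'https://npm.internal.example/', _authToken: 'constructed-token' } },
  { name: 'workspace .npmrc', settings: { registry: 'https://other.example/' } }
])
```

In `demo`, the merged `registry` is the workspace's host, yet the token stays bound to the host from the file that declared it, so a request to the overriding registry carries no credential.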