Gar

Results 481 comments of Gar

If I use npm 11 and force this throw to happen I get the message on the cli:

```sh
$ node /Users/wraithgar/Development/npm/cli/branches/gar_metavuln-throw i lodash@1
error loading from incorrect packument error...
```

The `package.json#config` [example](https://github.com/npm/cli/issues/8153#issuecomment-2718906990) is exactly how you want to do this. Those aren't parsed as "npm" config values, those are isolated as "user space" config values for the package. Those...

> This also applies to things like NODE_OPTIONS and any options that are set for pnpm or other package managers that use .npmrc These should be unaffected. In `.npmrc` itself...

I am going to pin this issue for now since there may be more folks who are wondering how to address these warnings. I also added a link to the...

`--` has always been the way to separate npm args and script args.

```sh
~/D/s/scripts $ npm pkg get scripts.argtest
"node ./script.js"
~/D/s/scripts $ npm run argtest -- hello
>...
```

Reminder to please read the `---Added by npm team---` section at the very top of this issue for how to set configs in a way that does not collide w/...

> If npm registry keys are changed, is there any advanced notice from the npm registry of a plan to change? There shouldn't be. The values of the keys aren't...

> If I have understood this correctly it would mean that Corepack would need to be enhanced to always use the live keys on https://registry.npmjs.org/-/npm/v1/keys and not use its own...

> TLDR: (I believe that) these signatures only guarantee integrity, and not authenticity. This is instead where projects like [TUF](https://theupdateframework.io/docs/overview/) and [Sigstore](https://www.sigstore.dev/) The npm cli uses [TUF to fetch the...

> Is it possible for npm to estimate how often they expect to rotate keys, or is this simply an unknown? This is an unknown currently.