aspect-build
Add dynamic .npmrc authentication
Fixes static authentication token caching issue where tokens from .npmrc were read once during module extension evaluation and cached, causing 401 errors when short-lived credentials expired (e.g., AWS CodeArtifact 12-hour tokens).
Changes:
- Add _read_npmrc_auth() function to read .npmrc files dynamically on each download instead of caching tokens statically
- Add _get_auth_from_url() helper to extract auth for specific registry URLs
- Add npmrc and use_home_npmrc attributes to npm_import_rule
- Modify _download_and_extract_archive() to read auth dynamically first, with fallback to static auth attributes for backward compatibility
- Pass npmrc/use_home_npmrc from npm_translate_lock extension instead of static npm_auth* attributes
Changes are visible to end-users: no
Test plan
- Add unit tests for _get_auth_from_url() helper function
- Add e2e integration test that verifies tokens are read dynamically:
- Fetches succeed with valid tokens
- Fetches fail with 401 when tokens are broken (proving fresh reads)
- Fetches succeed when tokens are restored
- Test uses --repository_cache= to force fresh downloads
Fixes: https://github.com/aspect-build/rules_js/issues/2547
Bazel 7 (Test)
All tests were cache hits
299 tests (100.0%) were fully cached saving 39s.
Bazel 8 (Test)
All tests were cache hits
262 tests (100.0%) were fully cached saving 37s.
Bazel 7 (Test)
e2e/bzlmod
All tests were cache hits
5 tests (100.0%) were fully cached saving 559ms.
Bazel 7 (Test)
e2e/git_dep_metadata
All tests were cache hits
1 test (100.0%) was fully cached saving 31ms.
Bazel 7 (Test)
e2e/gyp_no_install_script
All tests were cache hits
2 tests (100.0%) were fully cached saving 153ms.
Bazel 7 (Test)
e2e/js_image_oci
All tests were cache hits
1 test (100.0%) was fully cached saving 6s.
Bazel 7 (Test)
e2e/npm_link_package
All tests were cache hits
2 tests (100.0%) were fully cached saving 206ms.
Bazel 7 (Test)
e2e/npm_link_package-esm
All tests were cache hits
2 tests (100.0%) were fully cached saving 224ms.
Bazel 7 (Test)
e2e/npm_link_package-rerooted
All tests were cache hits
2 tests (100.0%) were fully cached saving 199ms.
Bazel 7 (Test)
e2e/npm_translate_lock
All tests were cache hits
3 tests (100.0%) were fully cached saving 681ms.
Bazel 7 (Test)
e2e/npm_translate_lock_disable_hooks
All tests were cache hits
3 tests (100.0%) were fully cached saving 257ms.
Bazel 7 (Test)
e2e/npm_translate_lock_empty
All tests were cache hits
2 tests (100.0%) were fully cached saving 180ms.
Bazel 7 (Test)
e2e/npm_translate_lock_exclude_package_contents
All tests were cache hits
1 test (100.0%) was fully cached saving 34ms.
Bazel 7 (Test)
e2e/npm_translate_lock_link_workspace
All tests were cache hits
2 tests (100.0%) were fully cached saving 225ms.
Bazel 7 (Test)
e2e/npm_translate_lock_multi
All tests were cache hits
2 tests (100.0%) were fully cached saving 164ms.
Bazel 7 (Test)
e2e/npm_translate_lock_partial_clone
All tests were cache hits
1 test (100.0%) was fully cached saving 61ms.
Bazel 7 (Test)
e2e/npm_translate_lock_replace_packages
All tests were cache hits
4 tests (100.0%) were fully cached saving 487ms.
Bazel 7 (Test)
e2e/npm_translate_lock_subdir_patch
All tests were cache hits
1 test (100.0%) was fully cached saving 95ms.
Bazel 7 (Test)
e2e/npm_translate_package_lock
All tests were cache hits
1 test (100.0%) was fully cached saving 31ms.
Bazel 7 (Test)
e2e/npm_translate_yarn_lock
All tests were cache hits
1 test (100.0%) was fully cached saving 31ms.
Bazel 7 (Test)
e2e/package_json_module
All tests were cache hits
1 test (100.0%) was fully cached saving 324ms.
Bazel 7 (Test)
e2e/patch_from_repo
All tests were cache hits
1 test (100.0%) was fully cached saving 31ms.
Bazel 7 (Test)
e2e/pnpm_lockfiles
All tests were cache hits
82 tests (100.0%) were fully cached saving 8s.
Bazel 7 (Test)
e2e/pnpm_repo_install
All tests were cache hits
1 test (100.0%) was fully cached saving 963ms.
Bazel 7 (Test)
e2e/pnpm_version
All tests were cache hits
1 test (100.0%) was fully cached saving 75ms.
Bazel 7 (Test)
e2e/pnpm_workspace
All tests were cache hits
15 tests (100.0%) were fully cached saving 3s.
Bazel 7 (Test)
e2e/pnpm_workspace_deps
All tests were cache hits
3 tests (100.0%) were fully cached saving 428ms.
Bazel 7 (Test)
e2e/pnpm_workspace_rerooted
All tests were cache hits
15 tests (100.0%) were fully cached saving 3s.
Bazel 7 (Test)
e2e/repo_mapping
All tests were cache hits
3 tests (100.0%) were fully cached saving 394ms.
Bazel 7 (Test)
e2e/runfiles
All tests were cache hits
1 test (100.0%) was fully cached saving 110ms.
Bazel 7 (Test)
e2e/stamped_package_json
All tests were cache hits
1 test (100.0%) was fully cached saving 44ms.
Bazel 7 (Test)
e2e/vendored_node
All tests were cache hits
1 test (100.0%) was fully cached saving 70ms.
Bazel 7 (Test)
e2e/vendored_tarfile
All tests were cache hits
1 test (100.0%) was fully cached saving 31ms.
Bazel 7 (Test)
e2e/verify_patches
All tests were cache hits
2 tests (100.0%) were fully cached saving 109ms.
Bazel 7 (Test)
e2e/worker
All tests were cache hits
1 test (100.0%) was fully cached saving 35ms.
Bazel 7 (Test)
e2e/workspace
All tests were cache hits
1 test (100.0%) was fully cached saving 35ms.
Buildifier 
Format
![aspect-workflows[bot] avatar](https://avatars.githubusercontent.com/in/380038?v=4 "Published by a pub.dev verified publisher"){kind=small}
Don't we need to change npm_translate_lock to actually pass this info through to each npm_import?
I'm also curious if https://github.com/aspect-build/rules_js/pull/2554 solves this? Can you try that?
That is for 3.x atm though since I think that won't work with bazel6
I'm also curious if #2554 solves this? Can you try that?
That is for
3.xatm though since I think that won't work with bazel6
thanks for the review @jbedard. let me test with this change and get back to you