[BUG] Silent failure when cafile has restrictive filesystem permissions (EPERM)

[jsdevtom]

Summary

Silent failure when npm CLI loads cafile / NODE_EXTRA_CA_CERTS that has restrictive filesystem permissions. npm exits with EPERM stack trace but prints no user-visible error. Even when run with --loglevel verbose.

Environment

• npm: Reproducible with 10.9.3 and 11.6.0
• node: Reproducible with 20.20.0 and 24.9.0
• OS: macOS 15.x
• Shell: zsh 5.9 (Terminal.app)
• npm config sources: ~/.npmrc with

  cafile=/Users/<user>/Documents/CA.crt
  NODE_EXTRA_CA_CERTS=/Users/<user>/Documents/CA.crt
  

• Certificate file has 0000 permissions

Steps to Reproduce

1. On macOS, create any text file and add a restrictive MACL attribute:

   echo test > /tmp/test.crt
   

chmod 000 /tmp/test.crt

2. Point npm to the file:
```ini
echo "cafile=/tmp/test.crt" >> ~/.npmrc

3. Run a simple npm command:

   npm -v  # or npm ls --depth=0
   

Expected Behavior

npm should surface an error such as:

Error: cannot read cafile /tmp/test.crt (EPERM) while trying to load `cacert`.

and exit non-zero so users can diagnose quickly.

Actual Behavior

npm prints no error even when run with --loglevel verbose, then shows a stack trace:

Error: EPERM: operation not permitted, open '/tmp/test.crt'
    at readFileSync (node:fs:440:20)
    …

Command exits with code 1; users see nothing, resulting in silent failure.

Additional context

Full verbose stack trace attached below.

Stack trace

Error: EPERM: operation not permitted, open '/Users/.../CA.crt'
    at readFileSync (node:fs:440:20)
    at maybeReadFile (@npmcli/config/lib/definitions/definitions.js:13:12)
    at Definition.flatten (@npmcli/config/lib/definitions/definitions.js:363:19)
    at Config.flatten (@npmcli/config/lib/definitions/index.js:16:11)
    at get flat (@npmcli/config/lib/index.js:217:20)
    at get flatOptions (/Users/.../npm/lib/npm.js:360:13)
    …