[RRFC] Allow list of registries (to be used as a per-project .npmrc override)
Motivation ("The Why")
I found some references to private registries in a package-lock.json
of a public project. They likely ended up in there by mistake.
Sorry if there's already an existing feature that I missed that can solve this...
Example
- https://github.com/kubernetes-client/javascript/pull/605/files
How
Current Behaviour
The package-lock.json / package.json will be installed based on user's .npmrc.
Desired Behaviour
A project should be able to create an explicit allow list of registries in its own .npmrc.
This would also likely be useful for users as well, just in case a project does not define an allow list, and installs from other registries than the user's preferred one.
I realize that there may be some collisions there between user settings and project settings, so there may be a degradation of UX there...
References
- n/a
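Until something like this exists in npm, the allow list requested above can be approximated by a check on the lockfile itself. The following is an added example, not part of the original issue and not npm's code: it reports every `resolved` URL in a parsed package-lock.json that falls outside an allow list. `ALLOWED_REGISTRIES`, the function names and the sample lockfile (including the `.example` hosts) are constructed for illustration.

```javascript
// Added example (not npm's code). ALLOWED_REGISTRIES and SAMPLE_LOCK are constructed.
const ALLOWED_REGISTRIES = ['https://registry.npmjs.org/'];

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/left-pad': {
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
    'node_modules/internal-lib': {
      resolved: 'https://npm.internal.example/internal-lib/-/internal-lib-1.0.0.tgz' },
    'node_modules/lookalike': {
      resolved: 'https://registry.npmjs.org.mirror.example/lookalike/-/lookalike-1.0.0.tgz' },
    'node_modules/workspace-pkg': { resolved: 'packages/workspace-pkg', link: true },
  },
};

// Reduce a registry URL to "origin + path/" so the prefix match compares whole
// hosts, not raw strings (registry.npmjs.org.mirror.example must not match).
function registryPrefix(registry) {
  const u = new URL(registry);
  return u.origin + (u.pathname.endsWith('/') ? u.pathname : u.pathname + '/');
}

function isAllowed(resolved, prefixes) {
  let u;
  try { u = new URL(resolved); } catch { return false; } // not an absolute URL
  return prefixes.some((p) => (u.origin + u.pathname).startsWith(p));
}

// Returns [{ name, resolved }] for every locked entry fetched from elsewhere.
function findDisallowed(lock, allowed = ALLOWED_REGISTRIES) {
  const prefixes = allowed.map(registryPrefix);
  const findings = [];
  const check = (name, entry) => {
    if (entry.link || typeof entry.resolved !== 'string') return; // local link or root
    if (!isAllowed(entry.resolved, prefixes)) findings.push({ name, resolved: entry.resolved });
  };
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) check(path, entry);
  } else { // lockfileVersion 1: nested dependencies tree
    const walk = (deps = {}) => {
      for (const [name, entry] of Object.entries(deps)) { check(name, entry); walk(entry.dependencies); }
    };
    walk(lock.dependencies);
  }
  return findings;
}

console.log(findDisallowed(SAMPLE_LOCK));
```

In CI, pass it `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of the sample and fail the build when the returned array is not empty.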
How about allowing for multiple registries generally in the system npmrc - falling back to another one if not found in the first? https://stackoverflow.com/questions/32633678/is-there-any-way-to-configure-multiple-registries-in-a-single-npmrc-file/67067209#67067209