[RRFC] Allow list of registries (to be used as a per-project .npmrc override)

Open dominykas opened this issue 3 years ago • 1 comments

Motivation ("The Why")

I found some references to private registries in a package-lock.json of a public project. They likely ended up in there by mistake.

Sorry if there's already an existing feature that I missed that can solve this...

Example

  • https://github.com/kubernetes-client/javascript/pull/605/files

How

Current Behaviour

The package-lock.json / package.json will be installed based on the user's .npmrc.

Desired Behaviour

A project should be able to create an explicit allow list of registries in its own .npmrc.

This would also likely be useful for users as well, just in case a project does not define an allow list, and installs from other registries than the user's preferred one.

I realize that there may be some collisions there between user settings and project settings, so there may be a degradation of UX there...

References

  • n/a

dominykas avatar Mar 15 '21 09:03 dominykas
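A check for the situation described in the issue above, as an added example that is not part of the original thread and not an npm feature: it audits the `resolved` URLs in a package-lock.json against an allow list of registry origins. The names `ALLOWED_REGISTRIES`, `findDisallowed`, the host `npm.internal.example` and the sample lockfile are constructed for illustration.

```javascript
// Constructed allow list; compared by origin (scheme + host + port) only.
const ALLOWED_REGISTRIES = ['https://registry.npmjs.org'];

// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 only has nested "dependencies". Workspace links are skipped.
function* resolvedEntries(lock) {
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (pkg.resolved && !pkg.link) yield [path, pkg.resolved];
    }
    return;
  }
  yield* walkV1(lock.dependencies);
}

function* walkV1(deps) {
  for (const [name, dep] of Object.entries(deps || {})) {
    if (dep.resolved) yield [name, dep.resolved];
    yield* walkV1(dep.dependencies);
  }
}

// Returns every entry whose tarball comes from outside the allow list,
// including non-registry sources such as git+ssh or file URLs.
function findDisallowed(lock, allowed = ALLOWED_REGISTRIES) {
  const allowedOrigins = new Set(allowed.map((u) => new URL(u).origin));
  const findings = [];
  for (const [name, resolved] of resolvedEntries(lock)) {
    let origin = null;
    try { origin = new URL(resolved).origin; } catch { /* not a URL */ }
    if (!allowedOrigins.has(origin)) findings.push({ name, resolved });
  }
  return findings;
}

// Constructed sample lockfile: one public entry, one private-registry entry.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/left-pad': { resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
    'node_modules/internal-lib': { resolved: 'https://npm.internal.example/internal-lib/-/internal-lib-2.0.0.tgz' },
  },
};

for (const f of findDisallowed(sampleLock)) console.log(`disallowed: ${f.name} -> ${f.resolved}`);
```

In CI, pass the parsed contents of the project's package-lock.json to `findDisallowed` and fail the build when the result is non-empty.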

How about allowing for multiple registries generally in the system npmrc - falling back to another one if not found in the first? https://stackoverflow.com/questions/32633678/is-there-any-way-to-configure-multiple-registries-in-a-single-npmrc-file/67067209#67067209

jcrben avatar Feb 13 '23 23:02 jcrben