Multiple registry scopes in encrypted .npmrc

[mschakulat]

What would you like help with?

I think I found a bug

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

I have several scores for my registry in the .npmrc:

@foo:registry=https://<my-company>.jfrog.io/path/api/npm/
@bar:registry=https://<my-company>.jfrog.io/path/api/npm/

I encrypt the file content via http...

To do this, I enter the lines separated by \n in raw value:

@foo:registry=https://<my-company>.jfrog.io/path/api/npm/\n@bar:registry=https://<my-company>.jfrog.io/path/api/npm/

The encrypted value is here in my renovate.json:

"encrypted": {
    "npmrc": "..."
}

Renovate can then access the dependency in scope @foo but not in @bar. If i change the order of my scopes like so:

@bar:registry=https://<my-company>.jfrog.io/path/api/npm/\n@foo:registry=https://<my-company>.jfrog.io/path/api/npm/

then renovate can access @bar but not @foo. A few days ago it seemed to work. Did anything change?

Logs (if relevant)

Logs

Logs dependending on the order of my npmrc string. The second scope always leads to the same error. This is for the second example:

@bar:registry=https://<my-company>.jfrog.io/path/api/npm/\n@foo:registry=https://<my-company>.jfrog.io/path/api/npm/

Scope: all 8 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
/tmp/renovate/repos/github/<my-company>>/<my-repo>>/path:
 ERR_PNPM_FETCH_404  GET https://registry.npmjs.org/@bar%2FpackageName: Not Found - 404

This error happened while installing a direct dependency of /tmp/renovate/repos/github/<my-company>>/<my-repo>>/path

@bar/packageName is not in the npm registry, or you have no permission to fetch it.

No authorization header was set for the request.

[viceice]

do not replace newlines, simply add the raw npmrc value to the encrypt page

[mschakulat]

Unfortunately adding it did not make any difference. I successfuly testet my local environment (also in an isolated docker container) with exactly the same content in a .npmrc file (with and without the suggested line). The error only occurs in renovate context.

[viceice]

does it work when you add those to the repo .npmrc file?

[mschakulat]

I added the .npmrc file to the repo and removed the encrypted part from the renovate.json. Works like a charm. Unfortunately i cannot do that in my other repo for security reasons.

[viceice]

do you have a npmrc in that repo? you maybe need to set the merge option

https://docs.renovatebot.com/configuration-options/#npmrcmerge

please use the new secrets feature in developer.mend.io, encrypted repo settings are deprecated and will be unsupported soon on hosted renovate.

please ensure to paste the raw npmrc config with real newlines.

@rarkins is there any docs how to use the new secrets?

[rarkins]

@justo-mend will contribute those soon

[mschakulat]

please use the new secrets feature in developer.mend.io, encrypted repo settings are deprecated and will be unsupported soon on hosted renovate.

I don't see any secrets feature in developer.mend.io. Can you please describe how to find it?

[rarkins]

If you the admin for an org I'd repo then you can edit Settings, inside which is a secrets capability

[mschakulat]

Is it correct just to copy the raw .npmrc content in the secret value field?