Renovate loses ".npmrc" context when trying to regenerate lock files

[elliotleelewis]

What Renovate type, platform and version are you using?

Self-hosted in Azure DevOps. Using packages from both NPMJS and a private feed in Azure DevOps (Azure Artifacts)

Describe the bug

Renovate is trying to create a PR for a private NPM package, but falls over itself when generating the lock-file, and gets a "401 Unauthorized" from the private feed.

I'm setting the "npmrc" config option via a command-line parameter to the Renovate runner with the following value (of course with the new lines replaced by "\n"):

@jabil:registry=https://pkgs.dev.azure.com/jblinnersource/ab32dfdb-775d-44da-a767-c4e669a46d63/_packaging/uiux-community/npm/registry/
@jabil:always-auth=true
//pkgs.dev.azure.com/jblinnersource/ab32dfdb-775d-44da-a767-c4e669a46d63/_packaging/uiux-community/npm/registry/:username=VssSessionToken
//pkgs.dev.azure.com/jblinnersource/ab32dfdb-775d-44da-a767-c4e669a46d63/_packaging/uiux-community/npm/registry/:email=not-used@example.com
//pkgs.dev.azure.com/jblinnersource/ab32dfdb-775d-44da-a767-c4e669a46d63/_packaging/uiux-community/npm/registry/:_password=${NPM_TOKEN}

We use this same ".npmrc" file everywhere across our organization and I know that it works. It even works here to allow Renovate to access the info about the updated package, just not sure why it doesn't want to use this when it generates the lock-file. Maybe its getting overwrote by something?

Relevant debug logs

DEBUG: File config
       "config": {}

         "hostRules": [
           {"hostType": "github", "domainName": "github.com", "token": "***********"}
         ]
       }

DEBUG: Combined config
       "config": {
         "hostRules": [
           {"hostType": "github", "domainName": "github.com", "token": "***********"}
         ],
         "repositories": ["UIUX Community/styleguide-legacy"],
         "platform": "azure",
         "endpoint": "https://dev.azure.com/jblinnersource/",
         "token": "***********",
         "npmrc": "***********"
       }

DEBUG: npm.updateDependency(): dependencies.@jabil/ui-styles = ^0.3.0 (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)

DEBUG: Updating @jabil/ui-styles in package.json (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)


DEBUG: npmrc file found in repository (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)

DEBUG: Generating package-lock.json for . (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)

DEBUG: Spawning npm install to create /tmp/renovate/repos/azure/UIUX Community/styleguide-legacy/package-lock.json (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)

DEBUG: Updating lock file only (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)

DEBUG: No node constraint found - using latest (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)

DEBUG: Executing command (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)
       "command": "npm install --package-lock-only --ignore-scripts --no-audit"

DEBUG: lock file error (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)
       "err": {
         "killed": false,
         "code": 1,
         "signal": null,
         "cmd": "npm install --package-lock-only --ignore-scripts --no-audit",
         "stdout": "",
         "stderr": "npm ERR! code E401\nnpm ERR! Unable to authenticate, need: Bearer authorization_uri=https://login.windows.net/bc876b21-f134-4c12-a265-8ed26b7f0f3b, Basic realm=\"https://pkgsprodcus1.pkgs.visualstudio.com/\", TFS-Federated\n\nnpm ERR! A complete log of this run can be found in:\nnpm ERR!     /tmp/renovate/cache/others/npm/_logs/2021-03-02T05_14_04_390Z-debug.log\n",
         "message": "Command failed: npm install --package-lock-only --ignore-scripts --no-audit\nnpm ERR! code E401\nnpm ERR! Unable to authenticate, need: Bearer authorization_uri=https://login.windows.net/bc876b21-f134-4c12-a265-8ed26b7f0f3b, Basic realm=\"https://pkgsprodcus1.pkgs.visualstudio.com/\", TFS-Federated\n\nnpm ERR! A complete log of this run can be found in:\nnpm ERR!     /tmp/renovate/cache/others/npm/_logs/2021-03-02T05_14_04_390Z-debug.log\n",
         "stack": "Error: Command failed: npm install --package-lock-only --ignore-scripts --no-audit\nnpm ERR! code E401\nnpm ERR! Unable to authenticate, need: Bearer authorization_uri=https://login.windows.net/bc876b21-f134-4c12-a265-8ed26b7f0f3b, Basic realm=\"https://pkgsprodcus1.pkgs.visualstudio.com/\", TFS-Federated\n\nnpm ERR! A complete log of this run can be found in:\nnpm ERR!     /tmp/renovate/cache/others/npm/_logs/2021-03-02T05_14_04_390Z-debug.log\n\n    at ChildProcess.exithandler (child_process.js:308:12)\n    at ChildProcess.emit (events.js:315:20)\n    at ChildProcess.EventEmitter.emit (domain.js:467:12)\n    at maybeClose (internal/child_process.js:1048:16)\n    at Process.ChildProcess._handle.onexit (internal/child_process.js:288:5)"
       },
       "type": "npm"

DEBUG: No updated lock files in branch (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)

DEBUG: Branch timestamp: 2021-02-15T23:15:44.000Z (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)

DEBUG: PR is older than 2 hours, raise PR with lock file errors (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)

DEBUG: 1 file(s) to commit (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)

DEBUG: Committing files to branch renovate/jabil-ui-styles-0.x (repository=UIUX Community/styleguide-legacy, branch=renovate/jabil-ui-styles-0.x)

Have you created a minimal reproduction repository?

Please read the minimal reproductions documentation to learn how to make a good minimal reproduction repository.

• This is a really small bug, it does not need a reproduction (think small typo)
• I have provided a minimal reproduction repository
• I don't have time for that, but it happens in a public repository I have linked to
• I don't have time for that, and cannot share my private repository
• The nature of this bug means it's impossible to reproduce publicly

Additional context

Really not sure if I have any additional context here, I've tried to give as much detail as I can in the logs. My only theory is that from the debug logs it looks like Renovate is using the .npmrc from the branch, rather than the one from my Renovate config.

[rarkins]

Do you have any .npmrc file within the repo itself?

[viceice]

My bad, forgot to do base64 encoding in #8967. fixing asap

[viceice]

now we need to wait for #9051 to get live in app. Sorry

[elliotleelewis]

@viceice Nice spot!! Thank you for the quick fixes, really appreciate all the help! 😄

[elliotleelewis]

@viceice It works!! 🎉

Just tested out the new release and it added the lock-files to the PRs that were pending for our custom dependencies. Thank you so much for all your help!

[viceice]

Thanks for confirming