Skip to content

fix(self-update): respect custom registry when installing pnpm version #10205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
zkochan merged 3 commits into from
Nov 19, 2025
Merged

fix(self-update): respect custom registry when installing pnpm version #10205

zkochan merged 3 commits into from
Nov 19, 2025

Conversation

@silentip404
Copy link
Contributor

@silentip404 silentip404 commented Nov 19, 2025

Fixes an issue where pnpm ignores custom registry configuration when auto-installing a specified pnpm version via managePackageManagerVersions.

Problem

When managePackageManagerVersions: true is set in pnpm-workspace.yaml and a custom registry is configured in .npmrc (e.g., registry=https://registry.npmmirror.com/), pnpm attempts to auto-install the specified version from registry.npmjs.org instead of respecting the user's custom registry configuration.

This occurs because installPnpmToTools runs in a temporary directory outside the project, which doesn't automatically inherit the project's .npmrc configuration.

Solution

The fix explicitly passes the registry configuration from opts.registries.default or opts.rawConfig.registry to the pnpm add command via the --config.registry flag.

Changes

  • Modified tools/plugin-commands-self-updater/src/installPnpmToTools.ts
  • Added registry configuration check: const registry = opts.registries?.default || opts.rawConfig?.registry
  • Pass registry to pnpm add command when available: command.push(`--config.registry=${registry}`)

Reproduction Steps

  1. Create a .npmrc file with a custom registry:

    registry=https://registry.npmmirror.com/

  2. Configure pnpm-workspace.yaml:

    managePackageManagerVersions: true

  3. Set package.json:

    {
  "packageManager": "[email protected]"
}

  4. Run pnpm -v without having [email protected] installed

  5. Before fix: pnpm downloads from registry.npmjs.org instead of the custom registry

  6. After fix: pnpm respects the custom registry configuration

Testing

  • ✅ Code compiles successfully
  • ✅ Linting passes
  • ✅ Manual testing confirms the fix works as expected

⚠️ Note: Test cases were not added due to module mocking complexity in ESM environment. If test coverage is required, I'm happy to add tests with guidance on the following:

  1. Test setup clarification:

    • How to properly mock runPnpmCli in the existing test suite?
    • Best practices for simulating registry configurations in test environment

  2. Scope of test coverage:

    • Should tests cover both opts.registries.default and opts.rawConfig.registry fallback paths?
    • Do you need tests for scenarios where no custom registry is configured?

I'm familiar with testing strategies but would benefit from understanding this project's conventions to ensure consistency with existing test patterns.

Related Issues

Checklist

  • Code follows the project's style guidelines
  • Self-review completed
  • Code compiles without errors
  • Linting passes
  • Commit message follows the project's commit message conventions

@silentip404
fix(self-update): respect custom registry when installing pnpm version
98897ec 
When managePackageManagerVersions is enabled and a custom registry is
configured in .npmrc, pnpm was attempting to auto-install the specified
version from registry.npmjs.org instead of respecting the user's custom
registry configuration.

This happens because installPnpmToTools runs in a temporary directory
outside the project, which doesn't automatically pick up the project's
.npmrc configuration. The fix explicitly passes the registry configuration
from opts.registries.default or opts.rawConfig.registry to the pnpm add
command via the --config.registry flag.
@silentip404 silentip404 requested a review from zkochan as a code owner November 19, 2025 10:32
@welcome
Copy link

welcome bot commented Nov 19, 2025

💖 Thanks for opening this pull request! 💖
Please be patient and we will get back to you as soon as we can.

@zkochan zkochan requested a review from Copilot November 19, 2025 21:31
Copilot AI reviewed Nov 19, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes an issue where pnpm ignores custom registry configurations when auto-installing a specified pnpm version via managePackageManagerVersions. The fix ensures that when installing pnpm to the tools directory, the custom registry setting is respected by passing it via the --config.registry flag.

  • Modified installPnpmToTools to check for custom registry configuration and pass it to the pnpm add command
  • Added changeset documenting the fix

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
tools/plugin-commands-self-updater/src/installPnpmToTools.ts Added logic to pass custom registry configuration to the pnpm installation command when available
.changeset/cold-buckets-crash.md Added changeset entry documenting the fix

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@zkochan zkochan merged commit d3cf00e into pnpm:main Nov 19, 2025
11 checks passed
@welcome
Copy link

welcome bot commented Nov 19, 2025

Congrats on merging your first pull request! 🎉🎉🎉

zkochan added a commit that referenced this pull request Nov 20, 2025
@silentip404 @zkochan
fix(self-update): respect custom registry when installing pnpm version (
2194432 
#10205)

* fix(self-update): respect custom registry when installing pnpm version

When managePackageManagerVersions is enabled and a custom registry is
configured in .npmrc, pnpm was attempting to auto-install the specified
version from registry.npmjs.org instead of respecting the user's custom
registry configuration.

This happens because installPnpmToTools runs in a temporary directory
outside the project, which doesn't automatically pick up the project's
.npmrc configuration. The fix explicitly passes the registry configuration
from opts.registries.default or opts.rawConfig.registry to the pnpm add
command via the --config.registry flag.

* refactor: self-update

* Update .changeset/cold-buckets-crash.md

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Zoltan Kochan <[email protected]>
Co-authored-by: Copilot <[email protected]>
@msogrin
Copy link

msogrin commented Nov 20, 2025

This seems to break installs when a custom registry defined in .npmrc has token/credentials too, e.g. private JFrog Artifactory.

@zkochan
Copy link
Member

zkochan commented Nov 21, 2025

Why do you store credentials in the local .npmrc? Credentials are usually stored globally. They are not committed to the repository.

@silentip404
Copy link
Contributor Author

silentip404 commented Nov 21, 2025

should we consider passing the entire project's .npmrc configuration instead of only the registry URL, to preserve authentication credentials and other settings?

@Charhua
Copy link

Charhua commented Nov 21, 2025

when an auth token exists in the .npmrc file, it will not take effect

@Charhua
Copy link

Charhua commented Nov 21, 2025

should we consider passing the entire project's .npmrc configuration instead of only the registry URL, to preserve authentication credentials and other settings?

I also encountered this problem. It wasn't until the CI/CD process failed that I realized there was this issue.

@silentip404
Copy link
Contributor Author

silentip404 commented Nov 21, 2025

Thank you all for the feedback regarding the authentication issue with private registries.

After reviewing the concerns raised by @msogrin and @Charhua , it appears the current implementation only passes the registry URL but doesn't preserve authentication credentials and other registry-specific configurations from .npmrc.

Potential approaches to consider:

Fully respect the entire project's .npmrc — Pass the complete .npmrc configuration to the temporary installation directory, preserving all registry settings including authentication tokens and custom configurations.

Comprehensively forward registry-related configurations — Extract and pass all registry-related settings (including authentication credentials) from the configuration to the pnpm add command, not just the registry URL.

Alternative solutions — Open to suggestions from the community for other viable approaches.

I'd appreciate guidance from @zkochan and other maintainers on the preferred direction for addressing this limitation while maintaining security best practices.

@silentip404
Copy link
Contributor Author

silentip404 commented Nov 21, 2025

For those encountering authentication issues with private registries in the current version, a temporary solution is to downgrade the global base pnpm installation to version <=10.22.

Note: This refers to the globally installed pnpm binary, not the version specified in the packageManager field of package.json. Downgrading the global pnpm version reverts to the previous behavior where pnpm is downloaded from registry.npmjs.org, thereby bypassing the authentication token issue entirely.

@mi-reichel
Copy link

mi-reichel commented Nov 24, 2025

This seems to break installations that currently do not explicitly use
manage-package-manager-versions=false
in the .npmrc

When manage-package-manager-versions=true (the default) pnpm will try to use the global .npmrc instead of the project's .npmrc with Version 10.23 now.

@zkochan zkochan mentioned this pull request Nov 25, 2025
Open
zkochan added a commit that referenced this pull request Nov 27, 2025
@zkochan
revert: "fix(self-update): respect custom registry when installing pn…
d2a7b02 
…pm version (#10205)"

This reverts commit d3cf00e.
zkochan added a commit that referenced this pull request Nov 27, 2025
@zkochan
revert: "fix(self-update): respect custom registry when installing pn…
0416f2c 
…pm version (#10205)"

This reverts commit 2194432.
@zkochan
Copy link
Member

zkochan commented Nov 27, 2025

This change has been reverted for now.

@dkimmich-onventis dkimmich-onventis mentioned this pull request Dec 5, 2025
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@zkochan zkochan zkochan approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@silentip404 @msogrin @zkochan @Charhua @mi-reichel