Also override global npm config to fix persistent E401 #7375
ilonatommy wants to merge 1 commit into main from
The previous fix only overrode NPM_CONFIG_USERCONFIG, but stale auth tokens may also exist in the global .npmrc on CI agents. Override both NPM_CONFIG_USERCONFIG and NPM_CONFIG_GLOBALCONFIG to non-existent files so npm only reads the project-level .npmrc (registry URL, no auth).
Also add npm config list diagnostics to confirm the env vars take effect and help debug if E401 persists.
Fixes #7365
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR hardens the Azure Pipelines “Build Azure DevOps plugin” step against npm E401 failures caused by stale credentials on hosted agents by neutralizing additional npm config sources and adding diagnostics to confirm which config files npm is using.
Changes:
- Add `NPM_CONFIG_GLOBALCONFIG` alongside `NPM_CONFIG_USERCONFIG` to ignore global and user-level `.npmrc` files on CI agents.
- Add `npm config list` diagnostics before the plugin build to aid troubleshooting.
|
|
||
| - pwsh: | | ||
| Write-Host "--- npm config diagnostics ---" | ||
| npm config list |
npm config list can print a large portion of npm’s effective configuration, which may include registry credentials from agent/user/global configs. Since this runs in CI logs, consider limiting diagnostics to only the specific config paths and a small set of non-sensitive keys (e.g., which config files are being used and what registry is selected), or otherwise ensuring any auth values are redacted before output.
| npm config list | |
| Write-Host ("npm userconfig: " + (npm config get userconfig)) | |
| Write-Host ("npm globalconfig:" + (npm config get globalconfig)) | |
| Write-Host ("npm registry: " + (npm config get registry)) |
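Review bot: the label in the second added line, "npm globalconfig:", has no space after the colon, unlike the userconfig and registry lines, so the path will print fused to the label; add the space. `npm config get registry` also reports only the default registry, so a scoped `@scope:registry` setting would not appear in these diagnostics; if the plugin build installs scoped packages, print that key as well.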
| # so npm only reads the project-level .npmrc (which has the registry | ||
| # URL but no auth tokens). |
The comment says overriding user/global config means npm will only read the project-level .npmrc (URL/no auth). In this script, npm runs in multiple directories, and not all of them appear to have a project .npmrc (e.g., the repo-level install). Consider adjusting the wording to reflect that this forces npm to ignore user/global configs and rely on project config when present (otherwise built-in defaults), to avoid confusion for future maintenance.
| # so npm only reads the project-level .npmrc (which has the registry | |
| # URL but no auth tokens). | |
| # so npm ignores user/global .npmrc files and instead uses any | |
| # project-level .npmrc present (with the registry URL but no auth | |
| # tokens), or npm's built-in defaults if none exist. |
Problem
PR #7366 added `NPM_CONFIG_USERCONFIG` to bypass stale user-level `.npmrc` credentials, but build 1325007 on PR #7361 still fails with E401 on agents 92 and 93.
The env var override was confirmed present in the merge commit, yet npm still sends stale auth tokens. This means the stale credentials are likely in the global `.npmrc` (`<prefix>/etc/npmrc`), not just the user-level one.
Fix
`npm config list` diagnostics before the build so we can confirm the env vars take effect and see exactly which config sources npm is reading.
Why the previous fix was insufficient
npm reads config from four sources in order: project → user → global → built-in. PR #7366 only overrode the user config. If stale `_authToken` entries exist in the global config on these CI agents, they would still be sent.
Fixes #7365
Related: #7361, #7362, #7364, #7366
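Added example, not part of this PR or the repository: a Node.js check that reports, per npmrc source, which registries are set and which credential keys are present, emitting key names only so the result is safe to write to a CI log. The file contents, the host `pkgs.example.test`, and the rule that a key whose last segment starts with `_` is a secret are assumptions of the example.

```javascript
// Added example: audit npmrc sources for credentials without printing them.
// Assumption: keys whose final segment starts with "_" (_authToken, _auth,
// _password) are secrets; everything else is treated as non-sensitive.
const SECRET_KEY = /(^|:)_[A-Za-z]+$/;

// Parse npmrc-style "key = value" text; skips blanks and ';' / '#' comments.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// For each config source, list its registry settings and the names (never the
// values) of any credential keys it contains.
function auditSources(sources) {
  const report = {};
  for (const [name, text] of Object.entries(sources)) {
    const entries = parseNpmrc(text ?? '');
    report[name] = {
      registries: entries
        .filter(e => e.key === 'registry' || e.key.endsWith(':registry'))
        .map(e => `${e.key}=${e.value}`),
      credentialKeys: entries.filter(e => SECRET_KEY.test(e.key)).map(e => e.key),
    };
  }
  return report;
}

// Constructed sample contents for the three file-based sources (not from the PR).
const SAMPLE = {
  project: 'registry=https://pkgs.example.test/npm/registry/\n',
  user: '; left by an earlier job\n//pkgs.example.test/npm/registry/:_authToken=CONSTRUCTED-STALE-TOKEN\n',
  global: '//pkgs.example.test/npm/registry/:_password = Q09OU1RSVUNURUQ=\nalways-auth=true\n',
};

console.log(JSON.stringify(auditSources(SAMPLE), null, 2));
```

On an agent, the `sources` argument would be filled from the files that `npm config get userconfig` and `npm config get globalconfig` point to, plus the project `.npmrc` in the directory where npm runs.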