fix(config): filter npm_ env

renovatebot · May 21, 2021 · 42a846e · 42a846e
1 parent 80e3e6a
commit 42a846e
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/docs/usage/private-modules.md b/docs/usage/private-modules.md
@@ -216,7 +216,7 @@ For instructions on this, see the above section on encrypting secrets for the Wh
 
 Self-hosted users can use environment variables to configure the most common types of `hostRules` for authentication.
 
-The format of the environment variables must be all upper-case and follow:
+The format of the environment variables must follow:
 
 - Datasource name (e.g. `NPM`, `PYPI`)
 - Underscore (`_`)
@@ -227,6 +227,8 @@ The format of the environment variables must be all upper-case and follow:
 Hyphens (`-`) in datasource or host name must be replaced with double underscores (`__`).
 Periods (`.`) in host names must be replaced with a single underscore (`_`).
 
+Note: the following prefixes cannot be supported for this functionality: `npm_config_`, `npm_lifecycle_`, `npm_package_`.
+
 #### npmjs registry token example
 
 `NPM_REGISTRY_NPMJS_ORG_TOKEN=abc123`:

diff --git a/lib/config/env.spec.ts b/lib/config/env.spec.ts
@@ -126,6 +126,12 @@ describe(getName(), () => {
       };
       expect(env.getConfig(envParam).hostRules).toHaveLength(0);
     });
+    it('rejects npm env', () => {
+      const envParam: NodeJS.ProcessEnv = {
+        npm_package_devDependencies__types_registry_auth_token: '4.2.0',
+      };
+      expect(env.getConfig(envParam).hostRules).toHaveLength(0);
+    });
     it('supports Bitbucket token', () => {
       const envParam: NodeJS.ProcessEnv = {
         RENOVATE_PLATFORM: PLATFORM_TYPE_BITBUCKET,

diff --git a/lib/config/env.ts b/lib/config/env.ts
@@ -92,7 +92,13 @@ export function getConfig(env: NodeJS.ProcessEnv): GlobalConfig {
 
   const hostRules: HostRule[] = [];
 
+  const npmEnvPrefixes = ['npm_config_', 'npm_lifecycle_', 'npm_package_'];
+
   for (const envName of Object.keys(env).sort()) {
+    if (npmEnvPrefixes.some((prefix) => envName.startsWith(prefix))) {
+      logger.trace('Ignoring npm env: ' + envName);
+      continue; // eslint-disable-line no-continue
+    }
     // Double underscore __ is used in place of hyphen -
     const splitEnv = envName.toLowerCase().replace('__', '-').split('_');
     const hostType = splitEnv.shift();