Remove stale user-level .npmrc instead of npmAuthenticate#7366
Merged
evgenyfedorov2 merged 1 commit intomainfrom Mar 7, 2026
Merged
Remove stale user-level .npmrc instead of npmAuthenticate#7366evgenyfedorov2 merged 1 commit intomainfrom
evgenyfedorov2 merged 1 commit intomainfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the CI pipeline template to address intermittent npm ci E401 failures on Windows agents caused by stale credentials in the user-level .npmrc, by removing that file before building the Azure DevOps plugin.
Changes:
- Remove the previously-added
npmAuthenticate@0steps for the Azure DevOps plugin build. - Add a PowerShell step that deletes the user-level
.npmrcon Windows to prevent npm from sending stale credentials to a public feed.
Replace the npmAuthenticate@0 tasks and .npmrc deletion with a scoped NPM_CONFIG_USERCONFIG env var on just the Build Azure DevOps plugin step. This points npm at a non-existent user config file so it ignores stale credentials from C:\Users\cloudtest\.npmrc without affecting other jobs on shared agents. Verified locally: npm skips the user config section entirely when NPM_CONFIG_USERCONFIG points to a non-existent path, while still reading the project-level .npmrc for the registry URL. Fixes #7365 Co-authored-by: Copilot <[email protected]>
ilonatommy
force-pushed
the
fix-npm-stale-user-npmrc
branch
from
b708f38 to
19d9358
Compare
evgenyfedorov2
approved these changes
Mar 7, 2026
This was referenced Mar 9, 2026
ilonatommy
added a commit
that referenced
this pull request
Mar 9, 2026
Set NPM_CONFIG_USERCONFIG and NPM_CONFIG_GLOBALCONFIG at the top of build.ps1 pointing to non-existent files. This makes all npm/npx calls in the script ignore stale agent-level .npmrc credentials that cause E401 errors against the public dotnet-public-npm feed. This approach is more reliable than the AzDO env: block (PR #7366) because: - Pure PowerShell variable expansion (no AzDO macro issues) - Covers BOTH user AND global config (previous only had user) - Applies to all npm AND npx invocations in the script - Scoped to this process only (no cross-job side effects) Fixes #7365 Co-authored-by: Copilot <[email protected]>
ilonatommy
added a commit
that referenced
this pull request
Mar 9, 2026
Set NPM_CONFIG_USERCONFIG and NPM_CONFIG_GLOBALCONFIG at the top of build.ps1 pointing to non-existent files. This makes all npm/npx calls in the script ignore stale agent-level .npmrc credentials that cause E401 errors against the public dotnet-public-npm feed. This approach is more reliable than the AzDO env: block (PR #7366) because: - Pure PowerShell variable expansion (no AzDO macro issues) - Covers BOTH user AND global config (previous only had user) - Applies to all npm AND npx invocations in the script - Scoped to this process only (no cross-job side effects) Fixes #7365 Co-authored-by: Copilot <[email protected]>
ilonatommy
added a commit
that referenced
this pull request
Mar 12, 2026
The workarounds bypassed the custom .npmrc that sets the AzDO dotnet-public-npm feed, which is required for SFI compliance. The actual fix is to run scripts/UpdateNpmDependencies.ps1 to ingest new upstream npm package versions into the feed. Co-authored-by: Copilot <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
PR #7364 added
npmAuthenticate@0tasks to fix E401 errors, but PR #7361 is still failing (build 1323658). ThenpmAuthenticatetasks succeed but npm still sends stale credentials from the user-levelC:\Users\cloudtest\.npmrc, overriding the project-level tokens.Fix
Replace the two
npmAuthenticate@0tasks with a single step that removes the stale user-level.npmrc. Since thedotnet-public-npmfeed is public, no authentication is needed — the problem was stale credentials being sent unnecessarily.Why npmAuthenticate didn't work
npm merges config from multiple
.npmrcfiles. ThenpmAuthenticatetask writes fresh tokens to the project-level.npmrc, but npm also reads the user-level~/.npmrcwhich has stale auth tokens for the same registry. The stale tokens get sent, causing E401.Fixes #7365
Related: #7361, #7362, #7364
Microsoft Reviewers: Open in CodeFlow