[BUG] credential checks don't resolve environment variable references #8513
Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
Commands like npm whoami and npm publish perform a credential check, and can remind you that you need to be logged in. However if a credential configuration setting references an environment variable (${FOO}), the credential check passes regardless of whether the environment variable is set.
Expected Behavior
The credential check first resolves any references to environment variables. If an environment variable is not set, or alternatively the interpolated string is empty, the credential check warning or error message is produced. Optionally "(environment variable FOO is not set)" could be appended to the message.
Steps To Reproduce
- Log out of the registry
- Run
npm whoamiornpm publish --dry-run, confirm you getENEEDAUTH: This command requires you to be logged in - Update
.npmrcto include//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}. Do not set any environment variable. - Run
npm whoamiornpm publish --dry-run
You should continue to get ENEEDAUTH: This command requires you to be logged in, but don't.
You can reproduce this issue locally, or in a GitHub Actions workflow by using actions/setup-node (ref).
Environment
- npm: 11.5.2
- Node.js: v24.4.1
- OS Name: macOS
- System Model Name: MacBook Air, Space Gray
- npm config:
; "user" config from /Users/hashtagchris/.npmrc
//registry.npmjs.org/:_authToken = (protected)
; node bin location = /Users/hashtagchris/.nvm/versions/node/v24.4.1/bin/node
; node version = v24.4.1
; npm local prefix = /private/tmp/dry-run-test
; npm version = 11.5.2
; cwd = /private/tmp/dry-run-test
; HOME = /Users/hashtagchris
; Run `npm config ls -l` to show all defaults.% cat ~/.npmrc
//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}