Commit b53c9fa
libraries/javascript: fix pnpm auth for upstream-fallback packages (#3445)
## What
Scopes a small fix to the **pnpm** section of the JavaScript
build-configuration docs so direct-access auth works for packages served
through the upstream fallback.
- Configure pnpm direct-access credentials keyed to the whole
`libraries.cgr.dev` host (`//libraries.cgr.dev/:_auth`) instead of
scoping them to the `/javascript/` path.
- Fix the `username`/`_password` example: pnpm requires the `_password`
value to be **base64-encoded** and rejects a raw token. The previous
example used the raw token and fails.
## Why
pnpm authenticates against whatever tarball URL the registry returns for
each package. Packages Chainguard has not yet rebuilt are served from
`https://libraries.cgr.dev/javascript-upstream/`. With credentials
scoped only to `//libraries.cgr.dev/javascript/`, pnpm sends **no auth
header** for the `/javascript-upstream/` path, so any install that
resolves an upstream-fallback package (e.g. `react`) fails with
`ERR_PNPM_FETCH_401`.
A credential keyed to the host covers both `/javascript/` and
`/javascript-upstream/`. The explicit two-path form is kept in the docs
as an alternative.
## Testing
Verified against **pnpm 11.8.0** with a fresh project/lockfile against
`libraries.cgr.dev/javascript`:
- Host-keyed `//libraries.cgr.dev/:_auth` → `react` (upstream-fallback)
resolves and downloads. ✅
- Path-scoped `//libraries.cgr.dev/javascript/:_auth` only →
`ERR_PNPM_FETCH_401` on `…/javascript-upstream/react/…tgz` ("No
authorization header was set"). ❌
- `username`/`_password` with a raw token fails; base64-encoded
`_password` succeeds.
The **npm** section is intentionally left unchanged: npm authenticates
upstream-fallback tarball fetches even with path-scoped `/javascript/`
credentials, so it is already correct.
## Scope
pnpm section only (2 hunks). No changes to npm, Yarn, Bun, or
repository-manager sections.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>1 parent 2dd5b5a commit b53c9fa
1 file changed
Lines changed: 33 additions & 7 deletions
Lines changed: 33 additions & 7 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
390 | 390 | | |
391 | 391 | | |
392 | 392 | | |
393 | | - | |
394 | | - | |
| 393 | + | |
395 | 394 | | |
396 | 395 | | |
397 | 396 | | |
398 | 397 | | |
399 | 398 | | |
400 | 399 | | |
| 400 | + | |
| 401 | + | |
| 402 | + | |
| 403 | + | |
| 404 | + | |
| 405 | + | |
| 406 | + | |
| 407 | + | |
| 408 | + | |
| 409 | + | |
| 410 | + | |
| 411 | + | |
| 412 | + | |
| 413 | + | |
| 414 | + | |
| 415 | + | |
| 416 | + | |
| 417 | + | |
| 418 | + | |
401 | 419 | | |
402 | 420 | | |
403 | 421 | | |
| |||
528 | 546 | | |
529 | 547 | | |
530 | 548 | | |
531 | | - | |
532 | | - | |
| 549 | + | |
533 | 550 | | |
534 | 551 | | |
535 | | - | |
| 552 | + | |
| 553 | + | |
| 554 | + | |
| 555 | + | |
| 556 | + | |
| 557 | + | |
| 558 | + | |
| 559 | + | |
| 560 | + | |
| 561 | + | |
536 | 562 | | |
537 | 563 | | |
538 | | - | |
539 | | - | |
| 564 | + | |
| 565 | + | |
540 | 566 | | |
541 | 567 | | |
542 | 568 | | |
| |||
0 commit comments