[Bug] .opencode/package-lock.json generated without respecting ~/.npmrc `registry` configuration

[FurryWolfX]

Description

When opencode generates the .opencode/package-lock.json file , it does not respect the registry configuration specified in the user's ~/.npmrc file. The generated package-lock.json appears to use default npm registry settings instead of user-configured values.

Expected Behavior

When generating .opencode/package-lock.json, opencode should read and respect the npm repository configuration from ~/.npmrc, including:

• Custom registry URLs
• Any other relevant npm configuration

Actual Behavior

The generated .opencode/package-lock.json does not reflect the user's ~/.npmrc configuration. It seems to ignore the registry field entirely when resolving package dependencies.

Plugins

omo

OpenCode version

1.3.15

Steps to reproduce

1. Use the latest version of opencode
2. Run opencode command that triggers package-lock.json generation
3. Observe the generated .opencode/package-lock.json

Screenshot and/or share link

No response

Operating System

macos

Terminal

iTerm2

[FurryWolfX]

I see opencode previously generated bun.lock - are you planning to migrate to npm?

[FurryWolfX]

The Arborist instance in packages/opencode/src/npm/index.ts is created without passing the registry option:

const arb = new Arborist({
  path: dir,
  binLinks: true,
  progress: false,
  savePrefix: "",
  ignoreScripts: true,
  // Missing: registry option
})

Without explicit registry configuration, @npmcli/arborist defaults to https://registry.npmjs.org regardless of any .npmrc settings.

Impact

• Users in regions with restricted access to registry.npmjs.org cannot use opencode effectively
• Enterprise users with private registries cannot install packages through opencode
• Inconsistent behavior compared to running npm install directly

Proposed Solution

Use @npmcli/config to read the .npmrc and pass the registry to Arborist:

import { readConfig } from "@npmcli/config"

const npmConfig = await readConfig(dir)
const arb = new Arborist({
  path: dir,
  registry: npmConfig.get("registry"),
  // ...other options
})

Alternatively, read the registry directly from the .npmrc file and pass it to Arborist.

[kdybicz]

I have both package-lock.json and bun.lock in my .opencode folder now, and the package-lock.json isn't added to .gitignore in contrast to bun.lock. This change feels unintentional 🤔

[JosXa]

This blocks us from upgrading OpenCode, as registry.npmjs.org is blocked by Firewall and we must proxy every NPM request through our own registry. If the value in .npmrc or bunfig is not respected, we have a huge problem. It is also news to me that the ~/.config/opencode/package.json now suddenly has some kind of weight in the whole process, I thought it was mostly ignored and just relevant for custom plugin/*s 🤔

[JosXa]

Analysis & suggested fix

The root cause is straightforward: Npm.add() and Npm.install() in packages/opencode/src/npm/index.ts create new Arborist({...}) without passing registry. Arborist doesn't discover it on its own (that's @npmcli/config's job inside npm CLI), so it falls back to the hardcoded default https://registry.npmjs.org. Same story for outdated() which has a hardcoded fetch() to registry.npmjs.org.

This completely breaks corporate/airgapped environments where registry.npmjs.org is blocked by firewall.

Suggested fix (minimal, ~20 lines)

Read registry from the same sources Bun and npm already use. No heavy deps needed. ini is already a transitive dep via Arborist.

import { parse as parseIni } from "ini"
import { parse as parseToml } from "smol-toml" // or skip if bunfig support not desired
import { readFileSync } from "fs"
import { join } from "path"
import { homedir } from "os"

function getRegistry(): string {
  // 1. env var (set by both npm and bun from their respective configs)
  if (process.env.npm_config_registry)
    return process.env.npm_config_registry

  // 2. ~/.npmrc
  try {
    const rc = parseIni(readFileSync(join(homedir(), ".npmrc"), "utf8"))
    if (rc.registry) return rc.registry
  } catch {}

  // 3. bunfig.toml (or skip if bunfig support not desired)
  try {
    const toml = parseToml(readFileSync(join(homedir(), "bunfig.toml"), "utf8"))
    if (toml.install?.registry) return toml.install.registry
  } catch {}

  return "https://registry.npmjs.org"
}

Then:

• Pass registry: getRegistry() to every new Arborist() call
• Use getRegistry() in outdated() instead of the hardcoded URL

Additional bug: outdated() hardcodes registry

Even with the Arborist fix, outdated() has a separate hardcoded fetch:

const response = await fetch(`https://registry.npmjs.org/${pkg}`)

This also needs to use the configured registry.

cc @thdxr @rekram1-node

[FurryWolfX]

update to 1.4.8, ~/.config/opencode/package-lock.json has the same problem
and the startup speed has slowed down significantly, probably due to slower dependency parsing