Add dynamic .npmrc authentication

Fixes static authentication token caching issue where tokens from .npmrc
were read once during module extension evaluation and cached, causing
401 errors when short-lived credentials expired (e.g., AWS CodeArtifact
12-hour tokens).

Changes:
- Add _read_npmrc_auth() function to read .npmrc files dynamically on
  each download instead of caching tokens statically
- Add _get_auth_from_url() helper to extract auth for specific registry URLs
- Add npmrc and use_home_npmrc attributes to npm_import_rule
- Modify _download_and_extract_archive() to read auth dynamically first,
  with fallback to static auth attributes for backward compatibility
- Pass npmrc/use_home_npmrc from npm_translate_lock extension instead
  of static npm_auth* attributes

Testing:
- Add unit tests for _get_auth_from_url() helper function
- Add e2e integration test that verifies tokens are read dynamically:
  * Fetches succeed with valid tokens
  * Fetches fail with 401 when tokens are broken (proving fresh reads)
  * Fetches succeed when tokens are restored
- Test uses --repository_cache= to force fresh downloads

Fixes: #2547

Author: ravi-pplx

e2e/npm_translate_lock_dynamic_auth/.bazelignore

@@ -0,0 +1 @@
+node_modules

e2e/npm_translate_lock_dynamic_auth/.bazelrc

@@ -0,0 +1 @@
+try-import %workspace%/../../.aspect/workflows/bazelrc

e2e/npm_translate_lock_dynamic_auth/.bazelversion

@@ -0,0 +1 @@
+../../.bazelversion

e2e/npm_translate_lock_dynamic_auth/.npmrc

@@ -0,0 +1,4 @@
+hoist=false
+
+# This will be replaced by test script with dynamic token
+_authToken=${ASPECT_NPM_AUTH_TOKEN}

e2e/npm_translate_lock_dynamic_auth/BUILD.bazel

@@ -0,0 +1,11 @@
+load("@bazel_skylib//rules:build_test.bzl", "build_test")
+load("@npm//:defs.bzl", "npm_link_all_packages")
+
+npm_link_all_packages(name = "node_modules")
+
+build_test(
+    name = "test",
+    targets = [
+        ":node_modules",
+    ],
+)

e2e/npm_translate_lock_dynamic_auth/MODULE.bazel

@@ -0,0 +1,27 @@
+bazel_dep(name = "aspect_rules_js", version = "0.0.0", dev_dependency = True)
+local_path_override(
+    module_name = "aspect_rules_js",
+    path = "../..",
+)
+
+bazel_dep(name = "bazel_skylib", version = "1.5.0", dev_dependency = True)
+
+pnpm = use_extension("@aspect_rules_js//npm:extensions.bzl", "pnpm")
+pnpm.pnpm(
+    name = "pnpm",
+)
+use_repo(pnpm, "pnpm", "pnpm__links")
+
+npm = use_extension(
+    "@aspect_rules_js//npm:extensions.bzl",
+    "npm",
+    dev_dependency = True,
+)
+npm.npm_translate_lock(
+    name = "npm",
+    data = ["//:package.json"],
+    pnpm_lock = "//:pnpm-lock.yaml",
+    use_home_npmrc = True,
+    verify_node_modules_ignored = "//:.bazelignore",
+)
+use_repo(npm, "npm")

e2e/npm_translate_lock_dynamic_auth/README.md

@@ -0,0 +1,7 @@
+# Dynamic .npmrc authentication integration test
+
+Tests that authentication tokens are read dynamically from `.npmrc` on each download,
+not cached statically. Critical for short-lived credentials like AWS CodeArtifact tokens.
+
+Auth token with permission to pull packages from `@aspect-test` scope must be set in
+`ASPECT_NPM_AUTH_TOKEN` environment variable for this e2e test to pass.

e2e/npm_translate_lock_dynamic_auth/WORKSPACE

@@ -0,0 +1 @@
+# Marker file for Bazel

e2e/npm_translate_lock_dynamic_auth/WORKSPACE.bzlmod

@@ -0,0 +1,2 @@
+# This file marks the root of the Bazel workspace.
+# See MODULE.bazel for external dependencies setup with bzlmod.

e2e/npm_translate_lock_dynamic_auth/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "npm-translate-lock-dynamic-auth-test",
+  "version": "0.0.0",
+  "dependencies": {
+    "@aspect-test/a": "5.0.0"
+  }
+}