chore: remove registry pin from .npmrc, guard lockfile in CI#662

Open
ochafik wants to merge 1 commit into
mainfrom
chore/lockfile-registry-guard

Conversation

@ochafik
Contributor

@ochafik ochafik commented May 20, 2026

Why

.npmrc pins registry=https://registry.npmjs.org/, which forces every npm install through the public registry even for contributors who fetch through a corporate proxy registry (their supply-chain gate). The pin was a blunt way to keep the committed package-lock.json free of non-public resolved URLs.

This replaces the pin with a precise invariant check, so contributors can use whatever registry their machine is configured for while the committed lockfile is guaranteed to reference only the public registry.

What

  • .npmrc: drop the registry= pin, leave a comment explaining the invariant and how it's enforced.
  • scripts/check-lockfile-registry.mjs (new): fails if any package-lock.json entry has a resolved URL outside registry.npmjs.org. --fix re-fetches the public registry's canonical resolved/integrity for each offending entry and rewrites it (safe to run after npm install <pkg> against a proxy).
  • CI (ci.yml): replace the inline grep check with the script.
  • pre-commit (.husky/pre-commit): same.
  • package.json: add lint:lockfile script; update-lock:docker now runs --fix instead of forcing --registry.
  • AGENTS.md: document the new lockfile-regen + lint flow.

Verified

  • Guard passes on the current clean lockfile.
  • Polluted a lockfile entry with an Artifactory URL → guard fails with a clear message → --fix restores it byte-identical to the public-registry original.

Drop the `registry=` pin from .npmrc — it's npm's default and pinning it
shadows contributors' own proxy registry config. The committed
package-lock.json must reference only registry.npmjs.org, but `npm install`
records whichever registry it actually resolved against (URL *and* integrity
digest, which can differ for older packages). Replace the inline grep checks
in .husky/pre-commit and CI with scripts/check-lockfile-registry.mjs, which
also has a `--fix` mode that re-fetches resolved/integrity from
registry.npmjs.org for the leaked entries.

Also:
- `update-lock:docker` no longer hard-codes `--registry=https://registry.npmjs.org/`;
  it uses the system registry and runs `--fix` at the end.
- AGENTS.md updated to describe the new flow and the `npm run lint:lockfile`
  helper.
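The following is an added example, not the PR's scripts/check-lockfile-registry.mjs, illustrating the invariant the description and commit message rely on: every `resolved` URL in the committed package-lock.json must point at registry.npmjs.org, and a fix must rewrite the integrity digest together with the URL, since the proxy may have recorded a different digest than the public registry (as the commit message notes for older packages). The lockfile, the corporate proxy hostname and the "public dist records" are all constructed; the real `--fix` fetches those records from the registry, which is out of scope here. It also handles the lockfileVersion 1 nested `dependencies` tree, which the PR does not mention.

```javascript
// Added example; not the PR's own script. All sample data below is constructed.
const PUBLIC_REGISTRY_HOST = "registry.npmjs.org";

// Constructed package-lock.json (lockfileVersion 3 "packages" map): one clean
// entry, one that leaked a corporate proxy URL, and one workspace link with no
// "resolved" field, which a guard must ignore rather than flag.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-constructedPublicDigestLeftPad==",
    },
    "node_modules/is-odd": {
      version: "3.0.1",
      resolved: "https://artifactory.example.corp/api/npm/npm-remote/is-odd/-/is-odd-3.0.1.tgz",
      integrity: "sha1-constructedProxyDigestIsOdd=",
    },
    "node_modules/my-workspace": { resolved: undefined, link: true },
  },
};

// Constructed stand-in for what the real --fix fetches from the public registry:
// the dist record (tarball URL + integrity) of the same package version.
const CONSTRUCTED_PUBLIC_DIST = {
  "is-odd@3.0.1": {
    tarball: "https://registry.npmjs.org/is-odd/-/is-odd-3.0.1.tgz",
    integrity: "sha512-constructedPublicDigestIsOdd==",
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Returns every entry whose resolved URL is not on allowedHost (or is not a
// parseable URL at all). Walks the v2/v3 "packages" map, or the v1 nested
// "dependencies" tree when no "packages" map exists.
function findLeakedEntries(lock, allowedHost = PUBLIC_REGISTRY_HOST) {
  const leaks = [];
  const check = (id, entry) => {
    if (typeof entry.resolved !== "string") return; // links, bundled deps
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* unparseable */ }
    if (host !== allowedHost) leaks.push({ id, version: entry.version, resolved: entry.resolved });
  };
  if (lock.packages) {
    for (const [id, entry] of Object.entries(lock.packages)) check(id, entry);
    return leaks;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps ?? {})) {
      const id = `${prefix}node_modules/${name}`;
      check(id, entry);
      walk(entry.dependencies, `${id}/`);
    }
  };
  walk(lock.dependencies, "");
  return leaks;
}

// Pure half of --fix: rewrite BOTH resolved and integrity from the public
// registry's dist record. Refuses to write anything that is not itself public.
function applyPublicDist(lock, id, publicDist) {
  const entry = lock.packages?.[id];
  if (!entry) throw new Error(`no lockfile entry ${id}`);
  if (new URL(publicDist.tarball).host !== PUBLIC_REGISTRY_HOST) {
    throw new Error(`refusing to write non-public tarball URL for ${id}`);
  }
  entry.resolved = publicDist.tarball;
  entry.integrity = publicDist.integrity;
  return entry;
}

// Guard + fix: mutates lock in place, returns the leaks found before and after.
function runGuard(lock, publicDistByKey) {
  const before = findLeakedEntries(lock);
  for (const leak of before) {
    const key = `${packageNameFromPath(leak.id)}@${leak.version}`;
    const dist = publicDistByKey[key];
    if (!dist) throw new Error(`no public dist record for ${key}`);
    applyPublicDist(lock, leak.id, dist);
  }
  return { before, after: findLeakedEntries(lock) };
}

// Stand-alone usage on a copy of the constructed lockfile.
const demoLock = JSON.parse(JSON.stringify(SAMPLE_LOCK));
const demo = runGuard(demoLock, CONSTRUCTED_PUBLIC_DIST);
console.log(`leaks before: ${demo.before.length}, after: ${demo.after.length}`);
```

In a CI gate only `findLeakedEntries` runs, and any non-empty result fails the job; the rewrite path is for the local `--fix` flow, where the caller is responsible for fetching the dist record from the public registry for exactly the version the lockfile names.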

@pkg-pr-new

pkg-pr-new Bot commented May 20, 2026

@modelcontextprotocol/ext-apps

npm i https://pkg.pr.new/@modelcontextprotocol/ext-apps@662

@modelcontextprotocol/server-basic-preact

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-preact@662

@modelcontextprotocol/server-basic-react

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-react@662

@modelcontextprotocol/server-basic-solid

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-solid@662

@modelcontextprotocol/server-basic-svelte

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-svelte@662

@modelcontextprotocol/server-basic-vanillajs

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-vanillajs@662

@modelcontextprotocol/server-basic-vue

npm i https://pkg.pr.new/@modelcontextprotocol/server-basic-vue@662

@modelcontextprotocol/server-budget-allocator

npm i https://pkg.pr.new/@modelcontextprotocol/server-budget-allocator@662

@modelcontextprotocol/server-cohort-heatmap

npm i https://pkg.pr.new/@modelcontextprotocol/server-cohort-heatmap@662

@modelcontextprotocol/server-customer-segmentation

npm i https://pkg.pr.new/@modelcontextprotocol/server-customer-segmentation@662

@modelcontextprotocol/server-debug

npm i https://pkg.pr.new/@modelcontextprotocol/server-debug@662

@modelcontextprotocol/server-map

npm i https://pkg.pr.new/@modelcontextprotocol/server-map@662

@modelcontextprotocol/server-pdf

npm i https://pkg.pr.new/@modelcontextprotocol/server-pdf@662

@modelcontextprotocol/server-scenario-modeler

npm i https://pkg.pr.new/@modelcontextprotocol/server-scenario-modeler@662

@modelcontextprotocol/server-shadertoy

npm i https://pkg.pr.new/@modelcontextprotocol/server-shadertoy@662

@modelcontextprotocol/server-sheet-music

npm i https://pkg.pr.new/@modelcontextprotocol/server-sheet-music@662

@modelcontextprotocol/server-system-monitor

npm i https://pkg.pr.new/@modelcontextprotocol/server-system-monitor@662

@modelcontextprotocol/server-threejs

npm i https://pkg.pr.new/@modelcontextprotocol/server-threejs@662

@modelcontextprotocol/server-transcript

npm i https://pkg.pr.new/@modelcontextprotocol/server-transcript@662

@modelcontextprotocol/server-video-resource

npm i https://pkg.pr.new/@modelcontextprotocol/server-video-resource@662

@modelcontextprotocol/server-wiki-explorer

npm i https://pkg.pr.new/@modelcontextprotocol/server-wiki-explorer@662

commit: 9fe79d6
