mirror of
https://github.com/unslothai/unsloth.git
synced 2026-07-09 15:58:41 +00:00
* Studio: UNSLOTH_NPM_REGISTRY opt-in for corporate npm mirrors (#6491) studio/frontend/.npmrc pins registry=https://registry.npmjs.org/ as a supply-chain lock. A project-level pin takes precedence over a user's ~/.npmrc, so behind a corporate firewall that blocks npmjs.org the frontend bun/npm install hit npmjs.org directly and failed with 403. Add an opt-in UNSLOTH_NPM_REGISTRY env var (off by default). When set it is threaded as --registry into every registry-touching install in setup.sh, setup.ps1 and build.sh (bun bootstrap, bun install + retry, npm fallback, OXC validator runtime). --registry is the highest-precedence override for both bun and npm and leaves min-release-age and save-exact in force, so the default lock is unchanged for everyone else. On an install failure that looks like a blocked registry, print guidance pointing at UNSLOTH_NPM_REGISTRY and auto-suggest the mirror already set in the user's npm config. Registries are never switched automatically. Also correct the .npmrc comment: the pin does not block an ambient NPM_CONFIG_REGISTRY env var (npm and bun honor that at higher precedence); it only guards against a lower-precedence stale ~/.npmrc. * Studio: make the registry hint reachable under set -e; clean temp log (#6491) run_quiet_no_exit returns non-zero on failure, which under `set -euo pipefail` exits the script at the call site before the exit code is captured, so the new UNSLOTH_NPM_REGISTRY hint never printed on the npm fallback and OXC validator paths. Guard both with `|| _rc=$?` (the same idiom every other run_quiet_no_exit caller already uses) so the failure branch runs, and remove the _FRONTEND_INSTALL_LOG temp file on the early-exit path. * Studio: detect the user's mirror outside the pinned frontend dir (#6491) _suggest_npm_registry / Show-NpmRegistryHint run while the cwd is still studio/frontend, whose .npmrc pins registry=https://registry.npmjs.org/. So `npm config get registry` returned that pin instead of the user's ~/.npmrc mirror, and the "Detected a registry" branch was skipped for the main corporate case (mirror set in ~/.npmrc). Run the lookup from a directory with no project .npmrc (/ in bash, the temp dir in PowerShell) so the user/global mirror is surfaced. The NPM_CONFIG_REGISTRY env check is unchanged and still takes precedence.
34 lines
2 KiB
Text
34 lines
2 KiB
Text
# Studio frontend npm configuration.
|
|
#
|
|
# Mini Shai-Hulud / Axios-style supply chain defense.
|
|
# Requires npm >=11.10.0. Refuses tarballs published less than 7 days ago,
|
|
# closing the typical 4-72h attack window between malicious publish and
|
|
# upstream removal. npm interprets the bare integer as DAYS; do not
|
|
# append `d`, npm 11.x will parse `7d` as a Date string and abort.
|
|
min-release-age=7
|
|
# Do not re-add the old `minimum-release-age` alias: npm >=11.16 warns on
|
|
# unknown project configs and npm 12 stops accepting them.
|
|
# Belt-and-braces: refuse to write back loose `^x.y.z` ranges into
|
|
# package.json when a maintainer runs `npm install <pkg>` locally. This
|
|
# does NOT rewrite already-present ranges (those need an explicit
|
|
# `npm install <name>@<version> --save-exact` pass) but it stops new
|
|
# carets from creeping into the manifest as patch-version footguns.
|
|
save-exact=true
|
|
# Pin the default registry so a stale or hostile *lower-precedence* ~/.npmrc
|
|
# can't silently redirect our installs to an attacker registry. Note this does
|
|
# NOT block an ambient NPM_CONFIG_REGISTRY env var: npm and bun honor that at a
|
|
# higher precedence than this project file. That is exactly why Unsloth does not
|
|
# read NPM_CONFIG_REGISTRY and instead exposes one deliberate, explicit opt-in.
|
|
#
|
|
# Corporate mirror / proxy (issue #6491): if your firewall blocks
|
|
# registry.npmjs.org, set UNSLOTH_NPM_REGISTRY=<your-mirror-url> when running
|
|
# ./install.sh (or setup.sh / setup.ps1). The installer threads it as
|
|
# `--registry <url>`, which overrides this line for both npm and bun while
|
|
# leaving the min-release-age and save-exact locks above in force. Do not edit
|
|
# this line for that -- the env var keeps the default pinned for everyone else.
|
|
registry=https://registry.npmjs.org/
|
|
audit-level=high
|
|
fund=false
|
|
# Maintainer note: use `npm ci` (never `npm install`) in CI and locally
|
|
# when reproducing a build. The 7-day cooldown above is enforced by npm
|
|
# itself; downgrading or removing it bypasses the supply-chain gate.
|