unsloth/studio/frontend/.npmrc
Daniel Han 54f25bf17e
Studio: UNSLOTH_NPM_REGISTRY opt-in for corporate npm mirrors (#6491) (#6663)
* Studio: UNSLOTH_NPM_REGISTRY opt-in for corporate npm mirrors (#6491)

studio/frontend/.npmrc pins registry=https://registry.npmjs.org/ as a
supply-chain lock. A project-level pin takes precedence over a user's
~/.npmrc, so behind a corporate firewall that blocks npmjs.org the
frontend bun/npm install hit npmjs.org directly and failed with 403.

Add an opt-in UNSLOTH_NPM_REGISTRY env var (off by default). When set it
is threaded as --registry into every registry-touching install in
setup.sh, setup.ps1 and build.sh (bun bootstrap, bun install + retry, npm
fallback, OXC validator runtime). --registry is the highest-precedence
override for both bun and npm and leaves min-release-age and save-exact
in force, so the default lock is unchanged for everyone else.

On an install failure that looks like a blocked registry, print guidance
pointing at UNSLOTH_NPM_REGISTRY and auto-suggest the mirror already set
in the user's npm config. Registries are never switched automatically.

Also correct the .npmrc comment: the pin does not block an ambient
NPM_CONFIG_REGISTRY env var (npm and bun honor that at higher precedence);
it only guards against a lower-precedence stale ~/.npmrc.

* Studio: make the registry hint reachable under set -e; clean temp log (#6491)

run_quiet_no_exit returns non-zero on failure, which under `set -euo
pipefail` exits the script at the call site before the exit code is
captured, so the new UNSLOTH_NPM_REGISTRY hint never printed on the npm
fallback and OXC validator paths. Guard both with `|| _rc=$?` (the same
idiom every other run_quiet_no_exit caller already uses) so the failure
branch runs, and remove the _FRONTEND_INSTALL_LOG temp file on the
early-exit path.

* Studio: detect the user's mirror outside the pinned frontend dir (#6491)

_suggest_npm_registry / Show-NpmRegistryHint run while the cwd is still
studio/frontend, whose .npmrc pins registry=https://registry.npmjs.org/.
So `npm config get registry` returned that pin instead of the user's
~/.npmrc mirror, and the "Detected a registry" branch was skipped for the
main corporate case (mirror set in ~/.npmrc). Run the lookup from a
directory with no project .npmrc (/ in bash, the temp dir in PowerShell)
so the user/global mirror is surfaced. The NPM_CONFIG_REGISTRY env check
is unchanged and still takes precedence.
2026-06-25 04:01:43 -07:00

34 lines
2 KiB
Text

# Studio frontend npm configuration.
#
# Mini Shai-Hulud / Axios-style supply chain defense.
# Requires npm >=11.10.0. Refuses tarballs published less than 7 days ago,
# closing the typical 4-72h attack window between malicious publish and
# upstream removal. npm interprets the bare integer as DAYS; do not
# append `d`, npm 11.x will parse `7d` as a Date string and abort.
min-release-age=7
# Do not re-add the old `minimum-release-age` alias: npm >=11.16 warns on
# unknown project configs and npm 12 stops accepting them.
# Belt-and-braces: refuse to write back loose `^x.y.z` ranges into
# package.json when a maintainer runs `npm install <pkg>` locally. This
# does NOT rewrite already-present ranges (those need an explicit
# `npm install <name>@<version> --save-exact` pass) but it stops new
# carets from creeping into the manifest as patch-version footguns.
save-exact=true
# Pin the default registry so a stale or hostile *lower-precedence* ~/.npmrc
# can't silently redirect our installs to an attacker registry. Note this does
# NOT block an ambient NPM_CONFIG_REGISTRY env var: npm and bun honor that at a
# higher precedence than this project file. That is exactly why Unsloth does not
# read NPM_CONFIG_REGISTRY and instead exposes one deliberate, explicit opt-in.
#
# Corporate mirror / proxy (issue #6491): if your firewall blocks
# registry.npmjs.org, set UNSLOTH_NPM_REGISTRY=<your-mirror-url> when running
# ./install.sh (or setup.sh / setup.ps1). The installer threads it as
# `--registry <url>`, which overrides this line for both npm and bun while
# leaving the min-release-age and save-exact locks above in force. Do not edit
# this line for that -- the env var keeps the default pinned for everyone else.
registry=https://registry.npmjs.org/
audit-level=high
fund=false
# Maintainer note: use `npm ci` (never `npm install`) in CI and locally
# when reproducing a build. The 7-day cooldown above is enforced by npm
# itself; downgrading or removing it bypasses the supply-chain gate.