Conversation
…publish (#11492) `pnpm config get @<scope>:registry` now reports the same URL that `pnpm publish` and the resolvers actually use. Previously `config get` only read `.npmrc`, while `publish`/install used the merged `Config.registries` map (where pnpm-workspace.yaml's `registries` overrides `.npmrc`), so the two could diverge silently and a publish would go to the wrong registry. Also warn at config load when the same scope (or the default registry) is defined in both `.npmrc` and `pnpm-workspace.yaml` with different values.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughAligns ChangesScoped Registry Config Resolution Alignment
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 Microsoft Presidio Analyzer (2.2.362)pnpm/test/config/get.tsMicrosoft Presidio Analyzer failed to scan this file Comment |
Avoid the CodeQL warning about unescaped `.` in `from-npmrc.example.com` regex literals — the assertions only need a substring check, so use `.toContain()` directly.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses a pnpm v11 inconsistency where pnpm config get @<scope>:registry could report a different registry URL than the one actually used by pnpm publish/resolvers (workspace registries override vs .npmrc). It aligns config get behavior with the merged Config.registries map and adds a user-facing warning when conflicting registry definitions are detected.
Changes:
- Update
pnpm config get @<scope>:registryto prefer the mergedConfig.registriesvalue (workspaceregistries+.npmrc) over the raw.npmrc(authConfig) value. - Add config-load warnings when the same scope/default registry is defined in both
.npmrcandpnpm-workspace.yamlwith different URLs. - Add tests covering the aligned
config getbehavior and the new conflict-warning behavior, plus a changeset entry.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| config/reader/src/index.ts | Adds conflict-detection warning when workspace registries disagree with .npmrc registries before merging/normalizing. |
| config/reader/test/index.ts | Adds tests for scoped/default registry conflict warnings and “no warning” cases. |
| config/commands/src/configGet.ts | Makes scoped :registry lookups prefer the merged opts._config.registries map. |
| config/commands/test/configGet.test.ts | Adds regression test ensuring config get @scope:registry returns the merged registry value. |
| .changeset/scoped-registry-config-get-publish.md | Documents the behavior change and warning addition as patch releases. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
🧹 Nitpick comments (1)
config/reader/test/index.ts (1)
582-586: ⚡ Quick winAssert that the warning explicitly states which source wins.
These checks confirm both URLs are present, but they don’t lock in the “winner” wording/source. A warning could regress to ambiguous text and still pass.
Suggested test hardening
const scopeWarning = warnings.find((w) => w.includes('@my-org')) expect(scopeWarning).toBeDefined() expect(scopeWarning).toContain('https://from-npmrc.example.com/') expect(scopeWarning).toContain('https://from-workspace-yaml.example.com/') + expect(scopeWarning).toContain('.npmrc') + expect(scopeWarning).toContain('pnpm-workspace.yaml') + expect(scopeWarning).toContain('takes precedence') @@ const defaultWarning = warnings.find((w) => w.includes('default registry')) expect(defaultWarning).toBeDefined() expect(defaultWarning).toContain('https://from-npmrc.example.com/') expect(defaultWarning).toContain('https://from-workspace-yaml.example.com/') + expect(defaultWarning).toContain('.npmrc') + expect(defaultWarning).toContain('pnpm-workspace.yaml') + expect(defaultWarning).toContain('takes precedence')Also applies to: 605-608
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@config/reader/test/index.ts` around lines 582 - 586, The test currently only checks that both URLs appear in the scopeWarning (found via warnings.find) which allows ambiguous wording to slip through; update the assertions to assert the warning explicitly states which source wins (e.g., contains a clear phrase like "from-npmrc.example.com wins" or "workspace YAML wins" alongside the winning URL) so the message is unambiguous, and apply the same stronger assertion pattern to the analogous assertions around lines 605-608; target the scopeWarning variable returned by warnings.find and assert the exact winner wording rather than just presence of both URLs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@config/reader/test/index.ts`:
- Around line 582-586: The test currently only checks that both URLs appear in
the scopeWarning (found via warnings.find) which allows ambiguous wording to
slip through; update the assertions to assert the warning explicitly states
which source wins (e.g., contains a clear phrase like "from-npmrc.example.com
wins" or "workspace YAML wins" alongside the winning URL) so the message is
unambiguous, and apply the same stronger assertion pattern to the analogous
assertions around lines 605-608; target the scopeWarning variable returned by
warnings.find and assert the exact winner wording rather than just presence of
both URLs.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 189f96ad-76e9-471a-b68b-eb3043dac4eb
📒 Files selected for processing (1)
config/reader/test/index.ts
A pnpm-workspace.yaml `registries` entry overriding a value from ~/.npmrc is the normal local-over-global precedence, not a footgun worth surfacing. Now that `pnpm config get @<scope>:registry` reports the same URL `pnpm publish` uses, the divergence the user noticed in \#11492 is gone, and an extra warning would just be noise on the common case. The regression test that covers `pnpm-workspace.yaml` overriding the .npmrc value for the same scope stays.
After #11494, `pnpm config get @<scope>:registry` returns the value from the merged `Config.registries` map — the same URL the resolvers and `publish` use — which is normalized with a trailing slash. Update the e2e expectation to match.
zkochan
added a commit
that referenced
this pull request
May 6, 2026
…publish (#11494) Fixes [#11492](#11492). In pnpm v11 a scoped registry resolved to different URLs depending on which command read it: - `pnpm config get @<scope>:registry` returned the value from `.npmrc` - `pnpm publish` used the value from `pnpm-workspace.yaml`'s `registries` block When the two sources disagreed, `pnpm publish` silently targeted the URL from `pnpm-workspace.yaml`, even though `pnpm config get` reported a different (and seemingly authoritative) URL — so users could publish to the wrong registry without any indication. This PR makes `pnpm config get @<scope>:registry` read from the merged `Config.registries` map (the same map `publish` and the resolvers use) before falling back to `authConfig`. Both commands now report and use the same URL.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #11492.
In pnpm v11 a scoped registry resolved to different URLs depending on which command read it:
pnpm config get @<scope>:registryreturned the value from.npmrcpnpm publishused the value frompnpm-workspace.yaml'sregistriesblockWhen the two sources disagreed,
pnpm publishsilently targeted the URL frompnpm-workspace.yaml, even thoughpnpm config getreported a different (and seemingly authoritative) URL — so users could publish to the wrong registry without any indication.This PR makes
pnpm config get @<scope>:registryread from the mergedConfig.registriesmap (the same mappublishand the resolvers use) before falling back toauthConfig. Both commands now report and use the same URL.Test plan
config.commandstest coveringconfig get @scope:registryreturning the merged value whenpnpm-workspace.yamloverrides.npmrc.config.readerregression test confirmingpnpm-workspace.yaml'sregistriesoverrides the same scope from.npmrc.config get @my-org:registrynow returns the same URLpnpm publishPUTs to.Written by an agent (Claude Code, claude-opus-4-7).
Summary by CodeRabbit
Bug Fixes
Improvements
pnpm config getto report registry URLs consistently with publish/resolvers and emit a warning when workspace and local registry values differ.Tests