Verify latest release
pnpm version
10.15.0
Which area(s) of pnpm are affected? (leave empty if unsure)
No response
Link to the code that reproduces this issue or a replay of the bug
https://github.com/mxxk-examples/pnpm-v10-config-issue
Reproduction steps
-
Check out https://github.com/mxxk-examples/pnpm-v10-config-issue.
-
Build the Docker container:
docker build -t pnpm-repro .
-
Inspect the results in each reproduction directory within the Docker container:
docker run --rm -it pnpm-repro sh
Describe the Bug
Suppose the intention is to append the following line to the current project's .npmrc file:
//npm.pkg.github.com/:_authToken=${NPM_TOKEN}
Doing so is useful in CI/CD where an NPM_TOKEN environment variable is provided for accessing a private NPM repository (in this example, the GitHub NPM registry).
In pnpm v9, the command
pnpm config set \
--location=project \
'//npm.pkg.github.com/:_authToken=${NPM_TOKEN}'
did just that.
However, in pnpm v10, the same command does two different things, depending on whether there is an .npmrc file already present in the project directory:
-
If there is no .npmrc file present, it writes the following to pnpm-workspace.yaml:
//npmPkgGithubCom/:AuthToken: ${NPM_TOKEN}
-
If there is an .npmrc file present, it writes the following to .npmrc:
npm-pkg-github-com-auth-token=${NPM_TOKEN}
Lastly, if the pnpm config set command is run with --location=global, all three examples (pnpm v9, pnpm v10 without .npmrc, pnpm v10 with .npmrc) produce the same result: they write the following to ~/.npmrc:
//npm.pkg.github.com/:_authToken=${NPM_TOKEN}
Expected Behavior
I'm not sure what should be considered correct behavior in this case. The option being set is not pnpm-specific, so using the npm config set command instead may be the right move.
To my knowledge, however, the behavior demonstrated above is not documented anywhere, nor is it called out as a breaking change in pnpm v10.
Which Node.js version are you using?
v24.6.0
Which operating systems have you used?
If your OS is a Linux based, which one it is? (Include the version if relevant)
Alpine (Docker)
Verify latest release
pnpm version
10.15.0
Which area(s) of pnpm are affected? (leave empty if unsure)
No response
Link to the code that reproduces this issue or a replay of the bug
https://github.com/mxxk-examples/pnpm-v10-config-issue
Reproduction steps
Check out https://github.com/mxxk-examples/pnpm-v10-config-issue.
Build the Docker container:
docker build -t pnpm-repro .Inspect the results in each reproduction directory within the Docker container:
Describe the Bug
Suppose the intention is to append the following line to the current project's
.npmrcfile:Doing so is useful in CI/CD where an
NPM_TOKENenvironment variable is provided for accessing a private NPM repository (in this example, the GitHub NPM registry).In pnpm v9, the command
did just that.
However, in pnpm v10, the same command does two different things, depending on whether there is an
.npmrcfile already present in the project directory:If there is no
.npmrcfile present, it writes the following topnpm-workspace.yaml:If there is an
.npmrcfile present, it writes the following to.npmrc:Lastly, if the
pnpm config setcommand is run with--location=global, all three examples (pnpm v9, pnpm v10 without.npmrc, pnpm v10 with.npmrc) produce the same result: they write the following to~/.npmrc:Expected Behavior
I'm not sure what should be considered correct behavior in this case. The option being set is not pnpm-specific, so using the
npm config setcommand instead may be the right move.To my knowledge, however, the behavior demonstrated above is not documented anywhere, nor is it called out as a breaking change in pnpm v10.
Which Node.js version are you using?
v24.6.0
Which operating systems have you used?
If your OS is a Linux based, which one it is? (Include the version if relevant)
Alpine (Docker)