From 42a846e86798934d3f39e18f726bc871f1cf1b1f Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Fri, 21 May 2021 13:30:30 +0200
Subject: [PATCH] fix(config): filter npm_ env

---
 docs/usage/private-modules.md | 4 +++-
 lib/config/env.spec.ts        | 6 ++++++
 lib/config/env.ts             | 6 ++++++
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/docs/usage/private-modules.md b/docs/usage/private-modules.md
index 3a1ef51301..29ee645095 100644
--- a/docs/usage/private-modules.md
+++ b/docs/usage/private-modules.md
@@ -216,7 +216,7 @@ For instructions on this, see the above section on encrypting secrets for the Wh
 
 Self-hosted users can use environment variables to configure the most common types of `hostRules` for authentication.
 
-The format of the environment variables must be all upper-case and follow:
+The format of the environment variables must follow:
 
 - Datasource name (e.g. `NPM`, `PYPI`)
 - Underscore (`_`)
@@ -227,6 +227,8 @@ The format of the environment variables must be all upper-case and follow:
 Hyphens (`-`) in datasource or host name must be replaced with double underscores (`__`).
 Periods (`.`) in host names must be replaced with a single underscore (`_`).
 
+Note: the following prefixes cannot be supported for this functionality: `npm_config_`, `npm_lifecycle_`, `npm_package_`.
+
 #### npmjs registry token example
 
 `NPM_REGISTRY_NPMJS_ORG_TOKEN=abc123`:
diff --git a/lib/config/env.spec.ts b/lib/config/env.spec.ts
index acb608f5ab..6b9915f9e9 100644
--- a/lib/config/env.spec.ts
+++ b/lib/config/env.spec.ts
@@ -126,6 +126,12 @@ describe(getName(), () => {
       };
       expect(env.getConfig(envParam).hostRules).toHaveLength(0);
     });
+    it('rejects npm env', () => {
+      const envParam: NodeJS.ProcessEnv = {
+        npm_package_devDependencies__types_registry_auth_token: '4.2.0',
+      };
+      expect(env.getConfig(envParam).hostRules).toHaveLength(0);
+    });
     it('supports Bitbucket token', () => {
       const envParam: NodeJS.ProcessEnv = {
         RENOVATE_PLATFORM: PLATFORM_TYPE_BITBUCKET,
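Review bot: The new `rejects npm env` test pins only the `npm_package_` prefix, while env.ts in this commit filters `npm_config_` and `npm_lifecycle_` through the same list. A later edit to that list could drop one of them without any test failing. Adding one entry per prefix to `envParam` (constructed examples: `npm_config_registry_token: 'x'`, `npm_lifecycle_script_password: 'x'`) would let the existing `toHaveLength(0)` assertion cover all three. The enclosing `describe` starts before the hunk and the following `it` runs past it.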
diff --git a/lib/config/env.ts b/lib/config/env.ts
index 9858f3ff8f..9689b70353 100644
--- a/lib/config/env.ts
+++ b/lib/config/env.ts
@@ -92,7 +92,13 @@ export function getConfig(env: NodeJS.ProcessEnv): GlobalConfig {
 
   const hostRules: HostRule[] = [];
 
+  const npmEnvPrefixes = ['npm_config_', 'npm_lifecycle_', 'npm_package_'];
+
   for (const envName of Object.keys(env).sort()) {
+    if (npmEnvPrefixes.some((prefix) => envName.startsWith(prefix))) {
+      logger.trace('Ignoring npm env: ' + envName);
+      continue; // eslint-disable-line no-continue
+    }
     // Double underscore __ is used in place of hyphen -
     const splitEnv = envName.toLowerCase().replace('__', '-').split('_');
     const hostType = splitEnv.shift();
-- 
GitLab