diff --git a/lib/datasource/npm/releases.ts b/lib/datasource/npm/releases.ts
index e26a83b42db27915c109c2a13438a68d16b72058..ef724d708f103097b13bdfeaa57da83d09293e39 100644
--- a/lib/datasource/npm/releases.ts
+++ b/lib/datasource/npm/releases.ts
@@ -1,3 +1,4 @@
+import is from '@sindresorhus/is';
 import type { GetReleasesConfig, ReleaseResult } from '../types';
 import { getDependency } from './get';
 import { setNpmrc } from './npmrc';
@@ -6,7 +7,7 @@ export async function getReleases({
   lookupName,
   npmrc,
 }: GetReleasesConfig): Promise<ReleaseResult | null> {
-  if (npmrc) {
+  if (is.string(npmrc)) {
     setNpmrc(npmrc);
   }
   const res = await getDependency(lookupName);
diff --git a/lib/manager/npm/extract/index.ts b/lib/manager/npm/extract/index.ts
index 33dd844c441586fa5cd49b507bdc2954ebfd9c98..ad22069b05061b7880e4de900d151e7da579c823 100644
--- a/lib/manager/npm/extract/index.ts
+++ b/lib/manager/npm/extract/index.ts
@@ -106,7 +106,7 @@ export async function extractPackageFile(
       logger.debug('Stripping package-lock setting from npmrc');
       npmrc = npmrc.replace(/(^|\n)package-lock.*?(\n|$)/g, '\n');
     }
-    if (npmrc) {
+    if (is.string(npmrc)) {
       if (npmrc.includes('=${') && getAdminConfig().trustLevel !== 'high') {
         logger.debug('Discarding .npmrc file with variables');
         ignoreNpmrcFile = true;
diff --git a/lib/manager/npm/post-update/index.ts b/lib/manager/npm/post-update/index.ts
index 62305f5d49d6839c31c6a66ea342b2de3c77c74a..083272c1612b0f524b573b9a622c55f84b82fe7b 100644
--- a/lib/manager/npm/post-update/index.ts
+++ b/lib/manager/npm/post-update/index.ts
@@ -138,7 +138,7 @@ export async function writeExistingFiles(
     );
     const npmrc: string = packageFile.npmrc || config.npmrc;
     const npmrcFilename = upath.join(basedir, '.npmrc');
-    if (npmrc) {
+    if (is.string(npmrc)) {
       try {
         await outputFile(npmrcFilename, `${npmrc}\n`);
       } catch (err) /* istanbul ignore next */ {