From f95c09e7621337eb61ab4e21932a92a94f24d986 Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Fri, 16 Nov 2018 18:03:35 +0100
Subject: [PATCH] fix(npm): ignore npmrc if localhost and low trust

---
 lib/datasource/npm.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/datasource/npm.js b/lib/datasource/npm.js
index f99bd648d3..5bc8944daf 100644
--- a/lib/datasource/npm.js
+++ b/lib/datasource/npm.js
@@ -61,6 +61,7 @@ function setNpmrc(input, trustLevel = 'low') {
     if (input === npmrcRaw) {
       return;
     }
+    const existingNpmrc = npmrc;
     npmrcRaw = input;
     logger.debug('Setting npmrc');
     npmrc = ini.parse(input);
@@ -73,7 +74,12 @@ function setNpmrc(input, trustLevel = 'low') {
         val &&
         val.includes('localhost')
       ) {
-        logger.warn({ key, val }, 'Detected localhost registry');
+        logger.info(
+          { key, val },
+          'Detected localhost registry - rejecting npmrc file'
+        );
+        npmrc = existingNpmrc;
+        return;
       }
       if (key !== '_auth' && key.endsWith('_auth') && isBase64(val)) {
         logger.debug('Massaging _auth to _authToken');
-- 
GitLab