Incorrect documentation on use of preinstall npm script

[edumserrano]

Describe the bug
The documentation states that one way to setup this package is to:

2: configure registry explicilty
If that's the case, set the environment variable npm_config_registry=https://registry.npmjs.org.

That will ensure that npx or npm exec grabs from the public NPM feed, bypassing the soon-to-be authenticated ADO feed.

"scripts": {
"preinstall": "npm_config_registry=https://registry.npmjs.org npm exec ado-npm-auth"
},

However, this does not work. More information can be seen in this npm bug report: npm/cli#2660

The problem is that the preinstall script only runs after the packages have been installed. One of the comments in the above bug report even states that a fix to the issue would be desired so that:

Agreed on treating this as a bug. Another example is users who use the preinstall hook to authenticate with private registries on their cloud platforms and/or any other registries with short lived tokens.

Azure: https://github.com/gsoft-inc/azure-devops-npm-auth
AWS: https://aws.amazon.com/blogs/devops/publishing-private-npm-packages-aws-codeartifact/

To Reproduce
Steps to reproduce the behavior:

1. Make sure your user's .npmrc file does not have any authentication token for the Azure DevOps registry you want to authenticate to.
2. Create a project .npmrc file with an Azure DevOps registry.
3. Create a preinstall script in the package.json as set it to cross-env npm_config_registry=https://registry.npmjs.org npm exec ado-npm-auth -c ./.npmrc
4. Run "npm install" from the project root directory where the package.json and .npmrc files are.
5. You get an unable to authenticate error message because the preinstall script is not executed before packages are installed.

Expected behavior
Since the issue with the preinstall is still open I would suggest you update the documentation to remove this incorrect information. Unless you know of some workaround, I believe the only way to generate the authentication token is to explicitly invoke the ado-npm-auth package and pass the .npmrc file before you run npm install.

Desktop (please complete the following information):

• OS: Windows

Additional context
In my example above I used cross-env in the preinstall script because I'm running on Windows and that's how I do the equivalent of the preinstall script in the docs which was:

"scripts": {
  "preinstall": "npm_config_registry=https://registry.npmjs.org npm exec ado-npm-auth"
},

[johnnyreilly]

If you're looking for something cross platform without using cross-env you can use this approach:

#50 (comment)

The approach I advise in azdo-npm-auth is:

npx -y --registry https://registry.npmjs.org ado-npm-auth

I've adjusted this to use ado-npm-auth instead of azdo-npm-auth

[edumserrano]

That is fine, the cross-env isn't an issue. It's true it's not required for this bug report.

The issue I'm reporting is that the docs advise you to use preinstall npm script which should first take care of doing the auth and then the npm install would run and be able to download packages from the registry which was just authenticated. This is not the case. The preinstall npm script does not work that way.

[edumserrano]

Just to reiterate, this does not work since npm v6. See npm/cli#2660 (comment).

In case anyone encounters this, the only package manager I could find that comes close to have this working is pnpm with its pnpm:devPreinstall script. Unfortunately it doesn't work 100% due to this bug pnpm/pnpm#5507. It's the closer you can get but in some occasions it would mean you'd have to run pnpm i twice.