Pick up npm config for alternative npm registries, custom ca, etc.

[jedateach]

Unfortunately embrer-cli-update won't work in environments that rely on customising the npm registry.
I feel Ember is a good option for enterprises, which are often in this situation of using an internal mirror registry. It would be great to smooth the Ember upgrade experience by being able to use this tool.

Two issues here:

• using wrong registry
• not picking up custom CA certs

❯ ember-cli-update --to 4.12
FetchError: request to https://registry.npmjs.org/ember-cli failed, reason: self-signed certificate in certificate chain
    at ClientRequest.<anonymous> (/<redacted global path>/node_modules/ember-cli-update/node_modules/minipass-fetch/lib/index.js:130:14)
    at ClientRequest.emit (node:events:517:28)
    at TLSSocket.socketErrorListener (node:_http_client:501:9)
    at TLSSocket.emit (node:events:517:28)
    at emitErrorNT (node:internal/streams/destroy:151:8)
    at emitErrorCloseNT (node:internal/streams/destroy:116:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
  code: 'SELF_SIGNED_CERT_IN_CHAIN',
  errno: 'SELF_SIGNED_CERT_IN_CHAIN',
  type: 'system'
} 

I assume the best way for this tool to work is that it is aware of npm config, however that is passed to npm. (env, flags, npmrc)

Hacky solution

I have cobbled together a solution that uses npm-conf to grab the npm configuration and pass it into the various pacote methods' opts param.

In boilerplate-update I also modified these functions to take an opts arg to pass to pacote:
downloadAndCheckForUpdates getApplicableCodemods getCodemods getVersions.

It sort of works, but doesn't feel like the most elegant design.

Considering something more ideal

It would be nice if pacote could be configured to pick up npm config out of the box.

Maybe, as an interim, pacote could be wrapped/proxied within boilerplate-update to pick up npm config when necessary. Expose that same proxy for ember-cli-update to make use of. This should require less changes to the various method signatures within ember-cli-update and boilerplate-update

Then there's npm-conf not npm official, and not well maintained, but has significant use.
To me, this still feels hacky, and really there should be some module npm relies on that we can also rely on for picking up npm config.

What do you reckon @kellyselden? Is there a better approach you're aware of?

[jedateach]

I found @npmcli/config, which looks like a more official way to get config.

I've explored the 'more ideal' approach, by creating a package intended to proxy pacote calls, and extend them with npm config:
https://github.com/jedateach/pacote-with-npm-config/blob/main/index.js

[jedateach]

POC pr against boilerplate-update main branch:
kellyselden/boilerplate-update#473 (comment)

Trying to get that PR branch into ember-cli-update then fails.
Probably the miss-match in boilerplate-update major versions (2 is what ember-cli-update uses vs 5 for my branch).
I'm somewhat inclined to pause for now, until I get some direction from the maintainers of ember-cli-update to see if I'm going in the right direction.