feat(scanner): add npm token based on registry for sdk calls (#544)

Author: clemgbld

.changeset/forty-waves-jog.md

@@ -0,0 +1,5 @@
+---
+"@nodesecure/scanner": minor
+---
+
+feat(scanner): add npm token based on registry for sdk calls

package-lock.json

@@ -70,7 +70,9 @@
     "type-fest": "^5.0.1"
   },
   "devDependencies": {
+    "@npmcli/config": "^10.4.2",
     "@types/node": "^24.0.2",
+    "@types/npmcli__config": "^6.0.3",
     "c8": "^10.1.3",
     "tsx": "^4.19.4",
     "typescript": "^5.8.3"

workspaces/scanner/package.json

@@ -14,15 +14,18 @@ import { parseAuthor } from "@nodesecure/utils";
 import { ManifestManager, parseNpmSpec } from "@nodesecure/mama";
 import type { ManifestVersion, PackageJSON, WorkspacesPackageJSON } from "@nodesecure/npm-types";
 import { getNpmRegistryURL } from "@nodesecure/npm-registry-sdk";
+import type Config from "@npmcli/config";
 
 // Import Internal Dependencies
 import {
   getDependenciesWarnings,
   addMissingVersionFlags,
   getUsedDeps,
-  getManifestLinks
+  getManifestLinks,
+  NPM_TOKEN
 } from "./utils/index.js";
 import { NpmRegistryProvider } from "./registry/NpmRegistryProvider.js";
+import { RegistryTokenStore } from "./registry/RegistryTokenStore.js";
 import { TempDirectory } from "./class/TempDirectory.class.js";
 import { Logger, ScannerLoggerEvents } from "./class/logger.class.js";
 import type {
@@ -79,6 +82,7 @@ const { version: packageVersion } = JSON.parse(
 type WalkerOptions = Omit<Options, "registry"> & {
   registry: string;
   location?: string;
+  npmRcConfig?: Config;
 };
 
 export async function depWalker(
@@ -93,9 +97,12 @@ export async function depWalker(
     maxDepth,
     location,
     vulnerabilityStrategy = Vulnera.strategies.NONE,
-    registry
+    registry,
+    npmRcConfig
   } = options;
 
+  const tokenStore = new RegistryTokenStore(npmRcConfig, NPM_TOKEN.token);
+
   await using tempDir = await TempDirectory.create();
 
   const dependencyConfusionWarnings: DependencyConfusionWarning[] = [];
@@ -150,7 +157,8 @@ export async function depWalker(
         const dep = dependencies.get(name)!;
         operationsQueue.push(
           new NpmRegistryProvider(name, version, {
-            registry
+            registry,
+            tokenStore
           }).enrichDependencyVersion(dep, dependencyConfusionWarnings, org)
         );
 
@@ -180,13 +188,17 @@ export async function depWalker(
       }
       else {
         fetchedMetadataPackages.add(name);
-        const provider = new NpmRegistryProvider(name, version);
+        const provider = new NpmRegistryProvider(name, version, {
+          registry,
+          tokenStore
+        });
 
         operationsQueue.push(provider.enrichDependency(logger, dependency));
         if (registry !== getNpmRegistryURL() && org) {
           operationsQueue.push(
             new NpmRegistryProvider(name, version, {
-              registry
+              registry,
+              tokenStore
             }).enrichScopedDependencyConfusionWarnings(dependencyConfusionWarnings, org)
           );
         }

workspaces/scanner/src/depWalker.ts

@@ -8,6 +8,7 @@ import pacote from "pacote";
 import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 import * as tarball from "@nodesecure/tarball";
 import type { PackageJSON } from "@nodesecure/npm-types";
+import type Config from "@npmcli/config";
 
 // Import Internal Dependencies
 import { depWalker } from "./depWalker.js";
@@ -27,9 +28,13 @@ const kDefaultCwdOptions = {
 export * from "./types.js";
 export * from "./extractors/index.js";
 
+export type CwdOptions = Options & {
+  npmRcConfig?: Config;
+};
+
 export async function cwd(
   location = process.cwd(),
-  options: Options = {},
+  options: CwdOptions = {},
   logger = new Logger()
 ) {
   const registry = options.registry ?

workspaces/scanner/src/index.ts

@@ -15,7 +15,8 @@ import { PackumentExtractor, type DateProvider } from "./PackumentExtractor.js";
 import { fetchNpmAvatars } from "./fetchNpmAvatars.js";
 import type {
   Dependency,
-  DependencyConfusionWarning
+  DependencyConfusionWarning,
+  TokenStore
 } from "../types.js";
 import { Logger } from "../class/logger.class.js";
 import { getLinks } from "../utils/getLinks.js";
@@ -30,6 +31,7 @@ await i18n.extendFromSystemPath(
 
 type PackumentNpmApiOptions = {
   registry: string;
+  token?: string;
 };
 
 export interface NpmApiClient {
@@ -42,12 +44,14 @@ export interface NpmRegistryProviderOptions {
   dateProvider?: DateProvider;
   npmApiClient?: NpmApiClient;
   registry?: string;
+  tokenStore?: TokenStore;
 }
 
 export class NpmRegistryProvider {
   #date: DateProvider | undefined;
   #npmApiClient: NpmApiClient;
   #registry: string;
+  #tokenStore: TokenStore | undefined;
 
   name: string;
   version: string;
@@ -60,7 +64,8 @@ export class NpmRegistryProvider {
     const {
       dateProvider = undefined,
       npmApiClient = npmRegistrySDK,
-      registry = npmRegistrySDK.getLocalRegistryURL()
+      registry = npmRegistrySDK.getLocalRegistryURL(),
+      tokenStore = undefined
     } = options;
 
     this.name = name;
@@ -69,14 +74,16 @@ export class NpmRegistryProvider {
     this.#date = dateProvider;
     this.#npmApiClient = npmApiClient;
     this.#registry = registry;
+    this.#tokenStore = tokenStore;
   }
 
   async collectPackageVersionData() {
     const packumentVersion = await this.#npmApiClient.packumentVersion(
       this.name,
       this.version,
       {
-        registry: this.#registry
+        registry: this.#registry,
+        token: this.#tokenStore?.get(this.#registry)
       }
     );
 
@@ -95,7 +102,8 @@ export class NpmRegistryProvider {
 
   async collectPackageData() {
     const packument = await this.#npmApiClient.packument(this.name, {
-      registry: this.#registry
+      registry: this.#registry,
+      token: this.#tokenStore?.get(this.#registry)
     });
     const packumentVersion = packument.versions[this.version];
 
@@ -167,7 +175,8 @@ export class NpmRegistryProvider {
       }
       try {
         const packumentVersionFromPublicRegistry = await this.#npmApiClient.packumentVersion(this.name, this.version, {
-          registry: getNpmRegistryURL()
+          registry: getNpmRegistryURL(),
+          token: this.#tokenStore?.get(getNpmRegistryURL())
         });
         if (!this.#hasSameSignatures(signatures, packumentVersionFromPublicRegistry.dist.signatures)) {
           this.#addDependencyConfusionWarning(warnings, await i18n.getToken("scanner.dependency_confusion"));

workspaces/scanner/src/registry/NpmRegistryProvider.ts

@@ -0,0 +1,32 @@
+// Import Third-party Dependencies
+import type Config from "@npmcli/config";
+
+// Import Internal Dependencies
+import { type TokenStore } from "../types.js";
+
+export class RegistryTokenStore implements TokenStore {
+  #memo: Map<string, string | undefined> = new Map();
+  #config: Config | undefined;
+  #tokenFromEnv: string | undefined;
+  constructor(config: Config | undefined, tokenFromEnv: string | undefined) {
+    this.#config = config;
+    this.#tokenFromEnv = tokenFromEnv;
+  }
+
+  get(registry: string): string | undefined {
+    if (!this.#config) {
+      return this.#tokenFromEnv;
+    }
+    if (this.#memo.has(registry)) {
+      return this.#memo.get(registry);
+    }
+    const token = this.#config.get(this.getTokenKey(registry), "project") as string | undefined ?? this.#tokenFromEnv;
+    this.#memo.set(registry, token);
+
+    return token;
+  }
+
+  private getTokenKey(registry: string) {
+    return `${registry.replace(/https:|http:/, "")}:_authToken`;
+  }
+}

workspaces/scanner/src/registry/RegistryTokenStore.ts

@@ -262,3 +262,10 @@ export interface Options {
    */
   readonly scanRootNode?: boolean;
 }
+
+export interface TokenStore {
+  /**
+   * Get the token for the given registry
+   */
+  get(registry: string): string | undefined;
+}