NPM registry configuration template (.npmrc.template) and validation logic for GitHub Packages authentication with pnpm hoisting settings. Includes 4 critical standards (GitHub Package Registry config with token placeholder, pnpm hoisting for monorepo compatibility, exact version management, security documentation). Use when creating or auditing .npmrc.template files to prevent token leakage.
Creates and validates .npmrc.template files for GitHub Packages authentication with pnpm hoisting. Triggered when creating new templates or auditing existing NPM registry configurations to prevent token leakage and ensure monorepo compatibility.
/plugin marketplace add metasaver/metasaver-marketplace/plugin install core-claude-plugin@metasaver-marketplaceThis skill inherits all available tools. When active, it can use any tool Claude has access to.
This skill provides .npmrc.template template and validation logic for NPM registry configuration with GitHub Packages authentication.
Manage .npmrc.template configuration to:
This skill is invoked by the npmrc-template-agent when:
The standard .npmrc.template is located at:
templates/.npmrc.template
Must configure GitHub Packages for @metasaver scope:
# GitHub Package Registry for @metasaver packages
@metasaver:registry=https://npm.pkg.github.com
# Authentication token (replaced by setup script)
# Generate token at: https://github.com/settings/tokens
# Required scopes: read:packages
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
Requirements:
@metasaver pointing to npm.pkg.github.com${GITHUB_TOKEN} variableValidation:
# Check registry configuration
grep -q "@metasaver:registry=https://npm.pkg.github.com" .npmrc.template || echo "VIOLATION: Missing @metasaver registry"
# Check auth token placeholder
grep -q "//npm.pkg.github.com/:_authToken=\${GITHUB_TOKEN}" .npmrc.template || echo "VIOLATION: Missing auth token placeholder"
# Security check - ensure no real tokens
grep -E "ghp_[a-zA-Z0-9]{36}" .npmrc.template && echo "SECURITY VIOLATION: Real token detected"
Must configure pnpm for proper module resolution in monorepos:
# pnpm Configuration
shamefully-hoist=true
strict-peer-dependencies=false
auto-install-peers=true
node-linker=hoisted
Settings explained:
shamefully-hoist=true - Hoists all dependencies to root (fixes module resolution)strict-peer-dependencies=false - Relaxed peer dependency checkingauto-install-peers=true - Automatically install peer dependenciesnode-linker=hoisted - Use hoisted node_modules structureValidation:
# Check all required hoisting settings
grep -q "shamefully-hoist=true" .npmrc.template || echo "VIOLATION: Missing shamefully-hoist"
grep -q "node-linker=hoisted" .npmrc.template || echo "VIOLATION: Missing node-linker"
grep -q "auto-install-peers=true" .npmrc.template || echo "VIOLATION: Missing auto-install-peers (recommended)"
Must configure exact version saving:
# Dependency version management
save-exact=true
save-prefix=''
Settings explained:
save-exact=true - Save exact versions (no ^ or ~)save-prefix='' - Empty prefix (no symbols)Validation:
# Check version management settings
grep -q "save-exact=true" .npmrc.template || echo "VIOLATION: Missing save-exact"
grep -q "save-prefix=''" .npmrc.template || echo "VIOLATION: Missing save-prefix"
Must include setup instructions and warnings:
# ==============================================
# MetaSaver NPM Registry Configuration Template
# ==============================================
# This is a TEMPLATE file - ALWAYS copy before editing directly
#
# Setup Instructions:
# 1. Copy .env.example to .env
# 2. Add your GITHUB_TOKEN to .env
# 3. Run: pnpm setup:npmrc
#
# The setup script will replace ${GITHUB_TOKEN} with your actual token
# and generate .npmrc (which is gitignored)
# ==============================================
Requirements:
Validation:
# Check documentation header
grep -q "MetaSaver NPM Registry Configuration Template" .npmrc.template || echo "VIOLATION: Missing documentation header"
grep -q "Setup Instructions" .npmrc.template || echo "VIOLATION: Missing setup instructions"
grep -q "pnpm setup:npmrc" .npmrc.template || echo "VIOLATION: Missing setup command reference"
To validate .npmrc.template configuration:
# Check file exists
[ -f ".npmrc.template" ] || echo "VIOLATION: Missing .npmrc.template at root"
# Rule 1: GitHub Package Registry
grep -q "@metasaver:registry=https://npm.pkg.github.com" .npmrc.template || echo "VIOLATION: Missing @metasaver registry"
grep -q "//npm.pkg.github.com/:_authToken=\${GITHUB_TOKEN}" .npmrc.template || echo "VIOLATION: Missing auth token placeholder"
# Security check
if grep -E "ghp_[a-zA-Z0-9]{36}" .npmrc.template; then
echo "SECURITY VIOLATION: Real GitHub token detected (should use \${GITHUB_TOKEN} placeholder)"
exit 1
fi
# Rule 2: pnpm hoisting
grep -q "shamefully-hoist=true" .npmrc.template || echo "VIOLATION: Missing shamefully-hoist"
grep -q "node-linker=hoisted" .npmrc.template || echo "VIOLATION: Missing node-linker"
# Rule 3: Version management
grep -q "save-exact=true" .npmrc.template || echo "VIOLATION: Missing save-exact"
grep -q "save-prefix=''" .npmrc.template || echo "VIOLATION: Missing save-prefix"
# Rule 4: Documentation
grep -q "Setup Instructions" .npmrc.template || echo "VIOLATION: Missing setup instructions"
${GITHUB_TOKEN} placeholder)CRITICAL: .npmrc.template must ALWAYS use token placeholders and never contain real authentication tokens.
Correct:
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
WRONG (Security Violation):
//npm.pkg.github.com/:_authToken=ghp_abc123xyz789...
Token detection pattern:
# GitHub Personal Access Token pattern
grep -E "ghp_[a-zA-Z0-9]{36}" .npmrc.template
This skill integrates with:
scope parameter. If not provided, use /skill scope-check/skill audit-workflow - Bi-directional comparison workflow/skill remediation-options - Conform/Update/Ignore choicespnpm-workspace-agent - For monorepo package manager setuppackage-scripts-agent - For setup:npmrc script validation