feat(scanner): add npm token based on registry for sdk calls

Author: clemgbld

.changeset/forty-waves-jog.md

@@ -0,0 +1,5 @@
+---
+"@nodesecure/scanner": minor
+---
+
+feat(scanner): add npm token based on registry for sdk calls

package-lock.json

@@ -70,7 +70,9 @@
     "type-fest": "^5.0.1"
   },
   "devDependencies": {
+    "@npmcli/config": "^10.4.2",
     "@types/node": "^24.0.2",
+    "@types/npmcli__config": "^6.0.3",
     "c8": "^10.1.3",
     "tsx": "^4.19.4",
     "typescript": "^5.8.3"

workspaces/scanner/package.json

@@ -13,14 +13,16 @@ import { npm } from "@nodesecure/tree-walker";
 import { parseAuthor } from "@nodesecure/utils";
 import { ManifestManager, parseNpmSpec } from "@nodesecure/mama";
 import type { ManifestVersion, PackageJSON, WorkspacesPackageJSON } from "@nodesecure/npm-types";
-import { getNpmRegistryURL } from "@nodesecure/npm-registry-sdk";
+import { getNpmRegistryURL, getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
+import Config from "@npmcli/config";
 
 // Import Internal Dependencies
 import {
   getDependenciesWarnings,
   addMissingVersionFlags,
   getUsedDeps,
-  getManifestLinks
+  getManifestLinks,
+  NPM_TOKEN
 } from "./utils/index.js";
 import { NpmRegistryProvider } from "./registry/NpmRegistryProvider.js";
 import { TempDirectory } from "./class/TempDirectory.class.js";
@@ -79,6 +81,7 @@ const { version: packageVersion } = JSON.parse(
 type WalkerOptions = Omit<Options, "registry"> & {
   registry: string;
   location?: string;
+  npmRcConfig?: Config;
 };
 
 export async function depWalker(
@@ -93,9 +96,15 @@ export async function depWalker(
     maxDepth,
     location,
     vulnerabilityStrategy = Vulnera.strategies.NONE,
-    registry
+    registry,
+    npmRcConfig
   } = options;
 
+  const registryToken = npmRcConfig?.get(NpmRegistryProvider.getTokenKey(getLocalRegistryURL()), "project") as string | undefined
+    ?? NPM_TOKEN.token;
+  const publicRegistryToken = npmRcConfig?.get(NpmRegistryProvider.getTokenKey(getNpmRegistryURL())
+    , "project") as string | undefined ?? NPM_TOKEN.token;
+
   await using tempDir = await TempDirectory.create();
 
   const dependencyConfusionWarnings: DependencyConfusionWarning[] = [];
@@ -150,7 +159,9 @@ export async function depWalker(
         const dep = dependencies.get(name)!;
         operationsQueue.push(
           new NpmRegistryProvider(name, version, {
-            registry
+            registry,
+            registryToken,
+            publicRegistryToken
           }).enrichDependencyVersion(dep, dependencyConfusionWarnings, org)
         );
 
@@ -180,13 +191,19 @@ export async function depWalker(
       }
       else {
         fetchedMetadataPackages.add(name);
-        const provider = new NpmRegistryProvider(name, version);
+        const provider = new NpmRegistryProvider(name, version, {
+          registry,
+          registryToken,
+          publicRegistryToken
+        });
 
         operationsQueue.push(provider.enrichDependency(logger, dependency));
         if (registry !== getNpmRegistryURL() && org) {
           operationsQueue.push(
             new NpmRegistryProvider(name, version, {
-              registry
+              registry,
+              registryToken,
+              publicRegistryToken
             }).enrichScopedDependencyConfusionWarnings(dependencyConfusionWarnings, org)
           );
         }

workspaces/scanner/src/depWalker.ts

@@ -8,6 +8,7 @@ import pacote from "pacote";
 import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 import * as tarball from "@nodesecure/tarball";
 import type { PackageJSON } from "@nodesecure/npm-types";
+import Config from "@npmcli/config";
 
 // Import Internal Dependencies
 import { depWalker } from "./depWalker.js";
@@ -27,9 +28,13 @@ const kDefaultCwdOptions = {
 export * from "./types.js";
 export * from "./extractors/index.js";
 
+type CwdOptions = Options & {
+  npmRcConfig?: Config;
+};
+
 export async function cwd(
   location = process.cwd(),
-  options: Options = {},
+  options: CwdOptions = {},
   logger = new Logger()
 ) {
   const registry = options.registry ?

workspaces/scanner/src/index.ts

@@ -30,6 +30,7 @@ await i18n.extendFromSystemPath(
 
 type PackumentNpmApiOptions = {
   registry: string;
+  token?: string;
 };
 
 export interface NpmApiClient {
@@ -42,12 +43,16 @@ export interface NpmRegistryProviderOptions {
   dateProvider?: DateProvider;
   npmApiClient?: NpmApiClient;
   registry?: string;
+  registryToken?: string;
+  publicRegistryToken?: string;
 }
 
 export class NpmRegistryProvider {
   #date: DateProvider | undefined;
   #npmApiClient: NpmApiClient;
   #registry: string;
+  #registryToken: string | undefined;
+  #publicRegistryToken: string | undefined;
 
   name: string;
   version: string;
@@ -60,7 +65,9 @@ export class NpmRegistryProvider {
     const {
       dateProvider = undefined,
       npmApiClient = npmRegistrySDK,
-      registry = npmRegistrySDK.getLocalRegistryURL()
+      registry = npmRegistrySDK.getLocalRegistryURL(),
+      registryToken = undefined,
+      publicRegistryToken = undefined
     } = options;
 
     this.name = name;
@@ -69,14 +76,17 @@ export class NpmRegistryProvider {
     this.#date = dateProvider;
     this.#npmApiClient = npmApiClient;
     this.#registry = registry;
+    this.#registryToken = registryToken;
+    this.#publicRegistryToken = publicRegistryToken;
   }
 
   async collectPackageVersionData() {
     const packumentVersion = await this.#npmApiClient.packumentVersion(
       this.name,
       this.version,
       {
-        registry: this.#registry
+        registry: this.#registry,
+        token: this.#registryToken
       }
     );
 
@@ -95,7 +105,8 @@ export class NpmRegistryProvider {
 
   async collectPackageData() {
     const packument = await this.#npmApiClient.packument(this.name, {
-      registry: this.#registry
+      registry: this.#registry,
+      token: this.#registryToken
     });
     const packumentVersion = packument.versions[this.version];
 
@@ -167,7 +178,8 @@ export class NpmRegistryProvider {
       }
       try {
         const packumentVersionFromPublicRegistry = await this.#npmApiClient.packumentVersion(this.name, this.version, {
-          registry: getNpmRegistryURL()
+          registry: getNpmRegistryURL(),
+          token: this.#publicRegistryToken
         });
         if (!this.#hasSameSignatures(signatures, packumentVersionFromPublicRegistry.dist.signatures)) {
           this.#addDependencyConfusionWarning(warnings, await i18n.getToken("scanner.dependency_confusion"));
@@ -185,6 +197,10 @@ export class NpmRegistryProvider {
     }
   }
 
+  static getTokenKey(registry: string) {
+    return `${registry.replace(/https:|http:/, "")}:_authToken`;
+  }
+
   #hasSameSignatures(signatures: Signature[] | undefined, signaturesFromPublicRegistry: Signature[] | undefined) {
     if (!signatures || !signaturesFromPublicRegistry) {
       return false;