NodeSecure · PierreDemailly · Mar 23, 2026 · Mar 23, 2026
diff --git a/.changeset/cyan-days-read.md b/.changeset/cyan-days-read.md
@@ -0,0 +1,5 @@
+---
+"@nodesecure/scanner": minor
+---
+
+feat(scanner): read .npmrc scoped registries for private package resolution
diff --git a/workspaces/scanner/src/depWalker.ts b/workspaces/scanner/src/depWalker.ts
@@ -30,6 +30,7 @@ import {
   getManifestLinks,
   NPM_TOKEN
 } from "./utils/index.ts";
+import { getRegistryForPackage } from "./utils/npmrc.ts";
 import { NpmRegistryProvider, type NpmApiClient } from "./registry/NpmRegistryProvider.ts";
 import { StatsCollector } from "./class/StatsCollector.class.ts";
 import { RegistryTokenStore } from "./registry/RegistryTokenStore.ts";
@@ -95,6 +96,7 @@ type WalkerOptions = Omit<Options, "registry"> & {
   registry: string;
   location?: string;
   npmRcConfig?: Config;
+  npmRcEntries?: Record<string, string>;
 };
 
 type InitialPayload =
@@ -122,16 +124,18 @@ export async function depWalker(
     vulnerabilityStrategy = Vulnera.strategies.NONE,
     registry,
     npmRcConfig,
+    npmRcEntries = {},
     maxConcurrency = 8
   } = options;
 
   const statsCollector = new StatsCollector({ logger }, { isVerbose });
 
   const collectables = kCollectableTypes.map((type) => new DefaultCollectableSet<Metadata>(type));
 
-  const tokenStore = new RegistryTokenStore(npmRcConfig, NPM_TOKEN.token);
+  const tokenStore = new RegistryTokenStore(npmRcConfig, NPM_TOKEN.token, npmRcEntries);
 
   const npmProjectConfig = tokenStore.getConfig(registry);
+  const pacoteScopedConfig = { ...npmProjectConfig, ...npmRcEntries };
 
   const pacoteProvider: PacoteProvider = {
     async extract(spec, dest, opts): Promise<void> {
@@ -140,7 +144,7 @@ export async function depWalker(
         "tarball-scan",
         () => pacote.extract(spec, dest, {
           ...opts,
-          ...npmProjectConfig
+          ...pacoteScopedConfig
         })
       );
     }
@@ -172,10 +176,10 @@ export async function depWalker(
     providers: {
       pacote: {
         manifest: (spec, opts) => statsCollector.track(`pacote.manifest ${spec}`, "tree-walk", () => pacote.manifest(spec,
-          { ...opts, ...npmProjectConfig })),
+          { ...opts, ...pacoteScopedConfig })),
         packument: (spec, opts) => statsCollector.track(`pacote.packument ${spec}`,
           "tree-walk",
-          () => pacote.packument(spec, { ...opts, ...npmProjectConfig }))
+          () => pacote.packument(spec, { ...opts, ...pacoteScopedConfig }))
       }
     }
   });
@@ -234,9 +238,10 @@ export async function depWalker(
       const org = parseNpmSpec(name)?.org;
       if (dependencies.has(name)) {
         const dep = dependencies.get(name)!;
+        const packageRegistry = getRegistryForPackage(name, npmRcEntries, registry);
         operationsQueue.push(
           new NpmRegistryProvider(name, version, {
-            registry,
+            registry: packageRegistry,
             tokenStore,
             npmApiClient
           }).enrichDependencyVersion(dep, dependencyConfusionWarnings, org)
@@ -280,16 +285,17 @@ export async function depWalker(
       }
       else {
         fetchedMetadataPackages.add(name);
+        const packageRegistry = getRegistryForPackage(name, npmRcEntries, registry);
         const provider = new NpmRegistryProvider(name, version, {
-          registry,
+          registry: packageRegistry,
           tokenStore
         });
 
         operationsQueue.push(provider.enrichDependency(logger, dependency));
-        if (registry !== getNpmRegistryURL() && org) {
+        if (packageRegistry !== getNpmRegistryURL() && org) {
           operationsQueue.push(
             new NpmRegistryProvider(name, version, {
-              registry,
+              registry: packageRegistry,
               tokenStore
             }).enrichScopedDependencyConfusionWarnings(dependencyConfusionWarnings, org)
           );

diff --git a/workspaces/scanner/src/index.ts b/workspaces/scanner/src/index.ts
@@ -12,7 +12,7 @@ import type Config from "@npmcli/config";
 
 // Import Internal Dependencies
 import { depWalker } from "./depWalker.ts";
-import { NPM_TOKEN, urlToString } from "./utils/index.ts";
+import { NPM_TOKEN, urlToString, readNpmRc } from "./utils/index.ts";
 import { Logger, ScannerLoggerEvents } from "./class/logger.class.ts";
 import { TempDirectory } from "./class/TempDirectory.class.ts";
 import { comparePayloads } from "./comparePayloads.ts";
@@ -48,13 +48,16 @@ export async function workingDir(
     location
   };
 
+  const npmRcEntries = await readNpmRc(location);
+
   const finalizedOptions = Object.assign(
     { location },
     kDefaultWorkingDirOptions,
     {
       ...options,
       packageLock,
-      registry
+      registry,
+      npmRcEntries
     }
   );
 

diff --git a/workspaces/scanner/src/registry/RegistryTokenStore.ts b/workspaces/scanner/src/registry/RegistryTokenStore.ts
@@ -8,13 +8,25 @@ export class RegistryTokenStore implements TokenStore {
   #memo: Map<string, string | undefined> = new Map();
   #config: Config | undefined;
   #tokenFromEnv: string | undefined;
-  constructor(config: Config | undefined, tokenFromEnv: string | undefined) {
+  #npmRcEntries: Record<string, string>;
+
+  constructor(
+    config: Config | undefined,
+    tokenFromEnv: string | undefined,
+    npmRcEntries: Record<string, string> = {}
+  ) {
     this.#config = config;
     this.#tokenFromEnv = tokenFromEnv;
+    this.#npmRcEntries = npmRcEntries;
   }
 
   get(registry: string): string | undefined {
     if (!this.#config) {
+      const tokenKey = this.getTokenKey(registry);
+      if (tokenKey in this.#npmRcEntries) {
+        return this.#npmRcEntries[tokenKey];
+      }
+
       return this.#tokenFromEnv;
     }
     if (this.#memo.has(registry)) {

diff --git a/workspaces/scanner/src/utils/index.ts b/workspaces/scanner/src/utils/index.ts
@@ -5,6 +5,7 @@ export * from "./getLinks.ts";
 export * from "./urlToString.ts";
 export * from "./getUsedDeps.ts";
 export * from "./isNodesecurePayload.ts";
+export * from "./npmrc.ts";
 
 export const NPM_TOKEN = typeof process.env.NODE_SECURE_TOKEN === "string" ?
   { token: process.env.NODE_SECURE_TOKEN } :

diff --git a/workspaces/scanner/src/utils/npmrc.ts b/workspaces/scanner/src/utils/npmrc.ts
@@ -0,0 +1,70 @@
+// Import Node.js Dependencies
+import { readFile } from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+
+function resolveEnvVars(value: string): string {
+  return value.replace(
+    /\$\{([^}]+)\}/g,
+    (_, envVar) => process.env[envVar] ?? ""
+  );
+}
+
+export function parseNpmRc(content: string): Record<string, string> {
+  const entries: Record<string, string> = {};
+
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith(";")) {
+      continue;
+    }
+
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1) {
+      continue;
+    }
+
+    const key = trimmed.slice(0, eqIndex).trim();
+    const value = resolveEnvVars(trimmed.slice(eqIndex + 1).trim());
+
+    entries[key] = value;
+  }
+
+  return entries;
+}
+
+async function readNpmRcFile(filePath: string): Promise<Record<string, string>> {
+  try {
+    const content = await readFile(filePath, "utf-8");
+
+    return parseNpmRc(content);
+  }
+  catch {
+    return {};
+  }
+}
+
+export async function readNpmRc(location: string): Promise<Record<string, string>> {
+  const [userEntries, projectEntries] = await Promise.all([
+    readNpmRcFile(path.join(os.homedir(), ".npmrc")),
+    readNpmRcFile(path.join(location, ".npmrc"))
+  ]);
+
+  return { ...userEntries, ...projectEntries };
+}
+
+export function getRegistryForPackage(
+  packageName: string,
+  npmRcEntries: Record<string, string>,
+  defaultRegistry: string
+): string {
+  const scopeMatch = packageName.match(/^(@[^/]+)\//);
+  if (scopeMatch) {
+    const scopeKey = `${scopeMatch[1]}:registry`;
+    if (scopeKey in npmRcEntries) {
+      return npmRcEntries[scopeKey];
+    }
+  }
+
+  return defaultRegistry;
+}
diff --git a/workspaces/scanner/test/RegistryTokenStore.spec.ts b/workspaces/scanner/test/RegistryTokenStore.spec.ts
@@ -85,4 +85,44 @@ always-auth=true
       });
     });
   });
+
+  describe("npmRcEntries", () => {
+    const npmRcEntries = {
+      "//npm.private-registry.test/:_authToken": "private-token",
+      "//other.registry.test/:_authToken": "other-token"
+    };
+
+    test("should resolve token from npmRcEntries when no config", () => {
+      const store = new RegistryTokenStore(undefined, undefined, npmRcEntries);
+      assert.strictEqual(
+        store.get("https://npm.private-registry.test/"),
+        "private-token"
+      );
+      assert.strictEqual(
+        store.get("https://other.registry.test/"),
+        "other-token"
+      );
+    });
+
+    test("should fallback to tokenFromEnv when registry not in npmRcEntries", () => {
+      const store = new RegistryTokenStore(undefined, "env-token", npmRcEntries);
+      assert.strictEqual(store.get("https://unknown.registry.test/"), "env-token");
+    });
+
+    test("should prefer npmRcEntries over tokenFromEnv when no config", () => {
+      const store = new RegistryTokenStore(undefined, "env-token", npmRcEntries);
+      assert.strictEqual(
+        store.get("https://npm.private-registry.test/"),
+        "private-token"
+      );
+    });
+
+    test("should ignore npmRcEntries when @npmcli/config is provided", () => {
+      const store = new RegistryTokenStore(config, undefined, npmRcEntries);
+      assert.strictEqual(
+        store.get("https://registry.npmjs.org/"),
+        "public-token"
+      );
+    });
+  });
 });