@superblocksteam/sdk 2.0.123 → 2.0.124-next.0

package/src/cli-replacement/post-upgrade-lockfile-strip.test.mts

@@ -0,0 +1,482 @@
+/**
+ * Tests for post-upgrade-lockfile-strip.
+ *
+ * Strategy: stand up a real on-disk fixture mimicking the dev-server pod
+ * layout (`<prefix>/lib/node_modules/@superblocksteam/cli/...`), then assert
+ * the strip mutates the right files and is idempotent / non-fatal on edge
+ * cases. Avoids mocking the strip helpers because the disk-shape they expect
+ * is the actual contract under test.
+ */
+
+import {
+  mkdir,
+  mkdtemp,
+  readFile,
+  realpath,
+  rm,
+  symlink,
+  writeFile,
+} from "node:fs/promises";
+import * as os from "node:os";
+import * as path from "node:path";
+
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+import type { Logger } from "../telemetry/logging.js";
+import {
+  findGlobalCliInstallDir,
+  stripUpgradedCliLockfiles,
+} from "./post-upgrade-lockfile-strip.mjs";
+
+/**
+ * Vitest mocks structurally don't match the `Logger` interface signatures
+ * (`Mock<Procedure>` vs `(...messages: unknown[]) => void`), so we keep the
+ * mock object loosely typed and cast through `Logger` at call sites. The
+ * `LoggerMock` alias exists so tests can still introspect calls with
+ * `logger.warn.mock.calls` without losing the mock-specific helpers.
+ */
+type LoggerMock = {
+  info: ReturnType<typeof vi.fn>;
+  warn: ReturnType<typeof vi.fn>;
+  error: ReturnType<typeof vi.fn>;
+  debug: ReturnType<typeof vi.fn>;
+};
+
+function makeLogger(): LoggerMock {
+  return {
+    info: vi.fn(),
+    warn: vi.fn(),
+    error: vi.fn(),
+    debug: vi.fn(),
+  };
+}
+
+function asLogger(mock: LoggerMock): Logger {
+  return mock as unknown as Logger;
+}
+
+/**
+ * Lockfile fixture with mixed registries — only public-host `resolved` URLs
+ * should be stripped; `integrity` must survive.
+ */
+function lockfile(version: string) {
+  return {
+    name: "@superblocksteam/cli",
+    version,
+    lockfileVersion: 3,
+    requires: true,
+    packages: {
+      "": {
+        name: "@superblocksteam/cli",
+        version,
+      },
+      "node_modules/some-dep": {
+        version: "1.0.0",
+        resolved: "https://registry.npmjs.org/some-dep/-/some-dep-1.0.0.tgz",
+        integrity: "sha512-abc",
+      },
+      "node_modules/already-stripped": {
+        version: "2.0.0",
+        integrity: "sha512-def",
+      },
+    },
+  };
+}
+
+async function makeCliInstallTree(root: string): Promise<{
+  prefix: string;
+  cliDir: string;
+  cliLockfile: string;
+  cliHiddenLockfile: string;
+  globalHiddenLockfile: string;
+  binShim: string;
+  realBin: string;
+}> {
+  const prefix = path.join(root, ".npm-global");
+  const cliDir = path.join(
+    prefix,
+    "lib",
+    "node_modules",
+    "@superblocksteam",
+    "cli",
+  );
+  await mkdir(cliDir, { recursive: true });
+  await mkdir(path.join(cliDir, "node_modules"), { recursive: true });
+  await mkdir(path.join(cliDir, "bin"), { recursive: true });
+  await mkdir(path.join(prefix, "bin"), { recursive: true });
+
+  // package.json identifying this as @superblocksteam/cli
+  await writeFile(
+    path.join(cliDir, "package.json"),
+    JSON.stringify({ name: "@superblocksteam/cli", version: "2.1.0" }, null, 2),
+  );
+
+  // CLI's own lockfile, with stale public-host resolved URLs
+  const cliLockfile = path.join(cliDir, "package-lock.json");
+  await writeFile(
+    cliLockfile,
+    JSON.stringify(lockfile("2.1.0"), null, 2) + "\n",
+  );
+
+  // CLI's bundled hidden lockfile
+  const cliHiddenLockfile = path.join(
+    cliDir,
+    "node_modules",
+    ".package-lock.json",
+  );
+  await writeFile(
+    cliHiddenLockfile,
+    JSON.stringify(lockfile("2.1.0"), null, 2) + "\n",
+  );
+
+  // npm-global hidden lockfile (lists @superblocksteam/cli itself)
+  const globalHiddenLockfile = path.join(
+    prefix,
+    "lib",
+    "node_modules",
+    ".package-lock.json",
+  );
+  await writeFile(
+    globalHiddenLockfile,
+    JSON.stringify(
+      {
+        name: "global-prefix",
+        lockfileVersion: 3,
+        packages: {
+          "node_modules/@superblocksteam/cli": {
+            version: "2.1.0",
+            resolved:
+              "https://registry.npmjs.org/@superblocksteam/cli/-/cli-2.1.0.tgz",
+            integrity: "sha512-cli",
+          },
+        },
+      },
+      null,
+      2,
+    ) + "\n",
+  );
+
+  // Real binary the shim points at
+  const realBin = path.join(cliDir, "bin", "run.js");
+  await writeFile(realBin, "#!/usr/bin/env node\n");
+
+  // The PATH-resolved shim is a symlink under <prefix>/bin
+  const binShim = path.join(prefix, "bin", "superblocks");
+  await symlink(realBin, binShim);
+
+  return {
+    prefix,
+    cliDir,
+    cliLockfile,
+    cliHiddenLockfile,
+    globalHiddenLockfile,
+    binShim,
+    realBin,
+  };
+}
+
+describe("post-upgrade-lockfile-strip", () => {
+  let tmpRoot: string;
+  let logger: LoggerMock;
+
+  beforeEach(async () => {
+    // Realpath up front so test expectations match `fs.realpath` output on
+    // macOS, where `/var` is a symlink to `/private/var` and any subsequent
+    // realpath() resolves through it. Without this every "expect dir" line
+    // would have to manually realpath() each comparison.
+    tmpRoot = await realpath(
+      await mkdtemp(path.join(os.tmpdir(), "apps-4196-")),
+    );
+    logger = makeLogger();
+  });
+
+  afterEach(async () => {
+    await rm(tmpRoot, { recursive: true, force: true });
+  });
+
+  describe("findGlobalCliInstallDir", () => {
+    it("resolves the CLI install root via which + realpath + walkup", async () => {
+      const tree = await makeCliInstallTree(tmpRoot);
+
+      const which = vi.fn(async () => `${tree.binShim}\n`);
+      const result = await findGlobalCliInstallDir(asLogger(logger), which);
+
+      expect(result).toBe(tree.cliDir);
+      expect(which).toHaveBeenCalledWith("superblocks");
+    });
+
+    it("returns undefined when which/where fails (binary not in PATH)", async () => {
+      const which = vi.fn(async () => {
+        throw new Error("not found");
+      });
+      const result = await findGlobalCliInstallDir(asLogger(logger), which);
+
+      expect(result).toBeUndefined();
+      expect(logger.warn).toHaveBeenCalledWith(
+        expect.stringContaining("which/where superblocks failed"),
+        expect.any(Object),
+      );
+    });
+
+    it("returns undefined when which stdout is empty", async () => {
+      const which = vi.fn(async () => "\n");
+      const result = await findGlobalCliInstallDir(asLogger(logger), which);
+
+      expect(result).toBeUndefined();
+      expect(logger.warn).toHaveBeenCalledWith(
+        expect.stringContaining("superblocks binary not found in PATH"),
+      );
+    });
+
+    it("uses only the first line when which returns multiple paths", async () => {
+      const tree = await makeCliInstallTree(tmpRoot);
+      const which = vi.fn(
+        async () => `${tree.binShim}\n/another/path/superblocks\n`,
+      );
+
+      const result = await findGlobalCliInstallDir(asLogger(logger), which);
+      expect(result).toBe(tree.cliDir);
+    });
+
+    it("accepts @superblocksteam/cli-ephemeral as the CLI package name", async () => {
+      const tree = await makeCliInstallTree(tmpRoot);
+      // Rewrite the manifest as the ephemeral alias
+      await writeFile(
+        path.join(tree.cliDir, "package.json"),
+        JSON.stringify(
+          { name: "@superblocksteam/cli-ephemeral", version: "2.1.0" },
+          null,
+          2,
+        ),
+      );
+
+      const which = vi.fn(async () => `${tree.binShim}\n`);
+      const result = await findGlobalCliInstallDir(asLogger(logger), which);
+      expect(result).toBe(tree.cliDir);
+    });
+
+    it("returns undefined when no CLI manifest is found within the walk bound", async () => {
+      // Symlink targets a path whose ancestors carry no @superblocksteam/cli manifest.
+      const wrongRoot = path.join(tmpRoot, "wrong");
+      await mkdir(wrongRoot, { recursive: true });
+      const realBin = path.join(wrongRoot, "bin");
+      await writeFile(realBin, "#!/usr/bin/env node\n");
+      const shim = path.join(tmpRoot, "shim");
+      await symlink(realBin, shim);
+
+      const which = vi.fn(async () => `${shim}\n`);
+      const result = await findGlobalCliInstallDir(asLogger(logger), which);
+      expect(result).toBeUndefined();
+    });
+  });
+
+  describe("stripUpgradedCliLockfiles", () => {
+    it("strips resolved from all three lockfile locations", async () => {
+      const tree = await makeCliInstallTree(tmpRoot);
+
+      const result = await stripUpgradedCliLockfiles(asLogger(logger), {
+        installDir: tree.cliDir,
+      });
+
+      expect(result.installDir).toBe(tree.cliDir);
+      // The success info log is the operator-facing signal that the strip
+      // ran; assert it fires exactly once on the happy path.
+      expect(logger.info).toHaveBeenCalledTimes(1);
+      expect(logger.warn).not.toHaveBeenCalled();
+
+      // CLI's own lockfile: public-host resolved gone, integrity preserved
+      const cli = JSON.parse(await readFile(tree.cliLockfile, "utf-8"));
+      expect(cli.packages["node_modules/some-dep"].resolved).toBeUndefined();
+      expect(cli.packages["node_modules/some-dep"].integrity).toBe(
+        "sha512-abc",
+      );
+
+      // CLI's hidden lockfile
+      const hidden = JSON.parse(
+        await readFile(tree.cliHiddenLockfile, "utf-8"),
+      );
+      expect(hidden.packages["node_modules/some-dep"].resolved).toBeUndefined();
+
+      // Global hidden lockfile (the @superblocksteam/cli listing itself)
+      const global = JSON.parse(
+        await readFile(tree.globalHiddenLockfile, "utf-8"),
+      );
+      expect(
+        global.packages["node_modules/@superblocksteam/cli"].resolved,
+      ).toBeUndefined();
+      expect(
+        global.packages["node_modules/@superblocksteam/cli"].integrity,
+      ).toBe("sha512-cli");
+    });
+
+    it("is idempotent — second call produces no further changes", async () => {
+      const tree = await makeCliInstallTree(tmpRoot);
+
+      await stripUpgradedCliLockfiles(asLogger(logger), {
+        installDir: tree.cliDir,
+      });
+      const after1 = await readFile(tree.cliLockfile, "utf-8");
+
+      await stripUpgradedCliLockfiles(asLogger(logger), {
+        installDir: tree.cliDir,
+      });
+      const after2 = await readFile(tree.cliLockfile, "utf-8");
+
+      expect(after2).toBe(after1);
+    });
+
+    it("returns no installDir and does not throw when discovery fails", async () => {
+      const which = vi.fn(async () => {
+        throw new Error("not found");
+      });
+
+      const result = await stripUpgradedCliLockfiles(asLogger(logger), {
+        whichRunner: which,
+      });
+      expect(result).toEqual({});
+      // No success log should fire when there was no work to do.
+      expect(logger.info).not.toHaveBeenCalled();
+    });
+
+    it("does not throw when global hidden lockfile is absent (npm v6 layout)", async () => {
+      const tree = await makeCliInstallTree(tmpRoot);
+      await rm(tree.globalHiddenLockfile);
+
+      await expect(
+        stripUpgradedCliLockfiles(asLogger(logger), {
+          installDir: tree.cliDir,
+        }),
+      ).resolves.toEqual({ installDir: tree.cliDir });
+
+      // The other two were still stripped
+      const cli = JSON.parse(await readFile(tree.cliLockfile, "utf-8"));
+      expect(cli.packages["node_modules/some-dep"].resolved).toBeUndefined();
+    });
+
+    it("returns and warns when the inner strip exceeds the timeout", async () => {
+      // Simulate a hung strip (e.g. wedged I/O on a network-mounted prefix).
+      // Without the timeout, this would extend `cliUpgradePromise` and block
+      // dev-server startup; the timeout converts that into a bounded warn.
+      const tree = await makeCliInstallTree(tmpRoot);
+
+      const stripModule =
+        await import("@superblocksteam/vite-plugin-file-sync/npm-registry");
+      const stripSpy = vi
+        .spyOn(stripModule, "stripResolvedFromLockfile")
+        .mockImplementation(() => new Promise(() => {}));
+
+      try {
+        const result = await stripUpgradedCliLockfiles(asLogger(logger), {
+          installDir: tree.cliDir,
+          timeoutMs: 10,
+        });
+
+        expect(result).toEqual({ installDir: tree.cliDir });
+        expect(logger.warn).toHaveBeenCalledTimes(1);
+        expect(logger.warn).toHaveBeenCalledWith(
+          expect.stringContaining("strip exceeded timeout"),
+          expect.objectContaining({
+            installDir: tree.cliDir,
+            timeoutMs: 10,
+          }),
+        );
+        expect(logger.info).not.toHaveBeenCalled();
+      } finally {
+        stripSpy.mockRestore();
+      }
+    });
+
+    it("suppresses a post-timeout rejection so the abandoned strip cannot crash the pod", async () => {
+      // After the timeout wins the race we abandon `stripWork`. If a later
+      // rejection from the inner helpers (e.g. EACCES on the atomic rename)
+      // had no subscriber, Node would surface it as an unhandled rejection
+      // and exit the dev-server process. This test wires up a strip that
+      // rejects strictly after the timeout fires, then asserts the wrapper
+      // resolves cleanly AND logs the post-timeout rejection via its tail
+      // handler.
+      const tree = await makeCliInstallTree(tmpRoot);
+
+      let rejectStrip: (error: Error) => void = () => {};
+      const pendingStrip = new Promise<void>((_, reject) => {
+        rejectStrip = reject;
+      });
+
+      const unhandled: unknown[] = [];
+      const onUnhandled = (reason: unknown): void => {
+        unhandled.push(reason);
+      };
+      process.on("unhandledRejection", onUnhandled);
+
+      const stripModule =
+        await import("@superblocksteam/vite-plugin-file-sync/npm-registry");
+      const stripSpy = vi
+        .spyOn(stripModule, "stripResolvedFromLockfile")
+        .mockImplementation(() => pendingStrip);
+
+      try {
+        const result = await stripUpgradedCliLockfiles(asLogger(logger), {
+          installDir: tree.cliDir,
+          timeoutMs: 10,
+        });
+
+        expect(result).toEqual({ installDir: tree.cliDir });
+        expect(logger.warn).toHaveBeenCalledWith(
+          expect.stringContaining("strip exceeded timeout"),
+          expect.objectContaining({ installDir: tree.cliDir }),
+        );
+
+        rejectStrip(new Error("simulated post-timeout rejection"));
+        // Let the rejection propagate and the tail .catch() run.
+        await new Promise((resolve) => setImmediate(resolve));
+
+        expect(unhandled).toEqual([]);
+        expect(logger.warn).toHaveBeenCalledWith(
+          expect.stringContaining("background strip rejected after timeout"),
+          expect.objectContaining({
+            installDir: tree.cliDir,
+            error: expect.objectContaining({
+              message: "simulated post-timeout rejection",
+            }),
+          }),
+        );
+      } finally {
+        process.off("unhandledRejection", onUnhandled);
+        stripSpy.mockRestore();
+      }
+    });
+
+    it("does not throw or emit the success log when an inner strip rejects unexpectedly", async () => {
+      // Replace the CLI's lockfile with a directory at the same path — the
+      // inner helper's readFile will see EISDIR. The lower-level helpers
+      // documented as swallowing errors should keep the Promise.all from
+      // rejecting, but if a future refactor changes that, this test asserts
+      // the wrapper's belt-and-suspenders catch still keeps the function
+      // non-fatal AND suppresses the success log.
+      const tree = await makeCliInstallTree(tmpRoot);
+      await rm(tree.cliLockfile);
+      await mkdir(tree.cliLockfile);
+
+      const stripModule =
+        await import("@superblocksteam/vite-plugin-file-sync/npm-registry");
+      const stripSpy = vi
+        .spyOn(stripModule, "stripResolvedFromLockfile")
+        .mockRejectedValue(new Error("simulated unexpected throw"));
+
+      try {
+        await expect(
+          stripUpgradedCliLockfiles(asLogger(logger), {
+            installDir: tree.cliDir,
+          }),
+        ).resolves.toEqual({ installDir: tree.cliDir });
+
+        // Wrapper logged a warn for the unexpected error; the success info
+        // log MUST NOT have fired (otherwise pod logs would falsely claim
+        // the strip completed).
+        expect(logger.warn).toHaveBeenCalledTimes(1);
+        expect(logger.info).not.toHaveBeenCalled();
+      } finally {
+        stripSpy.mockRestore();
+      }
+    });
+  });
+});

package/src/cli-replacement/userconfig-env.integration.test.mts

@@ -0,0 +1,189 @@
+/**
+ * Integration test: real `npm` and `pnpm` subprocesses read the
+ * Superblocks-owned userconfig when our env overlay is set. Pins the
+ * contract that `buildInstallEnv` and the dev-server startup install
+ * rely on.
+ *
+ * Why this exists:
+ *   - Unit tests assert the spawned `env` includes the userconfig keys,
+ *     but they cannot tell us whether npm/pnpm actually *honor* them.
+ *     Earlier iterations of this PR tripped on two real CLI gaps that
+ *     the unit tests missed:
+ *       1. pnpm rejects `--userconfig=` as a CLI flag (pnpm/pnpm#6036)
+ *       2. pnpm 11 stopped honouring `NPM_CONFIG_USERCONFIG` (config
+ *          keys must now be `pnpm_config_*` instead).
+ *   - This file spawns the real binaries and asserts the registry
+ *     comes back from our fixture userconfig.
+ *
+ * Env scrubbing: pnpm/npm inject many `(npm|pnpm)_config_*` env vars
+ * into spawned child processes. Those take precedence over userconfig
+ * (env > userconfig in the npm config priority chain), which means the
+ * fixture would be silently overridden if we forwarded the test
+ * runner's env as-is. We strip those vars on the spawn so the assertion
+ * exercises the userconfig pathway in isolation.
+ */
+
+import { execFile } from "node:child_process";
+import { mkdtemp, rm, writeFile } from "node:fs/promises";
+import * as os from "node:os";
+import * as path from "node:path";
+import { promisify } from "node:util";
+
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+
+import { buildInstallEnv } from "./automatic-upgrades.js";
+
+const execFileAsync = promisify(execFile);
+
+const FIXTURE_REGISTRY = "https://test-registry.superblocks.example.invalid/";
+
+/**
+ * Strip every `(npm|pnpm)_config_*` var the test runner inherited so
+ * the userconfig file is the only registry source. Then layer the
+ * production env overlay on top. The assertion is then "with our
+ * env overlay applied, both binaries read the fixture" — exactly
+ * what production sees in a pod (no inherited package-manager env).
+ */
+function spawnEnv(userconfigPath: string): NodeJS.ProcessEnv {
+  const scrubbed: NodeJS.ProcessEnv = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (/^(npm|pnpm)_config_/i.test(k)) continue;
+    scrubbed[k] = v;
+  }
+  // 2nd arg is `logsDir` (omitted here); the scrubbed env is the base env.
+  return buildInstallEnv(userconfigPath, undefined, scrubbed);
+}
+
+/** Probe whether the binary is on PATH. Cleanly skips the test when
+ * the tool is unavailable (shouldn't happen in CI, but lets us run
+ * this file locally without special setup). */
+async function whichOrSkip(bin: string): Promise<string | undefined> {
+  try {
+    const { stdout } = await execFileAsync(
+      process.platform === "win32" ? "where" : "which",
+      [bin],
+    );
+    const candidate = stdout.split(/\r?\n/)[0].trim();
+    return candidate || undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+describe("userconfig env plumbing (real npm + pnpm subprocesses)", () => {
+  let tmpDir: string;
+  let userconfigPath: string;
+
+  beforeEach(async () => {
+    tmpDir = await mkdtemp(path.join(os.tmpdir(), "userconfig-integration-"));
+    userconfigPath = path.join(tmpDir, "npmrc");
+    await writeFile(userconfigPath, `registry=${FIXTURE_REGISTRY}\n`, {
+      mode: 0o400,
+    });
+  });
+
+  afterEach(async () => {
+    await rm(tmpDir, { recursive: true, force: true });
+  });
+
+  it("npm honors NPM_CONFIG_USERCONFIG", async () => {
+    const npmBin = await whichOrSkip("npm");
+    if (!npmBin) return;
+
+    const { stdout } = await execFileAsync(
+      npmBin,
+      ["config", "get", "registry"],
+      { env: spawnEnv(userconfigPath), cwd: tmpDir },
+    );
+
+    expect(stdout.trim()).toBe(FIXTURE_REGISTRY);
+  });
+
+  it("pnpm honors the userconfig (NPM_CONFIG_USERCONFIG or PNPM_CONFIG_USERCONFIG)", async () => {
+    // Critical: pnpm 11 stopped honouring NPM_CONFIG_USERCONFIG. The
+    // production env overlay sets BOTH NPM_CONFIG_USERCONFIG and
+    // PNPM_CONFIG_USERCONFIG to cover pnpm <= 10 and pnpm 11+. If a
+    // future pnpm bump changes the contract again, this test fails
+    // loudly.
+    const pnpmBin = await whichOrSkip("pnpm");
+    if (!pnpmBin) return;
+
+    const { stdout } = await execFileAsync(
+      pnpmBin,
+      ["config", "get", "registry"],
+      { env: spawnEnv(userconfigPath), cwd: tmpDir },
+    );
+
+    expect(stdout.trim()).toBe(FIXTURE_REGISTRY);
+  });
+
+  it("pnpm REJECTS --userconfig= as a CLI flag (pnpm/pnpm#6036)", async () => {
+    // This is the contract that rules out the per-flag approach for
+    // pnpm. Documents the CLI-flag asymmetry: npm accepts the flag,
+    // pnpm rejects it.
+    const pnpmBin = await whichOrSkip("pnpm");
+    if (!pnpmBin) return;
+
+    await expect(
+      execFileAsync(
+        pnpmBin,
+        [`--userconfig=${userconfigPath}`, "config", "get", "registry"],
+        { cwd: tmpDir },
+      ),
+    ).rejects.toThrow(/Unknown option.*userconfig/);
+  });
+
+  it("pnpm 11 ignores NPM_CONFIG_USERCONFIG when PNPM_CONFIG_USERCONFIG is unset", async () => {
+    // Regression guard for the pnpm 11 behaviour change. If this test
+    // ever starts FAILING (i.e. pnpm 11 reads the fixture from
+    // NPM_CONFIG_USERCONFIG alone) we can drop the PNPM_CONFIG_*
+    // overlay — but until then, both vars are required.
+    //
+    // We can only run this when pnpm >= 11 is installed; for older
+    // pnpm versions NPM_CONFIG_USERCONFIG works and the regression
+    // doesn't apply.
+    const pnpmBin = await whichOrSkip("pnpm");
+    if (!pnpmBin) return;
+
+    const { stdout: versionOut } = await execFileAsync(pnpmBin, ["--version"]);
+    const major = Number.parseInt(versionOut.trim().split(".")[0], 10);
+    if (!Number.isFinite(major) || major < 11) return;
+
+    const scrubbed: NodeJS.ProcessEnv = {};
+    for (const [k, v] of Object.entries(process.env)) {
+      if (/^(npm|pnpm)_config_/i.test(k)) continue;
+      scrubbed[k] = v;
+    }
+    scrubbed.NPM_CONFIG_USERCONFIG = userconfigPath;
+    // Deliberately do NOT set PNPM_CONFIG_USERCONFIG.
+
+    const { stdout } = await execFileAsync(
+      pnpmBin,
+      ["config", "get", "registry"],
+      { env: scrubbed, cwd: tmpDir },
+    );
+
+    expect(stdout.trim()).not.toBe(FIXTURE_REGISTRY);
+  });
+
+  it("npm does NOT read the fixture registry when no userconfig env var is set", async () => {
+    // Sanity check that the test isn't passing because the binary
+    // defaults to our fixture URL.
+    const npmBin = await whichOrSkip("npm");
+    if (!npmBin) return;
+
+    const scrubbed: NodeJS.ProcessEnv = {};
+    for (const [k, v] of Object.entries(process.env)) {
+      if (/^(npm|pnpm)_config_/i.test(k)) continue;
+      scrubbed[k] = v;
+    }
+
+    const { stdout } = await execFileAsync(
+      npmBin,
+      ["config", "get", "registry"],
+      { env: scrubbed, cwd: tmpDir },
+    );
+
+    expect(stdout.trim()).not.toBe(FIXTURE_REGISTRY);
+  });
+});