This week: 49 repos in the scanned fleet exposed this category (83 matches).See Radar #4 →

What it is

.npmrc configures npm — registries, scopes, and authentication. A line like //registry.npmjs.org/:_authToken=... grants publish and install rights to private packages.

Why it matters for AI context

An AI assistant indexing the repo can read the auth token from .npmrc and surface it in context or completions. The token can be used to publish or download private packages.

How to keep it out of AI tools

  1. Keep auth tokens in a user-level ~/.npmrc or CI secret, not the project file.
  2. Use environment variable references (${NPM_TOKEN}) in a committed .npmrc instead of literal tokens.
  3. Add .npmrc to .gitignore if it ever contains literal credentials.
  4. Add .npmrc to your AI ignore file as a precaution.
Add to your ignore file
.npmrc

Ignore files that exclude this

FAQ

Can I commit .npmrc at all?
Yes, if it only contains non-secret config or environment variable references. Never commit a literal _authToken.

Check your own project

158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:

Run the same local check with Offsend CLI:

brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-run

Everything runs locally. No file contents are uploaded.