
[BUG] npm config fix evaluates environment variables when rewriting _auth for a private npm registry #6085

@wcedmisten-reify

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

When using an older .npmrc format with an unqualified _auth key (no registry prefix):

_auth=${AUTH_CREDENTIALS}
npm config fix
`_auth` renamed to `//path/to/remote-npm-registry/:_auth` in project config

However, now my .npmrc contains the literal contents of the environment variable ${AUTH_CREDENTIALS}, which can lead to accidentally committing auth credentials into the repo.

Expected Behavior

npm config fix should leave environment variables as written, and not evaluate their contents when rewriting the _auth key.

The output should contain the original value for _auth, rather than evaluating environment variables used in the value:

//path/to/remote-npm-registry/:_auth=${AUTH_CREDENTIALS}

Steps To Reproduce

  1. On macOS
  2. Using a remote registry (https://docs.npmjs.com/cli/v9/using-npm/registry?v=true)
  3. export AUTH_CREDENTIALS=secret
  4. echo _auth=\${AUTH_CREDENTIALS} > .npmrc
  5. cat .npmrc (the secret credentials are not in this file)
  6. npm config fix
  7. cat .npmrc

You should see:

//path/to/remote-npm-registry/:_auth=secret

Environment

  • npm: 9.3.1
  • Node.js: v19.5.0
  • OS Name: macOS Monterey 12.6
  • System Model Name: MacBook Pro (Intel CPU)
  • npm config:
...
registry = https://path/to/remote-npm-registry/
...
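The rewrite the report asks for (scope the key to the registry, keep the value verbatim) together with the check a practitioner would want before committing .npmrc, as an added example in JavaScript. This is not npm's code and does not reflect how `npm config fix` is implemented; the function names, the sample .npmrc content, the registry URL and the environment object are assumptions made for this example.

```javascript
// Added example, not npm's own code: rewrite an unqualified `_auth` key into
// the registry-scoped form without expanding `${VAR}` references, and flag any
// .npmrc line whose value equals a live environment variable (a secret that
// was expanded into the file). Function names and sample data are assumptions.

// "https://host/path/" -> "//host/path/", the prefix npm uses for
// registry-scoped keys (scheme dropped, trailing slash kept).
function registryScope(registryUrl) {
  const u = new URL(registryUrl);
  const path = u.pathname.endsWith('/') ? u.pathname : `${u.pathname}/`;
  return `//${u.host}${path}`;
}

// Rewrite each unqualified `_auth=value` line to `//host/path/:_auth=value`.
// The value text after `=` is copied as-is, so `${AUTH_CREDENTIALS}` stays a
// reference and is never resolved here. Other lines are left untouched.
function rewriteUnqualifiedAuth(npmrcText, registryUrl) {
  const scope = registryScope(registryUrl);
  return npmrcText
    .split('\n')
    .map((line) => {
      const m = /^\s*_auth\s*=(.*)$/.exec(line);
      return m ? `${scope}:_auth=${m[1]}` : line;
    })
    .join('\n');
}

// Return every config line whose value equals the value of some variable in
// `env`. In a pre-commit hook pass process.env; the sample below passes a
// constructed object so the example runs offline.
function findLeakedEnvValues(npmrcText, env) {
  const byValue = new Map();
  for (const [name, value] of Object.entries(env)) {
    if (value) byValue.set(value, name);
  }
  const leaks = [];
  npmrcText.split('\n').forEach((line, idx) => {
    const eq = line.indexOf('=');
    if (eq < 0 || line.trimStart().startsWith('#')) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (byValue.has(value)) {
      leaks.push({ line: idx + 1, key, envVar: byValue.get(value) });
    }
  });
  return leaks;
}

// Constructed sample input: the .npmrc and registry from the report, and the
// environment variable the report describes being expanded into the file.
const SAMPLE_NPMRC = '_auth=${AUTH_CREDENTIALS}\n';
const SAMPLE_REGISTRY = 'https://path/to/remote-npm-registry/';
const SAMPLE_ENV = { AUTH_CREDENTIALS: 'secret' };

// Expected behaviour: the reference survives and nothing is flagged.
const rewritten = rewriteUnqualifiedAuth(SAMPLE_NPMRC, SAMPLE_REGISTRY);
const leaksInRewritten = findLeakedEnvValues(rewritten, SAMPLE_ENV);

// The file the report actually got: the literal secret, which the check flags.
const leaksInExpanded = findLeakedEnvValues(
  '//path/to/remote-npm-registry/:_auth=secret\n',
  SAMPLE_ENV,
);
```

`findLeakedEnvValues` is deliberately a plain equality check against environment values rather than an entropy heuristic: it catches exactly the failure mode in the report (a value that was meant to stay a `${VAR}` reference ending up as that variable's contents) without false positives on ordinary config values.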

Metadata

Labels

  • Bug: thing that needs fixing
  • Priority 0: will get attention right away
  • Release 9.x: work is associated with a specific npm 9 release
  • Security: security related
