[Bug]: Different behavior for $HOME npmrc file with pnpm and rules_js

[scttdavs]

What happened?

Rules_js allows you to use your home npmrc file in addition to the project one via npm_translate_lock and the npmrc and use_home_npmrc fields. The contents of the home npmrc file will override any conflicting settings in the project file. This is great and allows us to specify our auth tokens in the project file via environment variables to work in our CI, but still use the home npmrc locally with user-specific auth credentials.

However, when using pnpm locally, it does the opposite, it overrides the home npmrc file with the project file's settings. These behaviors should be consistent for getting a solution for both local development and CIs to work.

Version

Development (host) and target OS/architectures:

Output of bazel --version: 6.5.0

Version of the Aspect rules, or other relevant rules from your
WORKSPACE or MODULE.bazel file: WORKSPACE

Language(s) and/or frameworks involved: JavaScript

How to reproduce

I think any sample project where local auth tokens are specified in the home npmrc, and in the project npmrc they are specified via env variables. Bazel tasks will install and complete just fine, however local pnpm commands to add/install will fail with "Failed to replace env in config: ${NPM_TOKEN}".

Any other information?

The real issue we're trying to solve is how to have a local npmrc with auth for development that is not checked into source control, while defining environment variables for auth in our CI. If there is a recommended path for this, we'd love to know what it is, if not, creating a path for this would be ideal.