Private github npm packages and lockFileMaintenance

[bodograumann]

How are you running Renovate?

A Mend.io-hosted app

Which platform you running Renovate on?

GitHub.com

Which version of Renovate are you using?

42.74.5

Please tell us more about your question or problem

We are publishing npm packages to the private github npm registry and installing them again in other npm projects in github.
I was able to configure renovate to find updates to these packages, by defining a package rule that changes the registryUrl like this:

    {
      "description": "Fetch our own npm packages from github",
      "matchDatasources": ["npm"],
      "matchDepNames": ["@mia-gmbh/*"],
      "registryUrls": ["https://npm.pkg.github.com"],
      "minimumReleaseAge": "0 days"
    }

and by providing a token via the developer.mend.io host rules.

However now the lockfileMaintenance runs npm directly and tries to update our packages from npmjs.org again.
Is that a bug, or is there even more I need to configure?
I would have expected all of this to work out-of-the-box, given we are running the renovate github app.

Logs (if relevant)

Logs

npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm notice Access token expired or revoked. Please try logging in again.
npm error code E404
npm error 404 Not Found - GET https://registry.npmjs.org/@mia-gmbh%2feslint-config - Not found
npm error 404
npm error 404  The requested resource '@mia-gmbh/eslint-config@^6.0.0' could not be found or you do not have permission to access it.
npm error 404
npm error 404 Note that you can also install from a
npm error 404 tarball, folder, http url, or git url.
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-01-16T10_02_35_753Z-debug-0.log

[jamietanna]

How do engineers working on the codebase currently set this up, out of interest?

I'd say that if you can configure the registry for that package (i.e. via a .npmrc in the repo) then Renovate will follow that for that dependency as expected, as well as it working when the npm CLI is executed for lockFileMaintenace

[bodograumann]

The engineers are setting up one .npmrc on their machines.
I read about the npmrc field for renovate config. Not sure though how to use secrets in there.
Also I read that this conflicts with the npmrc that renovate generates itself. So I might have to disable the other method?

[bodograumann]

I duplicated the information from the host rules in the npmrc field and now it works fine. E.g.

  "npmrc": "@fortawesome:registry=https://npm.fontawesome.com/\n//npm.fontawesome.com/:_authToken={{ secrets.FONTAWESOME_TOKEN }}",