configure node.js to use the system ca trust store

provision/use-npm-repository.sh

@@ -20,7 +20,12 @@ npm --version
 
 # configure npm to trust our system trusted CAs.
 # NB never turn off ssl verification with npm config set strict-ssl false
-npm config set cafile /etc/ssl/certs/ca-certificates.crt
+# NB since node.js 22.19.0 we no longer need to use npm config set cafile to use
+#    a private ca. instead, either set the NODE_USE_SYSTEM_CA environment
+#    variable or use the --use-system-ca command line option.
+#    see https://github.com/nodejs/node/pull/59276
+#    see https://nodejs.org/docs/latest-v22.x/api/cli.html#--use-system-ca
+export NODE_USE_SYSTEM_CA='1'
 
 #
 # configure npm to use the npm-group repository.
@@ -62,7 +67,7 @@ export NPM_PASS=password
 export NPM_EMAIL=alice.doe@example.com
 export NPM_REGISTRY=https://$nexus_domain/repository/npm-hosted/
 npm install npm-registry-client@8.6.0
-npm_auth_token=$(NODE_PATH=$PWD/node_modules node --use-openssl-ca /vagrant/provision/npm-login.js 2>/dev/null)
+npm_auth_token=$(NODE_PATH=$PWD/node_modules node /vagrant/provision/npm-login.js 2>/dev/null)
 npm set //$nexus_domain/repository/npm-hosted/:_authToken $npm_auth_token
 
 # publish.

provision/windows/export-windows-ca-certificates.ps1

@@ -1,16 +0,0 @@
-# dump all the windows trusted roots into a ca file.
-$pems = New-Object System.Text.StringBuilder
-Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object {
-    # $_ is-a System.Security.Cryptography.X509Certificates.X509Certificate2
-    Write-Host "Exporting the $($_.Issuer) certificate..."
-    [void]$pems.AppendLine('-----BEGIN CERTIFICATE-----')
-    [void]$pems.AppendLine(
-        [Convert]::ToBase64String(
-            $_.Export('Cert'),
-            'InsertLineBreaks'));
-    [void]$pems.AppendLine("-----END CERTIFICATE-----");
-}
-Set-Content `
-    -Encoding Ascii `
-    C:\ProgramData\ca-certificates.crt `
-    $pems.ToString()

provision/windows/use-npm-repository.ps1

@@ -36,10 +36,14 @@ Update-SessionEnvironment
 node --version
 npm --version
 
-# configure npm to trust our system trusted CAs.
+# configure node/npm to trust our system trusted CAs.
 # NB never turn off ssl verification with npm config set strict-ssl false
-c:\vagrant\provision\windows\export-windows-ca-certificates.ps1
+# NB since node.js 22.19.0 we no longer need to use npm config set cafile to use
-npm config set cafile c:/ProgramData/ca-certificates.crt
+#    a private ca. instead, either set the NODE_USE_SYSTEM_CA environment
+#    variable or use the --use-system-ca command line option.
+#    see https://github.com/nodejs/node/pull/59276
+#    see https://nodejs.org/docs/latest-v22.x/api/cli.html#--use-system-ca
+$env:NODE_USE_SYSTEM_CA='1'
 
 #
 # configure npm to use the npm-group repository.
@@ -88,8 +92,7 @@ $env:NPM_EMAIL='alice.doe@example.com'
 $env:NPM_REGISTRY="https://$nexusDomain/repository/npm-hosted/"
 npm install npm-registry-client@8.6.0
 $env:NODE_PATH="$PWD/node_modules"
-$env:NODE_EXTRA_CA_CERTS='C:\ProgramData\ca-certificates.crt'
+$npmAuthToken = node /vagrant/provision/npm-login.js 2>$null
-$npmAuthToken = node --use-openssl-ca /vagrant/provision/npm-login.js 2>$null
 npm set "//$nexusDomain/repository/npm-hosted/:_authToken" $npmAuthToken
 
 # publish.