Mark Miretsky

Reputation: 43

How does NPM v7 access the private SSH key without credentials when pulling down private git packages?

In NPM v6 (on Windows), before you run npm install to pull down one or more private git packages, you are expected to start the ssh agent and add your ssh key to it. When you add your key to the ssh agent, you are prompted for the password. That makes sense.

In NPM v7, however, that no longer seems to be required. It works even without the ssh agent running, and I am not prompted for the password. My question is - how does NPM v7 (or Git) access the private ssh key without credentials? Seems like a possible security vulnerability.

Upvotes: 2

Views: 148

Answers (1)

VonC

Reputation: 1327384

Check first your dependency URL: if it is git+https://, it would not prompt for SSH private key passphrase or SSH agent, but would rely on Git credential caching.

Similarly, for an SSH URL, check your git config -l for any insteadOf directive

cd /path/to/repo
git config -l --show-scope --show-origin|grep -i insteadof

If an SSH URL is automatically transformed into HTTPS, again SSH agent would not be involved. There was even npm/cli/issue 2610 complaining that SSH is used when HTTPS is specified.

The OP Mark Miretsky explains in the comments:

In fact, it turned out that my SSH URL was being automatically transformed into HTTPS, and, because I had my HTTPS credentials stored in Git Credential Store, it wasn't prompting me for credentials

See also a possible workaround at the end of "Error in initiating Astro after choosing a framework".

Upvotes: 1
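To make the answer's check reproducible offline, here is an added example (mine, not VonC's or the OP's) that takes an npm git dependency URL, strips npm's git+ prefix the way npm does before invoking git, applies any url.<base>.insteadOf rewrites from a gitconfig file and reports whether the resulting fetch goes over HTTPS (credential helper/store, no SSH key) or SSH (key and agent). The gitconfig contents are constructed for the demo, and the insteadOf logic is a small awk re-implementation of git's rule (longest matching prefix wins), not git itself; on a real machine the authoritative check remains the git config -l command shown in the answer.

```shell
#!/bin/sh
# Added example: predict the URL and transport git will really use for an
# npm git dependency once insteadOf rewrites are applied. Not part of the
# original question or answer; the gitconfig below is constructed for the demo.

# Write a constructed gitconfig that silently turns GitHub SSH URLs into HTTPS
# and stores HTTPS credentials on disk (the situation the OP ran into).
write_sample_gitconfig() {
  cat > "$1" <<'EOF'
[user]
    name = example
[url "https://github.com/"]
    insteadOf = git@github.com:
[url "https://github.com/"]
    insteadOf = ssh://git@github.com/
[credential]
    helper = store
EOF
}

# npm strips its "git+" scheme prefix (git+ssh://, git+https://) before calling git.
npm_to_git_url() {
  printf '%s\n' "$1" | sed 's/^git+//'
}

# Apply url.<base>.insteadOf rewrites from gitconfig $1 to URL $2.
# Git picks the longest insteadOf prefix that matches; this awk does the same.
# (Re-implementation for illustration; it ignores includes and pushInsteadOf.)
effective_url() {
  awk -v url="$2" '
    /^[ \t]*\[url "/ {                       # start of a [url "<base>"] section
      base = $0
      sub(/^[ \t]*\[url "/, "", base)
      sub(/"][ \t]*$/, "", base)
      next
    }
    /^[ \t]*\[/ { base = ""; next }          # any other section ends the url block
    base != "" && tolower($0) ~ /^[ \t]*insteadof[ \t]*=/ {
      v = $0
      sub(/^[^=]*=[ \t]*/, "", v)            # keep only the value after "="
      if (index(url, v) == 1 && length(v) > best) { best = length(v); newbase = base }
    }
    END { if (best > 0) print newbase substr(url, best + 1); else print url }
  ' "$1"
}

# Name the transport (and therefore the credential source) for a final URL.
transport_of() {
  case "$1" in
    https://*|http://*) echo "https: git credential helper/store, no SSH key involved" ;;
    ssh://*|*@*:*)      echo "ssh: private key via ssh-agent or key file" ;;
    *)                  echo "other: $1" ;;
  esac
}

# Full check for one dependency: $1 = gitconfig path, $2 = npm dependency URL.
check_dep() {
  u=$(npm_to_git_url "$2")
  e=$(effective_url "$1" "$u")
  printf '%s -> %s (%s)\n' "$2" "$e" "$(transport_of "$e")"
}

# Demo run against the constructed config.
cfg=$(mktemp)
write_sample_gitconfig "$cfg"
check_dep "$cfg" "git+ssh://git@github.com/org/private-pkg.git"
check_dep "$cfg" "git+https://github.com/org/private-pkg.git"
check_dep "$cfg" "git@gitlab.com:org/private-pkg.git"
rm -f "$cfg"
```

The first line of the demo output shows the OP's case: a git+ssh:// dependency ends up as https://github.com/..., so the stored HTTPS credentials are used and neither the SSH key nor the agent is ever touched. The GitLab URL has no matching rewrite and stays on SSH, which is where a key passphrase or agent prompt would appear.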
