node@18

Local README excerpt

Node 18 Radioisotope

This radioisotope modifies the Homebrew node@18 package, but only changes the installed npm launcher. node and npx continue to run without isotope credential injection.

Security Model

Plaintext npm publishing tokens are commonly stored in ~/.npmrc as _authToken entries. The migration stores one token in the Automic Vault isotope keychain as NODE_AUTH_TOKEN and rewrites matching npm config entries to reference ${NODE_AUTH_TOKEN}.

The post-install hook wraps /opt/node@18/bin/npm. The wrapper injects NODE_AUTH_TOKEN only when an npm publish invocation is detected, then execs the original npm launcher.

Caveats

• Only one npm publishing token is supported.
• Multiple distinct _authToken values fail migration and must be handled

manually.

• Project-level npm configs are not migrated; only the npm user config is

inspected.

Source: data/radioisotopes/node@18/README.md