Wanted to say that @mpan-wework’s suggestion worked for me, and it felt like the least amount of compromise. The tricky bit is that the developers on my team need to use both private npm packages and packages published to a self-hosted GitLab registry, so there are multiple config steps required. I was able to create an .npmrc file in an arbitrary folder within my project(s), which is setup to use environment variables that I’ve set at a team level. I then added a line to netlify.toml to set the NPM_CONFIG_USERCONFIG option.
Inside netlify.toml:
[build.environment]
NPM_CONFIG_USERCONFIG = "./netlify/.npmrc"
And then I have a file within my project at ./netlify/.npmrc:
# Auth for private GitLab registry modules
@my-scope:registry=https://${gitlab_instance_url}/api/v4/packages/npm/
//${gitlab_instance_url}/api/v4/packages/npm/:_authToken=${GL_REGISTRY_TOKEN}
# Auth for private npm modules
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
The variables NPM_TOKEN and GL_REGISTRY_TOKEN are both exposed in the Team / Sites / Global site settings.
The downside: every project we build needs to include this file and this configuration in netlify.toml, but this is fairly minor.
The upside: everything “just works” without forcing developers to alter their local development environments to accommodate builds in Netlify. This file is only used in the context of Netlify, and it only needs to be updated if and when we add more registries.