How can I manually validate npm:HOSTNAME_MISMATCH?

Inspect SANs for the registry cert: `openssl s_client -connect :443 -servername </dev/null | openssl x509 -noout -text`. Confirm the hostname appears under Subject Alternative Name (SAN).

How do I prevent npm:HOSTNAME_MISMATCH in CI?

Avoid registry host aliases that do not match the deployed certificate. Keep `.npmrc` scope mappings explicit and reviewed.

RepoFlow | npm ERR! code HOSTNAME

Q: What does npm:HOSTNAME_MISMATCH mean?

npm connected to a host whose certificate doesn't match the hostname (CN/SAN mismatch).

Q: How do I prevent npm:HOSTNAME_MISMATCH in CI?

Avoid registry host aliases that do not match the deployed certificate. Keep `.npmrc` scope mappings explicit and reviewed.

What This Error Means

npm connected to a host whose certificate doesn't match the hostname (CN/SAN mismatch).

How to Fix It

Confirm which registry host npm is calling: npm config get registry.
Check for proxy settings: npm config get proxy and npm config get https-proxy.
Check TLS config: npm config get strict-ssl and npm config get cafile.
If you use scoped registries, verify .npmrc mapping (example: @your-scope:registry=...).
If you use a private registry, ensure the certificate includes the exact hostname you use in .npmrc.
If you control the registry/proxy, ensure it serves the full certificate chain (leaf + intermediates).
Inspect the served chain: openssl s_client -showcerts -connect <host>:443 -servername <host> </dev/null.
Quick confirmation (insecure, temporary): run once with npm --strict-ssl=false <command>. If it works, fix CA trust instead of leaving SSL checks disabled.
Alternative temporary config toggle (insecure): npm config set strict-ssl false, retry once, then immediately revert: npm config set strict-ssl true.
Alternative one-off (insecure): run once with NODE_TLS_REJECT_UNAUTHORIZED=0 (do not use in CI, remove afterward).
Proper fix: trust the CA that is signing the certificate chain.
If you are behind a corporate TLS proxy, export the corporate root CA and configure npm: npm config set cafile /path/to/corp-ca.pem.
In CI, prefer NODE_EXTRA_CA_CERTS=/path/to/corp-ca.pem so Node trusts the internal CA without changing global npm config.
Retry with npm --verbose and keep the full output for troubleshooting.

Why It Happens

The registry hostname does not match the certificate (CN/SAN mismatch).
A proxy is presenting a certificate for a different hostname.
You are hitting the wrong registry host due to .npmrc scope mapping or an env override.

How to Verify

Run npm ping and confirm it succeeds.
Re-run the original command and confirm HOSTNAME_MISMATCH is gone.

Manual certificate validation

Inspect SANs for the registry cert: openssl s_client -connect <host>:443 -servername <host> </dev/null | openssl x509 -noout -text.
Confirm the hostname appears under Subject Alternative Name (SAN).

Common CLI Output

npm ERR! code HOSTNAME_MISMATCH

How npm verifies TLS certificates

npm uses Node.js for HTTPS. Node verifies the certificate chain and checks that the certificate matches the hostname you requested.
If the hostname does not match, the connection is rejected even if the certificate is otherwise trusted.

Prevention Tips

Avoid registry host aliases that do not match the deployed certificate.
Keep .npmrc scope mappings explicit and reviewed.

Where This Can Be Triggered

github.com/npm/cli/blob/417daa72b09c5129e7390cd12743ef31bf3ddb83/lib/utils/ping.js

This is the registry request path where npm talks to the network. DNS/TLS errors like this code are raised by Node/OS during this request. - GitHub

// used by the ping and doctor commands
const npmFetch = require('npm-registry-fetch')
module.exports = async (flatOptions) => {
  const res = await npmFetch('/-/ping', { ...flatOptions, cache: false })
  return res.json().catch(() => ({}))
}