`renv::snapshot()` records repository URL despite `repos = c()` argument

[lschneiderbauer]

Hi,

our team is using a private package repository where authentification works with a token that is passed within the repository URL.
Hence it is undesirable in our case that renv::snapshot() records repository URLs since those contain private tokens, and the renv.lock file is supposed to be shared.

We used the workaround to pass renv::snapshot(repos = c()) which avoided recording of URLs. But with recent versions of renv or R (I don't know exactly which one) the behavior changed, and URLs are now recorded regardless.
Every package in renv.lock contains a "Repository:" entry with the URL.

Is there any way to create renv.lock files that do not contain URLs?

Thanks!

[kevinushey]

Thanks for the bug report! Would you be able to provide a reproducible example? It seems like the following works as I would expect:

lockfile <- renv::snapshot(
  packages = "renv",
  repos = character(),
  lockfile = NULL
)

str(lockfile$R$Repositories)

which gives

> str(lockfile$R$Repositories)
 list()

In case it's related -- are you using Bioconductor in your projects?

[lschneiderbauer]

Thanks for your reply.
I can confirm that lockfile$R$Repositories is empty. However, lockfile$Packages$renv$Repository is not:

lockfile <-
  renv::snapshot(
    packages = "renv",
    repos = character(),
    lockfile = NULL
  )

str(lockfile$R$Repositories)
#>  list()
str(lockfile$Packages$renv$Repository)
#>  chr "https://TOKENINFO@REDUCTED"| __truncated__

^{Created on 2025-12-02 with reprex v2.1.1}

Session info

sessioninfo::session_info()
#> Warning in system2("quarto", "-V", stdout = TRUE, env = paste0("TMPDIR=", :
#> Ausführung von Kommando '"quarto"
#> TMPDIR=C:/Users/6999schneiderbauer/AppData/Local/Temp/Rtmp2zxub2/filea1d033e952e8
#> -V' ergab Status 1
#> ─ Session info ───────────────────────────────────────────────────────────────
#>  setting  value
#>  version  R version 4.5.2 (2025-10-31 ucrt)
#>  os       Windows 11 x64 (build 26100)
#>  system   x86_64, mingw32
#>  ui       RTerm
#>  language (EN)
#>  collate  German_Germany.utf8
#>  ctype    German_Germany.utf8
#>  tz       Europe/Berlin
#>  date     2025-12-02
#>  pandoc   3.6.3 @ C:/Program Files/RStudio/resources/app/bin/quarto/bin/tools/ (via rmarkdown)
#>  quarto   NA @ C:\\PROGRA~1\\RStudio\\RESOUR~1\\app\\bin\\quarto\\bin\\quarto.exe
#> 
#> ─ Packages ───────────────────────────────────────────────────────────────────
#>  package     * version date (UTC) lib source
#>  cli           3.6.5   2025-04-23 [1] CRAN (R 4.5.1)
#>  digest        0.6.38  2025-11-12 [1] CRAN (R 4.5.2)
#>  evaluate      1.0.5   2025-08-27 [1] CRAN (R 4.5.1)
#>  fastmap       1.2.0   2024-05-15 [1] CRAN (R 4.5.1)
#>  fs            1.6.6   2025-04-12 [1] CRAN (R 4.5.1)
#>  glue          1.8.0   2024-09-30 [1] CRAN (R 4.5.1)
#>  htmltools     0.5.8.1 2024-04-04 [1] CRAN (R 4.5.1)
#>  knitr         1.50    2025-03-16 [1] CRAN (R 4.5.1)
#>  lifecycle     1.0.4   2023-11-07 [1] CRAN (R 4.5.1)
#>  renv          1.1.5   2025-07-24 [1] CRAN (R 4.5.2)
#>  reprex        2.1.1   2024-07-06 [1] CRAN (R 4.5.1)
#>  rlang         1.1.6   2025-04-11 [1] CRAN (R 4.5.1)
#>  rmarkdown     2.30    2025-09-28 [1] CRAN (R 4.5.1)
#>  rstudioapi    0.17.1  2024-10-22 [1] CRAN (R 4.5.1)
#>  sessioninfo   1.2.3   2025-02-05 [1] CRAN (R 4.5.1)
#>  withr         3.0.2   2024-10-28 [1] CRAN (R 4.5.1)
#>  xfun          0.54    2025-10-30 [1] CRAN (R 4.5.2)
#>  yaml          2.3.10  2024-07-26 [1] CRAN (R 4.5.0)
#> 
#>  [1] C:/InternationalApplications/R-Library
#>  [2] C:/Program Files/R/R-4.5.2/library
#> 
#> ──────────────────────────────────────────────────────────────────────────────

We do not use Bioconductor packages, only CRAN is mirrored.