No ability to create PAT with read-only access to NPM registry

Summary

There is no way to create a personal access token with read-only access to GitLab NPM registries.

Steps to reproduce

  1. Navigate to the PAT page

Observe that there is no read_npm_registry (or similarly named) access level.

Example Project

install_package:
  stage: build
  image: node:current-alpine
  script:
      - npm set @foo:registry=https://gitlab.com/api/v4/packages/npm/
      - npm set //gitlab.com/api/v4/packages/npm/:_authToken=$MY_PAT
      - npm install @foo/my-package

The above only succeeds if $MY_PAT has api access.
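The job above configures the scoped registry and token through the global npm config and then has to interpret npm's failure output by eye. As an added example (not part of this issue or of GitLab's own code), the POSIX shell functions below do the same setup in a job-local .npmrc instead, and classify npm's output so that an E403 insufficient_scope failure (the token works but lacks the scope the registry checks) is told apart from an outright rejected token. The scope name `foo`, the host `gitlab.com`, the token value and the sample log lines are constructed for the example.

```sh
#!/bin/sh
# Added example: job-local npm registry configuration plus a small triage
# helper for npm's error output. Not from the issue or from GitLab.

# Write the scoped registry and its auth token to a per-project .npmrc
# (the file npm reads from the current working directory) rather than to
# the user-level config that `npm set` modifies.
#   $1 = npm scope (without "@"), $2 = GitLab host, $3 = token, $4 = output file
write_npmrc() {
  scope="$1"; host="$2"; token="$3"; out="$4"
  printf '%s\n' \
    "@${scope}:registry=https://${host}/api/v4/packages/npm/" \
    "//${host}/api/v4/packages/npm/:_authToken=${token}" > "$out"
}

# Classify a captured npm log ($1 = path to the log file). Prints one of:
#   ok                  no "npm ERR!" lines at all
#   insufficient_scope  E403 with the registry's insufficient_scope hint,
#                       i.e. the token authenticated but its scope is too narrow
#   unauthorized        E401: the token itself was rejected
#   other               any other npm error
classify_npm_output() {
  log="$1"
  if ! grep -q 'npm ERR!' "$log"; then
    echo ok
    return
  fi
  if grep -q 'code E403' "$log" && grep -q 'insufficient_scope' "$log"; then
    echo insufficient_scope
    return
  fi
  if grep -q 'code E401' "$log"; then
    echo unauthorized
    return
  fi
  echo other
}

# Demo on constructed input (token value is a placeholder).
workdir="$(mktemp -d)"
write_npmrc foo gitlab.com EXAMPLE_TOKEN_PLACEHOLDER "$workdir/.npmrc"
# Sample log constructed from the failure shape the issue reports.
printf '%s\n' \
  'npm ERR! code E403' \
  'npm ERR! 403 Forbidden - GET https://gitlab.com/api/v4/packages/npm/@foo%2fmy-package - insufficient_scope' \
  > "$workdir/npm-403.log"
echo "npm-403.log -> $(classify_npm_output "$workdir/npm-403.log")"
```

In a CI job the .npmrc would be written into the checkout directory before `npm install`, so the token never lands in the image's user-level config, and the job's npm output can be piped through `classify_npm_output` to turn the E403 into an explicit "token scope too narrow" signal for whoever maintains the token.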

What is the current bug behavior?

Too much access is granted by users to tokens used to access NPM registries in gitlab-ci, creating a security risk.

What is the expected correct behavior?

Correct access level is available.

Relevant logs and/or screenshots

With any permission other than api:

$ npm install @foo/my-package
npm ERR! code E403
npm ERR! 403 Forbidden - GET https://gitlab.com/api/v4/packages/npm/@foo%2fmy-package - insufficient_scope

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2019-09-26T19_20_04_473Z-debug.log

Output of checks

This bug happens on GitLab.com

Possible fixes

None identified.

Edited Sep 26, 2019 by James Tharpe