NPM publish to scoped private package without having to login - node.js

I am trying to find a way to publish a private npm package without having to log in to npm every time. I guess I can achieve that by using an .npmrc file in the root of the project, but I can't find more details on how exactly to achieve that, or how to generate the npmrc with the right config.
Any idea? Any help highly appreciated.

I think to publish your private npm package you need to log in to npm once, the first time. After the first successful login, npm creates an _authToken in your .npmrc file. Until and unless your .npmrc file contains this _authToken with the appropriate value, you don't need to log in again to npm to publish the next npm package.
To the best of my knowledge, unless you remove that _authToken, delete the .npmrc file, or manually log out from npm, I am sure you don't have to log in again to publish an npm package.
Hope this will help you :)

Related

Use auth token to query a private NPM registry for a given package version, but without filesystem access?

The purpose of this effort is to be able to test whether a package version exists in a private registry, without having to touch the filesystem / config files. For packages in public registries this is perfectly straightforward: npm view lpad@2.0.1 produces some information about that published version, but (as of this writing) npm view lpad@201.0.0 does not have any information or output. I'm using this to infer the existence of packages.
I can also pass a private registry URL to npm view <packagename>, as in npm view <packagename> --registry https://private.registry/path/. This seems to hit the private registry even though it isn't explicitly mentioned in the npm-view documentation (but it's described in the npm-search documentation, so I take this to mean it's a documented API feature).
To be able to talk to private registries at all, I can use an authentication token in the query according to these npm instructions for doing it in a CI/CD workflow: put it into the .npmrc file like this:
//your_registry/:_authToken=12345
Or more securely, //your_registry/:_authToken=${TOKEN} and set the TOKEN environment variable to 12345 elsewhere.
What I can't figure out how to do is use npm view against a private npm registry, without writing to the .npmrc file.
I plan to be running several queries in parallel from the same machine, so to avoid race conditions in the .npmrc file, I'd rather pass the authentication directly in each command. I assume that with an auth token, this is just a simple curl command but I haven't had much luck finding information on how the NPM API works. (The npm-registry-client doesn't appear to do anything related to view/find; it has access which sets an access level).
Am I missing something blindingly obvious? Where can I find a guide on the request format for view and/or search functions of an NPM registry? What is the curl command that includes sending the auth token, package name, and version and receives some indication of whether it exists?
Found the answer here: https://github.com/npm/registry/blob/master/docs/user/authentication.md
#!/bin/sh
curl -H "Authorization: Bearer $TOKEN" "https://your_registry/$PACKAGE/$VERSION"
If the package does not exist, it will return {}. If it does, you'll get the package information.
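The same lookup in Node.js, as an added example that is not part of the original answer. It goes slightly beyond the curl one-liner by requesting the whole package document and looking the version up in its `versions` map, and it assumes a registry that accepts a Bearer token and a Node.js version with a global `fetch`; the function names are hypothetical.

```javascript
// Added example: registry URL, package names and token are constructed values.

// Build the request for a package document. The "/" after the scope is
// percent-encoded so a scoped name stays a single path segment.
function buildPackageRequest(registry, name, token) {
  if (!registry.startsWith('https://')) {
    throw new Error('refusing to send a bearer token over a non-HTTPS URL');
  }
  const base = registry.endsWith('/') ? registry : registry + '/';
  const path = name.startsWith('@')
    ? '@' + encodeURIComponent(name.slice(1))
    : encodeURIComponent(name);
  return {
    url: base + path,
    headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
  };
}

// Interpret the response. A 404, or a 200 whose document lacks the version
// (including the bare {} the answer above reports), means "not published".
function versionPublished(status, body, version) {
  if (status === 404) return false;
  if (status === 401 || status === 403) {
    throw new Error('registry rejected the token');
  }
  if (status !== 200) throw new Error(`unexpected registry status ${status}`);
  const versions = JSON.parse(body).versions || {};
  return Object.prototype.hasOwnProperty.call(versions, version);
}

// One self-contained lookup: nothing is read from or written to .npmrc, so
// parallel runs cannot race on a shared config file.
async function checkVersion(registry, name, version, token) {
  const { url, headers } = buildPackageRequest(registry, name, token);
  // redirect: 'error' keeps the Authorization header from following a redirect.
  const res = await fetch(url, { headers, redirect: 'error' });
  return versionPublished(res.status, await res.text(), version);
}
```

Pass the token from the environment, for example `checkVersion(url, name, version, process.env.TOKEN)`, so it never lands in a file.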

How To Setup Private NPM Module With Firebase Cloud Functions .npmrc?

I have created a private typings npm module that I am using for my firebase functions and app projects. When I went to deploy firebase functions, I get a big error for every function that basically says ERR! remote: Invalid username or password.
From what I have read, it looks like I need to create a .npmrc file and put it in the /functions directory. (https://cloud.google.com/functions/docs/writing/specifying-dependencies-nodejs#using_private_modules)
I cannot however find proper instructions on how to do this anywhere. From what I found, I have done the following:
ran npm login
ran npm token create --read-only
This then gave me a token that looks like this: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.
I then create a file called .npmrc in my functions directory, and placed //registry.npmjs.org/:_authToken=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX in it.
Additionally, I saw that the error message was trying to use ssh to install my private repo package. I have not set up ssh and am using https instead, so I changed my package file to git+https://github.com/accounts-name/repo#commit-num so that it uses HTTPS.
However, I still get the same error message. What am I missing? The above is what I have strung together from lots of google searching.
It seems that you have made too many different changes while trying to make it work, so let's just go through the whole process step by step.
Check the package.json of your npm module and publish it:
Remove the "private" property or set it to false, because private modules in npm are meant never to be published. That is not obvious, but it is true.
The next step is to apply restricted access to the package. In order to do that, add this property to the package.json file:
"publishConfig": {
  "access": "restricted"
},
Make sure that the npm account you use for publishing supports private packages.
Now open the terminal in the root directory of your package, type npm login, then sign in to npm. Check that you put the proper version in the package.json.
Run npm publish. The package should be published in a few seconds. No worries, thanks to the publishConfig property nobody can access it.
Now it is time to allow package installation in your project
Go to the directory of the project and open package.json file
Check that you have the name and version of your package in the dependencies list
Open browser, navigate to https://npmjs.com, login to your account, navigate to settings page of your account and open the tokens tab
Create new token and copy it
Now go to the directory of your project again, to the same level where the package.json file is situated (that is important!), and create a .npmrc file there.
Put this string in the .npmrc file:
//registry.npmjs.org/:_authToken=TOKEN_HERE
You are done!
Deployment with remote CI/CD services
The easiest approach is not to add .npmrc to .gitignore. In that case the file will always be in the repository, so npm install will run smoothly on any machine where the project was cloned.
If you don't want to have the token string in the repository, you can move it to an environment variable of your CI/CD service and then link the .npmrc file to that variable. For example, you can put the generated token into the NPM_TOKEN env variable (just the token from npmjs, not the whole string from .npmrc!).
Then change the .npmrc file as follows:
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
So, with those steps you should be able to install your restricted packages without any issues. Good luck!
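A check for the two .npmrc forms shown in the answer above (a literal token versus a `${NPM_TOKEN}` reference), as an added example that is not part of the original answer. It reports credential keys whose value is stored as a literal, so a pre-commit hook or CI job can stop a token from reaching the repository; the function names and the sample file are hypothetical.

```javascript
// Added example: the sample .npmrc text and the token in it are constructed.
const SAMPLE_NPMRC = [
  '@acmecorp:registry=https://npm.pkg.github.com/',
  '//npm.pkg.github.com/:_authToken=${NPM_REGISTRY_TOKEN}',
  '; comment lines start with ; or #',
  '//registry.npmjs.org/:_authToken=00000000-0000-0000-0000-000000000000',
].join('\n');

// Keys whose values are credentials, bare or scoped to a registry URL.
const CREDENTIAL_KEY = /(^|:)(_authToken|_auth|_password)$/;
// A value that is only an environment reference such as ${NPM_TOKEN}.
const ENV_REFERENCE = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;

// Return the line number and key of every credential stored as a literal.
// The secret value itself is deliberately left out of the findings.
function findLiteralCredentials(npmrcText) {
  const findings = [];
  npmrcText.split(/\r?\n/).forEach((raw, index) => {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) return;
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
    if (CREDENTIAL_KEY.test(key) && !ENV_REFERENCE.test(value)) {
      findings.push({ line: index + 1, key });
    }
  });
  return findings;
}

// Suitable as a pre-commit or CI gate: fail when anything is found.
function npmrcIsSafeToCommit(npmrcText) {
  return findLiteralCredentials(npmrcText).length === 0;
}
```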
If you are trying to deploy your functions with firebase deploy from a CI and your .npmrc file looks like this:
@acmecorp:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${NPM_REGISTRY_TOKEN}
You will run into the problem even if you have the env var set.
Build failed: Error: Failed to replace env in config: ${NPM_REGISTRY_TOKEN}
Firebase for some reason needs access to that private repo. But the env var is not sent over to firebase.
Solution I've implemented was to replace ${NPM_REGISTRY_TOKEN} in the .npmrc file on every run of the CI pipeline.
sed -i.bak "s/\${NPM_REGISTRY_TOKEN}/${NPM_REGISTRY_TOKEN}/g" .npmrc
This breaks if you use Yarn. Took me a while to find a thread pointing to npm install in the firebase cli predeploy step. If there's no package-lock.json and you only use yarn, this will break. Remove yarn.lock and install using npm to resolve the issue.

how to define fallback registry in global .npmrc file

I have a private registry configured in my global .npmrc file. Now I want to configure a fallback registry also in the same npmrc file. When npm is not able to find module in my private repository, I want it to download it from npm global registry i.e. https://registry.npmjs.org
Below are the two repositories I want to configure:
http://devint:9999/nexus/content/groups/NPM-Release //npm should first look into this
https://registry.npmjs.org // fallback registry
I know there is a solution available on StackOverflow for a similar problem, but those solutions suggest using the scoped package approach. I don't want to use the scoped package approach for configuring multiple repositories in an npmrc file.
I have already gone through the solution available on
Is there any way to configure multiple registries in a single npmrc file
But I am looking for a different approach, where I can define multiple repositories with its priority in npmrc file.
I request not to mark this question as closed without giving a satisfactory correct answer.
Thanks.
As far as I know, you cannot define multiple NPM registry URLs in .npmrc, on the CLI, or anywhere else, and have NPM check them based on priority.
Configure your NPM server to check for a requested package locally first and fall back to the public NPM registry if not found. This can be done with Nexus, and I believe Sinopia/Verdaccio do this out of the box.

npm show with private npm repository

For a while I have been using a private npm repository to publish some of my modules. Everything works fine except for one little detail: I cannot get npm show to work.
[Assumptions]
Let's assume that I have a private npm repo at http://my-repo.com:8081/nexus/content/groups/npm/ (yes, I'm using Nexus).
Let's assume I have changed my npm registry:
npm set registry http://my-repo.com:8081/nexus/content/groups/npm/
Let's assume I have my-module published to my-repo.
[My intentions]
I want to be able to check the latest (or maybe all) version(s) of my-module. However, using the standard npm show or npm view commands results in performing a search in npmjs.org and therefore doesn't find any version of my-package.
[Question]
Is there an npm way to see the version of my-package from the scenario described above?
You can use an HTTP request. In this case, request http://my-repo.com:8081/nexus/content/groups/npm/[your package name] to get the package's information, then parse the response object.
You can paste the link into a browser to see the response directly.
It is possible!
You can actually call npm show directly like how you normally would.
The determining factor for this to work, though, is that you have to be in the same directory where your .npmrc file is located (usually at the root of your project). Then npm show will respect that and look it up using your creds and private repo link.

Can I have a package.json but avoid my project from getting published to npm servers?

Basically the thing is I'm working on a project that uses grunt for build tasks and as I have a few dependencies here and there I thought it was a good idea to declare those on a package.json so that my co-workers can npm install without being required to manually install every package at the correct version.
Now the thing is, what if someone "accidentally" runs npm publish? Is there a way to have the package.json while keeping my stuff private?
Yes, set private to true.
If you set "private": true in your package.json, then npm will refuse
to publish it.
This is a way to prevent accidental publication of private
repositories. If you would like to ensure that a given package is only
ever published to a specific registry (for example, an internal
registry), then use the publishConfig hash described below to override
the registry config param at publish-time.
You can set "private": true in your package.json file.
Your coworkers will get an error if they try to publish it.
