@khaledosman
Last active February 11, 2019 14:15
Private NPM Registry with Verdaccio

Description

Verdaccio is a private NPM registry that allows developers to publish and install packages privately for better code sharing. See https://github.com/verdaccio/verdaccio

Authentication & Creating a new user

  1. Go to http://www.htaccesstools.com/htpasswd-generator/ (note that this means entering the password on a third-party site; the htpasswd command-line tool generates the same kind of line locally).
  2. Create your username and password.
  3. Send the generated htpasswd line to be copied into the verdaccio/conf/htpasswd file on the server.
  4. You should now be able to log in using that username and password. (No server restart is required.)

Usage

We use scopes to group our dependencies under the @myscope scope, which sets your module name in package.json to "@myscope/module-name". See https://docs.npmjs.com/misc/scope and https://docs.npmjs.com/private-modules/intro for a quick introduction to scopes and working with private modules.

  1. Set your default npm scope to @myscope to ensure your package names start with @myscope when you run npm init:

npm config set scope @myscope

  2. Set your local npm registry to the new registry instead of the default npm registry, so you don't have to specify the registry through the --registry flag with every npm command (i.e. npm publish, npm adduser, npm install, etc.). There's a proxy in the Verdaccio config, so if you try to install a dependency that does not exist in colorfy's registry, it will fall back and try to install it from the npm registry.

npm set registry <YOUR_PRIVATE_REGISTRY_URL>

  3. To register/log in with the username created in the previous section (Authentication & Creating a new user) so that you can publish your own packages, run:

npm adduser

  4. Now you can install any package published on that registry, for example:

npm install -g @myscope/aliased-imports

  5. Now you can publish your own npm module to the registry by running:

npm publish

You can check https://www.sitepoint.com/private-npm-packages-verdaccio/ for a quick tutorial on Verdaccio.

DevOps / Installation & Security Concerns

Only authenticated users are allowed to see and publish packages. See https://verdaccio.org/docs/en/packages for how this can be configured. Users are only allowed to publish packages that have the @myscope scope / prefix in their package name. The current configuration in the config.yaml file is:

'@myscope/*':
    # scoped packages
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: "$authenticated"
    publish: "$authenticated"
    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs

After setting "npm config set registry", npm will use this registry for all local commands. The reason npm install still works for a project using global dependencies is that the Verdaccio config contains a proxy to the public npm registry for all packages that do not start with @myscope/. If you try to install a library that does not exist in the private registry, the request is redirected and the library is installed from the default npm registry. Verdaccio also caches dependencies installed on the server.

User registration is turned off for security reasons so that no external users can register to the registry and access/publish packages. Users are authenticated using the htpasswd plugin. See https://verdaccio.org/docs/en/authentification for authentication configuration. The current configuration is:

auth:
  htpasswd:
    file: /verdaccio/conf/htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    max_users: -1

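Make sure to run the following commands in the deployed instance to allow writing and storing packages into the directories. Note that mode 777 lets every local user on the host read and modify these directories, including the password hashes in conf/htpasswd.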

chmod -R 777 storage/
chmod -R 777 conf/
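
A narrower alternative to mode 777, added here as an example and not part of the original gist: the script lists world-writable paths, then sets directories to 750, files to 640 and htpasswd to 600, and checks that the directories are still writable. It assumes storage/ and conf/ are owned by the account that runs Verdaccio; the function names and the script name are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original gist.
# Assumption: storage/ and conf/ are owned by the account that runs Verdaccio
# (as root: chown -R <verdaccio-user> storage conf; the user name is site-specific).

# List every non-symlink path under the given directories that any local
# user may write to. After `chmod -R 777` that is every file and directory.
list_world_writable() {
  find "$@" ! -type l -perm -0002 -print
}

# Directories become 750 (owner rwx, group r-x), files 640 (owner rw-, group r--).
tighten_tree() {
  find "$1" -type d -exec chmod 750 {} +
  find "$1" -type f -exec chmod 640 {} +
}

# htpasswd holds password hashes, so only the owner may read or write it.
tighten_htpasswd() {
  if [ -f "$1" ]; then chmod 600 "$1"; fi
}

# Verdaccio must still be able to store tarballs and update its files:
# check that the current user can create a file in the directory.
can_write() {
  probe="$1/.perm-probe.$$"
  if ( : > "$probe" ) 2>/dev/null; then rm -f "$probe"; return 0; fi
  return 1
}

# Tighten both trees, then verify. Returns non-zero if a directory is no
# longer writable by the current user or a path is still world-writable.
fix_verdaccio_perms() {
  storage="$1"; conf="$2"
  tighten_tree "$storage" || return 1
  tighten_tree "$conf" || return 1
  tighten_htpasswd "$conf/htpasswd"
  can_write "$storage" || return 1
  can_write "$conf" || return 1
  [ -z "$(list_world_writable "$storage" "$conf")" ]
}

# Run as the Verdaccio account from the install directory:
#   sh fix-perms.sh storage conf
if [ "$#" -eq 2 ]; then fix_verdaccio_perms "$1" "$2"; fi
```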