Can't publish private npm package on Gitlab - E404 Not found PUT - npm

I've tried many different docs and tutorials to publish a scoped npm package on a private gitlab instance.
So far I've:
Created a deploy token with package write & read permissions:
Setup a .npmrc file with the following contents:
@<scope>:registry=https://<domain>/api/v4/packages/npm/
//<domain>/api/v4/projects/<id>/packages/npm/:_authToken=<token>
//<domain>/api/v4/packages/npm/:_authToken=<token>
Added "publishConfig" to "package.json":
{
  "name": "@<scope>/<name>",
  "version": "1.0.0",
  "main": "dist/index.js",
  "license": "MIT",
  "publishConfig": {
    "@<scope>:registry": "https://<domain>/api/v4/projects/<id>/packages/npm"
  },
  "scripts": {
    "build": "tsc",
    "prepublish": "tsc"
  },
  "devDependencies": {
    "ts-node": "^9.1.1"
  }
}
Verified that the repo allows packages to be stored:
But every time I try to run either npm publish or yarn publish, it builds and packages but fails to publish:
The log file verbosely repeats the error log above.
I'm trying to release a private SDK for an internal service and would need a way to publish it so only those with the correct credentials can install it on their projects.
The link provided (Not Found - PUT https:// <link...> ) redirects to npmjs.com, which I believe wasn't supposed to happen, since I'm trying to store it on Gitlab instead of purchasing an organization on npmjs.
I've tried this process both on the private domain (running gitlab 13.9.1) and on https://gitlab.com, both with the same result on the same repository configuration disclosed above.
Am I missing some step? Thanks in advance!

Your .npmrc file has both instance and project level endpoints, but if you're using a project deploy token, the authentication of the token you're providing is scoped to the project, so you should only have the project endpoint.
@<scope>:registry=https://<domain>/api/v4/projects/<ID>/packages/npm/
//<domain>/api/v4/projects/<ID>/packages/npm/:_authToken=<TOKEN>

The project ID in the redacted part of the URL shown as part of the error message resulting from the attempted publish looks rather long. The project's ID isn't the project's slug. It's a numeric value instead.
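
The two answers above, turned into a check, as an added example that is not code from the original posts: it lints an .npmrc for the project deploy token case, flagging a scoped registry that is not the project-level endpoint, a non-numeric project ID, a missing matching token line, and a leftover instance-level token line. The host gitlab.example.com, the scope @acme, the ID 42 and the token values are constructed placeholders.

```javascript
// Added example. Constructed inputs: gitlab.example.com, @acme, 42 and the tokens are placeholders.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue; // blank or comment
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// Returns a list of human-readable findings; an empty list means the file is consistent.
function checkGitlabNpmrc(text) {
  const findings = [];
  const entries = parseNpmrc(text);
  const scoped = entries.filter((e) => /^@[^:]+:registry$/.test(e.key));
  const tokens = entries.filter((e) => e.key.endsWith(':_authToken'));
  if (scoped.length === 0) findings.push('no @scope:registry entry');
  for (const { key, value } of scoped) {
    const m = value.match(/^https:\/\/([^\/]+)\/api\/v4\/projects\/([^\/]+)\/packages\/npm\/?$/);
    if (!m) { findings.push(`${key} is not a project-level endpoint`); continue; }
    if (!/^\d+$/.test(m[2])) findings.push(`project id "${m[2]}" is not numeric`);
    // npm looks up credentials by the registry URL without its scheme.
    const want = `//${m[1]}/api/v4/projects/${m[2]}/packages/npm/:_authToken`;
    if (!tokens.some((t) => t.key === want)) findings.push(`missing token line ${want}`);
  }
  for (const t of tokens) {
    if (/\/api\/v4\/packages\/npm\/:_authToken$/.test(t.key)) {
      findings.push(`instance-level token line ${t.key}`);
    }
  }
  return findings;
}

const AS_POSTED = [
  '@acme:registry=https://gitlab.example.com/api/v4/packages/npm/',
  '//gitlab.example.com/api/v4/projects/42/packages/npm/:_authToken=PLACEHOLDER',
  '//gitlab.example.com/api/v4/packages/npm/:_authToken=PLACEHOLDER',
].join('\n');
const CORRECTED = [
  '@acme:registry=https://gitlab.example.com/api/v4/projects/42/packages/npm/',
  '//gitlab.example.com/api/v4/projects/42/packages/npm/:_authToken=${NPM_TOKEN}',
].join('\n');

console.log(checkGitlabNpmrc(AS_POSTED));
console.log(checkGitlabNpmrc(CORRECTED));
```

Reading the token from an environment variable, as in the corrected sample, keeps the deploy token out of a committed .npmrc.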

Related

Issue pulling from Gitlab private package registry

We have a self-hosted GitLab (15.5.4) and I've configured everything we needed for publishing npm packages.
A CI/CD pipeline that properly creates the entry in the Package Registry.
The problem is that when I pull the package [npm i @scope/lib] (it doesn't change if I cast the auth token in the package.json or I pass it through an environment variable as suggested in the documentation), the unwanted result is that @scope/lib doesn't have the dist/ folder in it!! [node_modules/@scope/lib/].
If I browse to the Package Registry and manually download the .tgz file I can see that the dist/ folder is present.
I've played around a bit with the .npmignore and "prepublish" script but I had no success and literally have no clue why this is happening.
Any tips would be very appreciated.
To clarify:
The proper way to tell npm to keep the dist/ folder, bypassing the .gitignore file (instead of defining an .npmignore, article here), is to define a files entry in the package.json:
{
  "files": [
    "dist",
    "build",
    ...
  ]
}
Another improper way to get the result I needed is to use a postinstall command. But it is clearly an anti-pattern. Given that I am writing a TypeScript library that is tested and then compiled by the CI, there's no need to recompile it within the postinstall command. But it could be a hacky solution when needed.
{
  "scripts": {
    "postinstall": "tsc src/index.ts"
  }
}
To sum up, I think it was only an npm cache issue or more probably a server-side cache issue, because I've run npm cache clean --force different times.
Hope this helps.

Does a published artifact affect npm install?

I have a private, unpublished NPM package. Let's say it's named foo-test:
{
"name": "foo-test",
"version": "0.0.0",
"license": "MIT",
"private": true,
"scripts": {...},
"dependencies": {...}
}
It's not in the NPM registry, and I've marked it private.
I found out via a security audit that this is "vulnerable to dependency confusion attacks", but I don't know how.
If someone later comes along and publishes a real public package called foo-test to the NPM registry, will that affect my local development against my private package?
That is, let's say there's a real package foo-test@1.0.0 available on npmjs. If I run npm install locally against my own unrelated version of foo-test, will there be any side effects arising from the fact that the local package that I'm building has the same name as a public package on the registry?

how can I create app with dynamic name using npm

I'm using Jenkins pipeline to compile npm app.
I want to use a parameter for my npm app, so each branch will publish the app under a different name.
Also, I need some "default value" for the developers when they are working in their local env.
For example, my package.json:
{
"name": "${some_env_var} : default_value",
"version": "1.0.0",
...
}
Is it possible?

No node_modules from netlify deploy

I've got continuous deployment setup with Netlify and a git repo but so far no matter what I do, Netlify isn't npm-installing anything. There's no node_modules folder when I download a zip of the deploy, my site can't access node_modules, it's just not there. I've started with a random npm package (lodash) to try to get it to install but I've got nothing so far.
Netlify says that it automatically runs npm install. I've tried having no build commands and I've tried adding npm install as a build command with no results from either.
package.json:
{
"name": "netlify-test",
"version": "1.0.0",
"description": "stuff",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"repository": {
"type": "git",
"url": "git+https://github.com/electrovir/netlify-test.git"
},
"author": "electrovir",
"license": "MIT",
"bugs": {
"url": "https://github.com/electrovir/netlify-test/issues"
},
"homepage": "https://github.com/electrovir/netlify-test#readme",
"dependencies": {
"lodash": "^4.17.11"
}
}
HTML:
<!doctype html>
<html>
<head>
<title>
hi
</title>
<script src="node_modules/lodash/_apply.js"></script>
</head>
<body>
Why can't this find node_modules??
</body>
</html>
It took a while to figure this out but I discovered that Netlify does npm install into your repo root or Base directory when you have a package.json. This can be seen by changing the Build command to something like ls and reading the deploy console output (there will be a node_modules folder listed).
However, at some point after running the Build command and before deploying, this node_modules is deleted. Hence, if you use something similar to the following as a Build command, node_modules can be copied to your Publish directory:
rm -rf dist && mkdir dist && rsync -rv * dist --exclude ./dist
This copies the Base directory contents into dist, which I have set as my Publish directory, ignoring ./dist itself (it can't be copied into itself). It'd be even better if this were added as an npm script in package.json with npm run <script name> for your Build command.
Note that Base directory, Build command, and Publish directory are all under Deploys > Deploy settings or Settings > Build & deploy in Netlify.
Thanks to lastmjs for help with figuring this out.
It would be odd if node_modules WERE there. Netlify's continuous deployment does run npm install for you, if and only if there is a package.json in the root of your repository (or instead in the base directory if you set one in netlify.toml). However, it also uses a custom npm directory that is outside of the deployment directory (see how it is set up here: https://github.com/netlify/build-image/blob/master/run-build-functions.sh#L34), since deploying your node_modules shouldn't be needed for a static site at browse time - only at build time.
The intended path for a Netlify deploy is:
you have your dependency manager configuration checked into your git repo at the root of the repo (if no base directory is set in the UI or in the toml file) or in the base directory if set. This could be any/all of Gemfile.lock, package.json, yarn.lock, or requirements.txt as explained in this article about the build settings at Netlify
you do not store your node_modules in the repo. Many of those will be specific to the architecture of the build environment - and your local machine is almost certainly different than Netlify's. You'll want those generated at build time.
your build is intended to USE those modules DURING BUILD. So you use for instance dotenv to read your .env file while building, or you use gulp-cli to process your Gulpfile.js
your build completes, and you've used all the modules during build to generate standalone html/js/css/images, so you're done with them - your static html and other assets are generated in your publish directory, where the build process has intentionally not put your node modules, and thus they are not deployed. Your static website should not need the modules at runtime, so deploying the (thousands!) of files in there is not efficient or needed.
You could have a situation that requires some/one of them - e.g. a function or you could need a file from one of them even on your static site - and that's fine, feel free to copy it into the publish directory explicitly. But that is not the norm :)

Using .npmrc with npm publish actions

We have a private NPM registry to which we are publishing our packages, and have a publishConfig section in our project's package.json file which just contains our registry URL, which gets picked up by our npm publish commands:
"publishConfig": {
"registry": "xxxxxx"
}
I would like to have this registry URL read from an .npmrc file rather than the package.json.
I have tried doing this, but when using npm publish I get:
400 - Repository with ID='xxx' is Read Only, but action was 'create'!
I figured this may be because I hadn't added my user details to my npmrc, which I have now done, but the problem still remains.
Is it possible for npm publish to use the details from an npmrc specifically?
Just add the following to your .npmrc
registry=YOUR_REGISTRY