We've started using Nexus OSS 3 as a standalone NPM server and so far it's working great but there's one thing that makes little sense to me, and that is the requirement to do the npm login before being able to npm install self published packages.
We're following the proposed repository structure:
npm_proxy - to use as proxy toward npm public repo
npm_private_internal - to use to upload self created internal packages
npm_private_external - to use to upload 3rd party packages
npm_group - to wrap all of them together so they're reachable with one URL
Now I understand that npm login should be required when publishing a new package, but why is it required when doing npm install of one of the self published packages, and can it be avoided ?
It's not required if you allow anonymous read privileges to your npm repositories. But I guess you've not given these privileges to the anonymous user?
If so, the alternative would be to base64 encode the needed credentials in your .npmrc file as described here:
https://books.sonatype.com/nexus-book/reference/npm-deploying-packages.html
But using npm login would be preferable.
Related
Is it possible to use gitlab's package repository to feed our npm packages as well as public packages online.
On proget it is possible to register common npm packages and my private npm packages under the same URL using a proxy. Is it possible to do the same with Gitlab so that pointing to gitlab's repository in the .npmrc would be enough to install all the dependencies ?
Yes, you can have a different registry for your personal packages and e.g. company packages. You can reference them by #my-gitlab-username/foo-package or #company/bar-package.
NPM packages hosted on npmjs.com which get installed by npm install <package> will always be resolved if the lookup on your provided Gitlab package registry fails. Usually you do not have to provide a separate proxy.
Multiple private/non-public registries can be targeted by using npm install #company/<package>. So there should be no issue in targeting multiple Proget and/or Gitlab npm registries at the same time.
Authentification is described here: https://stackoverflow.com/a/42648251/4236831
I would like to install repos to a parent repo and specify by branch name.
I have tried the following:
npm install username/repo#branchName --save
npm install username/repo#branchName --save
npm install username/repo#tag --save
npm install username/repo#tag --save
I'm getting an error that says:
Could not install from {theRepoWithBranch} as it does not contain a package.json file.
The repo definitely contains a package.json file.
I'm wondering if this is a permissions issue given I'm using an enterprise npm registry.
npm/npm issue 19788 does mention:
Currently, npm does not support installation of modules from git services hosted on private domain names.
That includes both Github for Enterprise on custom domains as well as instances of gitlab, gitea, gogs, bitbucket and many others, basically anything hosted on a custom domain name.
With the comment:
So, obviously you reference installing via an http(s):// URL directly, but just as an fyi, our GitLab Enterprise instance allows us to install using a slightly different format.
We have 2FA enabled, so it requires SSH to be used.
From the docs.
npm install <git-host>:<git-user>/<repo-name>
npm install <git repo url>
We were able to actually install our repos like this:
npm install git+ssh://git#gitlab.mydomain.com:user/repo.git
So this is more a URL format combined with permission issue.
Regarding the branch, as seen here, your syntax is correct.
And:
if I prepend git+ on the HTTPS URL it works (I run gitea which accepts basic auth)
See also npm/hosted-git-info PR 30
I'm using Artifactory to pull npm packages. One of the packages that I use is stored privately and in order to access it the publisher gave me an authentication token.
I was asked to add //registry.npmjs.org/:_authToken=<private_token> to .npmrc, however my environment use Artifactory as a proxy for the public npm registry. How can I configure an authentication token geared specifically for the package?
You can use virtual repo concept of artifactory. You can upload the custom packages into your local repo and a common repo that will get the packages from the npm
I have installed node js and npm on my windows But when I try to install npm modules(packages) using
command>>npm install -g xxxx(package name)
It doesn't get installed, and it asked me to check proxy setting. As I am working on private network, so may be it doesn't allow me to access the url from which npm packages get downloaded.
Please tell me what is url for such npm packages from where it gets downloaded so that I can ask my network provider to give access for that site.
NPM packages are downloaded from https://registry.npmjs.org unless otherwise configured.
You can get the download URL for a package with npm view, for example JQuery:
npm view jquery dist.tarball
returns: https://registry.npmjs.org/jquery/-/jquery-3.5.1.tgz
You can change the default registry with npm set registry <new url>; this is typically used in large institutions or corporations with an internal registry mirror.
All npm packages are in fact downloaded from GitHub. However, npm resolves those GitHub dependencies via https://www.npmjs.com.
For example, express https://github.com/expressjs/express is the download link.
npm install -g express (or without -g).
The system does not know the GitHub location of the express package. So it must first lookup https://www.npmjs.com to get GitHub url. Then it will clone the package.
I've setup an Nexus (2.10.0) NPM repository and administrate an user with full access to this repo.
By setting the "_auth" and "always-auth" param in my local .npmrc the publishing and reading of npm artifacts are working well. But if i try to unpublish or deprecate an npm artifact i get still an error "...This request requires auth credentials. Run npm login and repeat the request...".
What is the preferred way to remove artifacts from an nexus npm repository?
thx,
David
Unpublish is currently not supported. Details see https://issues.sonatype.org/browse/NEXUS-6892
Also keep in mind that is not considered good practice to use unpublish as you can see from the npm documentation itself linked in the issue.
Unfortunately, Nexus 2.11 doesn't support npm unpublish or npm deprecate.
If the goal is to make your previously published versions of npm-packages inaccessible:
You can delete the packages from Nexus by manually removing the tarballs from .../nexus/storage/<your_npm_repo>/<your_package>/-/ on your Nexus server and creating a scheduled task to 'rebuild hosted npm metadata':
The npm metadata for a hosted repository
can be rebuilt based on the components found in the storage of a
hosted repository. The task can serve as a recovery tool in cases
where the npm metadata database got corrupted or the component storage
was created manually or via some external process like e.g. an rsync
copying.
This also works great for injecting old versions of packages into your npm-repo. (To get these tarballs, use npm pack.)