How to unpublish npm packages in nexus oss - npm

I've setup an Nexus (2.10.0) NPM repository and administrate an user with full access to this repo.
By setting the "_auth" and "always-auth" param in my local .npmrc the publishing and reading of npm artifacts are working well. But if i try to unpublish or deprecate an npm artifact i get still an error "...This request requires auth credentials. Run npm login and repeat the request...".
What is the preferred way to remove artifacts from an nexus npm repository?
thx,
David

Unpublish is currently not supported. Details see https://issues.sonatype.org/browse/NEXUS-6892
Also keep in mind that is not considered good practice to use unpublish as you can see from the npm documentation itself linked in the issue.

Unfortunately, Nexus 2.11 doesn't support npm unpublish or npm deprecate.
If the goal is to make your previously published versions of npm-packages inaccessible:
You can delete the packages from Nexus by manually removing the tarballs from .../nexus/storage/<your_npm_repo>/<your_package>/-/ on your Nexus server and creating a scheduled task to 'rebuild hosted npm metadata':
The npm metadata for a hosted repository
can be rebuilt based on the components found in the storage of a
hosted repository. The task can serve as a recovery tool in cases
where the npm metadata database got corrupted or the component storage
was created manually or via some external process like e.g. an rsync
copying.
This also works great for injecting old versions of packages into your npm-repo. (To get these tarballs, use npm pack.)

Related

NPM dependency from Gitlab directly

I have a situation where there was an update in one of npm packages I use in my project, but author didn't publish it on npmjs registry, so up to date code sits in gitlab only.
What would be the best solution to get updated version of code? I believe there is a way to add dependency to project which will be downloaded from gitlab or github public repository directly? Is it possible to compile it like in npmjs as well?
Yes, you could install a dependency from a git repository directly. As can be seen in the npm docs. You can straight install a Git Remote repository like this:
npm install <git remote url>
e.g.
npm install git://github.com/npm/cli.git
But beware that installing directly from the source git might have unintended side effects (missing build files, additional documentation files in general changes to the npmjs Version).
Also installing from the repository I would recommend you install from a specific commit/Tag.

Using Gitlab as Proget's feed with a unique place to store packages

Is it possible to use gitlab's package repository to feed our npm packages as well as public packages online.
On proget it is possible to register common npm packages and my private npm packages under the same URL using a proxy. Is it possible to do the same with Gitlab so that pointing to gitlab's repository in the .npmrc would be enough to install all the dependencies ?
Yes, you can have a different registry for your personal packages and e.g. company packages. You can reference them by #my-gitlab-username/foo-package or #company/bar-package.
NPM packages hosted on npmjs.com which get installed by npm install <package> will always be resolved if the lookup on your provided Gitlab package registry fails. Usually you do not have to provide a separate proxy.
Multiple private/non-public registries can be targeted by using npm install #company/<package>. So there should be no issue in targeting multiple Proget and/or Gitlab npm registries at the same time.
Authentification is described here: https://stackoverflow.com/a/42648251/4236831

What is url for npm packages repository?

I have installed node js and npm on my windows But when I try to install npm modules(packages) using
command>>npm install -g xxxx(package name)
It doesn't get installed, and it asked me to check proxy setting. As I am working on private network, so may be it doesn't allow me to access the url from which npm packages get downloaded.
Please tell me what is url for such npm packages from where it gets downloaded so that I can ask my network provider to give access for that site.
NPM packages are downloaded from https://registry.npmjs.org unless otherwise configured.
You can get the download URL for a package with npm view, for example JQuery:
npm view jquery dist.tarball
returns: https://registry.npmjs.org/jquery/-/jquery-3.5.1.tgz
You can change the default registry with npm set registry <new url>; this is typically used in large institutions or corporations with an internal registry mirror.
All npm packages are in fact downloaded from GitHub. However, npm resolves those GitHub dependencies via https://www.npmjs.com.
For example, express https://github.com/expressjs/express is the download link.
npm install -g express (or without -g).
The system does not know the GitHub location of the express package. So it must first lookup https://www.npmjs.com to get GitHub url. Then it will clone the package.

Use artifactory without remote npm repository

I'm working in an environment where artifactory does not have internet access. We would like to use artifactory as a npm registry and host. Is it possible to upload external dependencies and their transitive dependencies?
For example: I'm on a computer with internet access and downloaded webpack and all its dependencies using npm install. Now I go to a different network with artifactory access and want to upload my node_modules Folder. Does that work somehow?
In addition to Artifactory's proxy/caching features, it can also host multiple local repositories (such as npm repositories) in it. This basically means that you can create an npm local repository in Artifactory and deploy any npm *.tgz packages (your dependencies) into this repository and Artifactory will generate the relevant metadata for your client. All you'll need to do is to deploy the relevant packages and configur your npm clients to resolve from Artifactory.
I have recently made an node module that should help with this problem.
You give it a list of packages that you want downloaded and it will download the packages with all dependencies as a tar.gz. It will then save them in the original npm folder structure, and create a tar.gz with everything inside.
You can then take the tar.gz with all your dependencies and deploy it to Artifactory using the deploy wizard.
When you deploy, select the checkbox "Deploy as Bundle Artifact". This will extract the tar.gz of packages and load them into the npm repository. Artifactory will read the package.json of all packages, and will load the relevant information, allowing you to pull packages with npm.
The package is called package-bundle, and can be downloaded from npm using npm install -g package-bundle
To download packages you can run the command pb bluebird express#1.0.1, which will fetch the specified packages, and all the required dependencies.

Nexus OSS 3 - npm install requires npm login

We've started using Nexus OSS 3 as a standalone NPM server and so far it's working great but there's one thing that makes little sense to me, and that is the requirement to do the npm login before being able to npm install self published packages.
We're following the proposed repository structure:
npm_proxy - to use as proxy toward npm public repo
npm_private_internal - to use to upload self created internal packages
npm_private_external - to use to upload 3rd party packages
npm_group - to wrap all of them together so they're reachable with one URL
Now I understand that npm login should be required when publishing a new package, but why is it required when doing npm install of one of the self published packages, and can it be avoided ?
It's not required if you allow anonymous read privileges to your npm repositories. But I guess you've not given these privileges to the anonymous user?
If so, the alternative would be to base64 encode the needed credentials in your .npmrc file as described here:
https://books.sonatype.com/nexus-book/reference/npm-deploying-packages.html
But using npm login would be preferable.