NPM private library service


Introduction

Companies don't want to publish their code to the public package registries for confidentiality reasons, yet they urgently need a complete set of in-house tooling to manage a growing number of components, modules and projects. On the front end, the package managers I know best are NPM and Bower. Bower's market adoption is clearly weaker than NPM's, and the CommonJS specification keeps maturing, so NPM is the natural choice for front-end package management.

The company has the following requirements for setting up a local private NPM library:

  1. Private packages are hosted on internal servers.
  2. Projects use both public packages from the public registry and private packages from the internal server.
  3. When installing, public packages are fetched from the public registry and private packages from the internal server's private registry.
  4. The server's disk space is limited, so only packages that have actually been downloaded should be cached, rather than mirroring the whole public registry.
  5. Downloading NPM packages is subject to permission management; the setup should be easy to install, simple to configure and have few dependencies.

Process for installing private packages


Service building

node + npm + verdaccio + pm2 + nrm

Sinopia / Verdaccio is a zero-configuration private NPM package manager with caching.

PS: Sinopia has not been updated for years. Verdaccio is based on Sinopia, has been refactored, and is actively maintained.

# config
/home/ubuntu/.config/verdaccio/config.yaml
# password file
/home/ubuntu/web_npm/verdaccio/htpasswd
# storage
/home/ubuntu/web_npm/verdaccio/storage

pm2 hosts the Verdaccio process and keeps it alive. nrm makes it easy to view and switch registries. verdaccio-delegated-auth lets the service authenticate against a custom account system.


Conventions

# Sinopia / Verdaccio config.yaml
# path to a directory with all packages
storage: /home/ubuntu/web_npm/verdaccio/storage

auth:
  # built-in htpasswd auth, replaced by the delegated plugin below
  # htpasswd:
  #   file: ./htpasswd
  #   max_users: -1      # -1 disables self-registration
  #   # max_users: 1000
  delegated-auth:
    url: https://your-account-server/
    user_key: name      # username field, default: username
    pwd_key: password   # password field, default: password

# a list of other known repositories we can talk to
# note: this uplink is plain http, so proxied packages are not protected in transit
uplinks:
  npmjs:
    url: http://registry.npm.taobao.org/

packages:
  '@company/*':
    # scoped packages: login required to install or publish
    access: $authenticated
    publish: $authenticated
  '*':
    # keywords: "$all", "$anonymous", "$authenticated"
    access: $all
    publish: $all
    proxy: npmjs

# log settings
logs:
  - {type: stdout, format: pretty, level: http}
  #- {type: file, path: sinopia.log, level: info}

listen: 0.0.0.0:4873
  1. To prevent clients from registering bogus users or creating users by mistake, self-registration is disabled with max_users: -1, and user accounts are provided by the server-side file: ./htpasswd configuration. A custom authentication plugin, verdaccio-delegated-auth, has been written for Verdaccio so that logins are checked against the username and password of your own account system.
  2. Packages published internally to the private service must use the prefix @company/${app}, e.g. @company/lodash. Packages under the @company/* prefix can be installed or published only after the account has been authenticated. (company refers to the company name.)
  3. A published internal private package must have a project README containing:
    • a basic description
    • usage
    • the source address
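To make the rules above checkable, here is an added example (not part of the original post) that models how the packages section grants access and lints it for anonymous publish rights. The packages block is the page's own, transcribed as a JS object because Node has no YAML parser in its standard library; the first-match glob semantics are a simplified model, not Verdaccio's actual matcher.

```javascript
// Added example: lint the "packages" block of the config shown above.
// Rules are checked in order; the first glob that matches a package name wins.
// '*' matches any run of characters without '/', so '@company/*' matches one scope.

// The page's own packages block, transcribed from YAML.
const PACKAGES = [
  ['@company/*', { access: '$authenticated', publish: '$authenticated' }],
  ['*',          { access: '$all', publish: '$all', proxy: 'npmjs' }],
];

// Corrected form of the same block: publishing unscoped names also requires a login.
const HARDENED = PACKAGES.map(([g, r]) => [g, { ...r, publish: '$authenticated' }]);

function globToRegExp(glob) {
  // Escape regex metacharacters, then let '*' stand for a slash-free segment.
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]*');
  return new RegExp(`^${escaped}$`);
}

function findRule(name, packages = PACKAGES) {
  const hit = packages.find(([glob]) => globToRegExp(glob).test(name));
  return hit ? { glob: hit[0], ...hit[1] } : null;
}

// Evaluate a $all / $anonymous / $authenticated keyword for a client.
function allowed(keyword, authenticated) {
  if (keyword === '$all') return true;
  if (keyword === '$anonymous') return !authenticated;
  if (keyword === '$authenticated') return authenticated;
  return false; // unknown keyword or group name: deny in this model
}

function canPublish(name, authenticated, packages = PACKAGES) {
  const rule = findRule(name, packages);
  return rule ? allowed(rule.publish, authenticated) : false;
}

// Flag every rule that lets an anonymous client publish; for proxied rules this
// also means a local upload can shadow a package name served from the uplink.
function lintPackages(packages = PACKAGES) {
  const findings = [];
  for (const [glob, rule] of packages) {
    if (allowed(rule.publish, false)) {
      findings.push(`${glob}: publish=${rule.publish} allows anonymous publish` +
        (rule.proxy ? ` and can shadow names proxied from '${rule.proxy}'` : ''));
    }
  }
  return findings;
}

console.log(canPublish('@company/lodash', false)); // false: scoped packages need a login
console.log(canPublish('lodash', false));          // true: the weak setting in the page's config
console.log(lintPackages(), lintPackages(HARDENED));
```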

Client use

  1. Install nrm, add the private registry, and log in with your own system account:
$ nrm add company http://*.*.*.*:4873/
$ nrm use company
$ npm login
  2. Open the private registry in a browser to view all internal private packages.

Security

Gateway

More

  • Docker
    • AWS S3 storage plugin for verdaccio
    • npm login in CI

Github: github.com/yansenlei