Private NPM libraries, I think, are a phase that every team practices and goes through. There are many ways to implement private NPM, such as based on private Git repositories, based on proprietary functionality provided by NPM (paid for), Verdaccio, and so on. However, Verdaccio is slightly better at everything (free and easy to use).
So, today, this article will also take you to use Verdaccio to build an enterprise private NPM library!
One, installation, start
The installation and startup process of Verdaccio is relatively simple. The first is the global installation of Verdaccio:
npm i -g verdaccio
Copy the code
Then, enter the verdaccio command in the terminal to start verdaccio:
Copy the code
Then Verdaccio will output a prompt in the terminal, output its configuration file location, service address started and other information:
By default, Verdaccio starts services on port 4873. If you open this address in the browser, you will see the interface of Verdaccio’s private library NPM:
As you can see, the default interface style is still very simple, beautiful. Also, we will be prompted with the commands we need to execute to log in and publish the NPM package.
2. Configuration modification
Although, Verdaccio is installed and started. However, since the default configuration of Verdaccio is inconsistent with our production requirements, we need to modify the configuration of Verdaccio.
In a production environment, a private NPM library needs to have three functions:
- Search for NPM packages is supported
- Strict permission control, NPM package access is restricted to registered users only. In some scenarios, users need to be deleted
- After the NPM package is published, it is pushed to the nails group to tell which NPM package has been published
The Verdaccio configuration file is the config.yaml file in the ~/.config/Verdaccio folder. The default configuration will look like this:
storage: ./storage
plugins: ./plugins
title: Verdaccio
file: ./htpasswd
'@ * / *':
access: $all
publish: $authenticated
unpublish: $authenticated
proxy: npmjs
'* *':
access: $all
publish: $authenticated
unpublish: $authenticated
proxy: npmjs
keepAliveTimeout: 60
enabled: true
- { type: stdout.format: pretty.level: http }
Copy the code
Let’s take a look at some of the values in the default configuration one by one:
Storage Indicates the storage location of published packages. By default, the packages are stored in ~/. Config /Verdaccio/
The directory where the plugins are located
This section describes how to configure the Web interface
Auth user related, such as registration, authentication plug-in (default htpasswd)
Uplinks provide access to external packages, such as NPM and CNPM sources
Packages allows you to configure permissions for publishing, deleting, and viewing packages
Server Private library server configuration
The middlewares middleware is configured to support NPM audit by default
Configuration of information output by logs terminal
Next, we will modify the corresponding values in the Verdaccio configuration file to support the above functions.
2.1 Enabling Search
When we have a private NPM inventory of many packages, we have trouble finding a package. Verdaccio supports search, which is controlled by search and defaults to false, so here we need to turn it on:
search: true
Copy the code
With this enabled, we can perform normal search operations in the search bar on the page of the private NPM library.
2.2 Permission control
Permission control refers to the fact that we need packages published on the private NPM library to be viewable only by team members. Otherwise, staff cannot see everything. So, back to Verdaccio, we need to do these two things:
- Restrict viewing of NPM packages to registered users only
- Disallow user registration (after team members have registered)
Accordingly, here we need to modify the configuration files of Pacakges and Auth. Packages are used to configure permissions for publishing packages, viewing packages, and deleting packages. Let’s take a look at the default configuration:
'@ * / *':
access: $all
publish: $authenticated
unpublish: $authenticated
proxy: npmjs
'* *':
access: $all
publish: $authenticated
unpublish: $authenticated
proxy: npmjs
Copy the code
The key here represents the package name for which the permissions need to be matched. For example, for the first one, if we publish a package name like @wjc/test it will be hit. Each rule has four parameters. The proxy represents if in private library of NPM could not find, will be the agent to NPMJS corresponding unlinks the NPMJS ( The remaining three parameters, which are used to set package-related permissions, have three optional values $all, $anonymous, and $authenticated. So, let’s take a look at the meanings of these three parameters:
Access Controls the access permission of the package
Publish Control package publish permission
Unpublish Indicates the delete permission of the control package
$authenticated is the only authenticated permission set to $authenticated:
'@ * / *':
access: $authenticated
publish: $authenticated
unpublish: $authenticated
proxy: npmjs
'* *':
access: $authenticated
publish: $authenticated
unpublish: $authenticated
proxy: npmjs
Copy the code
After setting up packages, we also need to change the value of auth because there is no limit to the number of registered users, meaning that if your private NPM library is deployed in an extranet environment, anyone can register users with the NPM adduser command.
Obviously, this is not allowed, so here we need to set auth’s max_users to -1, which means to disable registered users:
max_users: - 1
Copy the code
To enable user registration, set the specified number (greater than 0)
2.3 Releasing a package to push a spike group
Release package push pin group, which means that every time we release a package, the robot of pin group can inform us of the information of the package we release.
First of all, here we need to have a nail group of robots corresponding to the Webhook (access can be viewed in the nail documents). Then add notify to the Verdaccio configuration file:
method: POST
headers: [{'Content-Type': 'application/json; charset=utf-8'}]
endpoint:****, # Webhook for nailing robots
content: '{"color":"green","message":" New package released: *{{ name }}*","notify":true,"message_format":"text"}'
Copy the code
Method and HEADERS represent the request method and entity type, respectively. The endpoint represents the Webhook address requested. Content represents the basic template for getting published information, and the value of Message in the template will be the content of the message sent by the robot of the pinning group (name represents the name of the published package).
Suppose we publish a private package named verdaccio-npm-demo, and we get a notification in the peggroup accordingly:
Three, basic use
Now that Verdaccio is configured. So, we are ready to release our first private package .
3.1 Registered Users
First, we need to register a user:
npm adduser --registry http://localhost:4873/
Copy the code
It then asks you for a username, password, and email address to log into the private NPM library:
3.2 Deleting a User
Since there are registered users, it is inevitable that in some cases we will need to delete a user to prevent it from logging into the private NPM library.
As mentioned earlier, Verdaccio uses htpasswd for authentication by default. Accordingly, the registered user information will be stored in the ~ /. Config/verdaccio/htpasswd file:
wuliu:pWxgur/1w5v1I:autocreated The 2021-02-18 T07:58:57. 827 z
Copy the code
Here a record corresponds to a user, that is, if this record is deleted, then the user cannot log in, that is, the user is deleted.
3.3 Adding and Switching sources
Here we switch sources via NRM for operational purposes. If you do not have NRM installed, you can install it first:
npm i -g nrm
Copy the code
Then, use NRM to add a source:
nrm add mynpm http://localhostm:4873/
Copy the code
Mynpm here stands for short for your source, which you can name as you like.
Next, we can run the NRM ls command to see the existing source:
You can see by default using the source of NPM is, so here we need to switch it into private NPM corresponding to the source:
nrm use mynpm
Copy the code
After good source switch, we after NPM I will go to the private library search packet, if there is no will go to (because the proxy configuration above) to find the package.
3.4 release
To publish, run directly in the root directory of the project that needs to publish the package (let’s say our package here is called verdaccio-npm-demo2) :
npm publish
Copy the code
We can then see our published package on the interface of the private NPM library:
Of course, Verdaccio can do a lot more, such as integrated Git Action automatic package issuance, custom authentication plug-ins, etc. However, after all the work we’ve done above, the private NPM library is ready for production at . Finally, if there is any improper expression or mistake in the article, students are welcome to make an Issue.
Thumb up 
If you get something from this post, please give me a “like”. This will be my motivation to keep sharing. Thank you
My name is Wu Liu. I like innovation and source Code manipulation, and I focus on source Code (Vue 3, Vite), front-end engineering, cross-end and other technology learning and sharing. Welcome to follow my wechat official account: Code Center.