Today I Learned

Publishing private repository with public dependencies

Simply using https or ssh git links in package.json can backfire, both for people who have set up additional security measures such as 2FA or SSH keys and for those who have not.

https: "git+https://github.com/OWNER/REPO.git" - fails when 2FA is set up, and fails on token authorization.
ssh: "git@github.com:OWNER/REPO.git" - obviously fails when no SSH key is defined. (It's recommended to have one.)

So we decided to use the GitHub Package Registry, which lets you easily publish public/private repos (GPR is currently in open beta). All instructions on how to publish/install a package are here:

create personal access token for CLI

installing a package

But the latter link can be misleading (although it assumes that everyone in the organization has their own PAT generated, which might be a much better solution).

When you set up your .npmrc with this config:

registry=https://npm.pkg.github.com/${OWNER}
//npm.pkg.github.com/:_authToken=${PERSONAL_ACCESS_TOKEN}

then during npm install every dependency of your package will be requested from your OWNER scope on GPR, even though those dependencies are public.

So you can use a scoped config like this instead, so that only @OWNER packages are fetched from GPR and public dependencies keep coming from the default npm registry, without having to publish them in your scope:

@${OWNER}:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${PERSONAL_ACCESS_TOKEN}

e.g.

@bobrimperator:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=my-generated-token-with-read-permission
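As an added example that is not from the original post, this small Node script models how npm picks a registry and a credential for a package name from .npmrc and compares the global config with the scoped one above; the token value, the private package name and the simplified nerf-dart logic are assumptions of mine, not npm's own code.

```javascript
// Added example, not from the original post: a minimal model of how npm picks
// the registry and the credential for a package from .npmrc, used to compare
// the two configs discussed above. Token values and package names are constructed.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
// Parse "key=value" lines into an object; "#" and ";" start comment lines.
function parseNpmrc(text) {
  const conf = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    conf[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return conf;
}

// Simplified "nerf dart": registry URL minus protocol, cut back to its directory,
// e.g. https://npm.pkg.github.com/OWNER -> //npm.pkg.github.com/ (the _authToken key prefix).
function nerfDart(registryUrl) {
  const u = new URL(registryUrl);
  const dir = u.pathname.endsWith('/') ? u.pathname : u.pathname.replace(/[^/]*$/, '');
  return `//${u.host}${dir}`;
}

// Where would `pkgName` be fetched from, and would a token be sent along?
function resolve(conf, pkgName) {
  const scope = pkgName.startsWith('@') ? pkgName.split('/')[0] : null;
  const registry = (scope && conf[`${scope}:registry`]) || conf.registry || DEFAULT_REGISTRY;
  const token = conf[`${nerfDart(registry)}:_authToken`] || null;
  return { registry, token };
}

// Constructed .npmrc contents: the global form from the post and the scoped fix.
const GLOBAL_NPMRC = `registry=https://npm.pkg.github.com/bobrimperator
//npm.pkg.github.com/:_authToken=CONSTRUCTED-READ-ONLY-TOKEN`;
const SCOPED_NPMRC = `@bobrimperator:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=CONSTRUCTED-READ-ONLY-TOKEN`;
// Compare both configs for one package name.
function compare(pkgName) {
  return {
    global: resolve(parseNpmrc(GLOBAL_NPMRC), pkgName),
    scoped: resolve(parseNpmrc(SCOPED_NPMRC), pkgName),
  };
}

for (const name of ['lodash', '@bobrimperator/private-pkg']) {
  console.log(name, JSON.stringify(compare(name)));
}
```

With the global config a public package such as lodash is requested from the OWNER scope on GPR with the token attached; with the scoped config it goes to registry.npmjs.org with no credential, and only the @bobrimperator package reaches GPR.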

Further references: Setting up fontawesome pro in your project