Publishing a private repository with public dependencies
Simply using https or ssh git links in package.json can backfire, because whether the install works depends on which additional security measures (2FA, SSH keys) the person installing has or has not set up.
https: "git+https://github.com/OWNER/REPO.git"
- fails for a private repo once 2FA is set up, since git can no longer authenticate with the account password over HTTPS, and a non-interactive npm install also fails when token authorization is not configured for git.
ssh: "git@github.com:OWNER/REPO.git"
- obviously fails when no SSH key is configured on the machine doing the install.
(It's recommended to have one anyway.)
So we decided to use GitHub Package Registry, which lets you publish both public and private packages (at the time of writing GPR is in open beta). All instructions on how to publish and install a package are here:
create personal access token for CLI
But the latter link can be misleading. (Its assumption that everyone in the organization has generated their own PAT is nevertheless the better approach: a personal token can be given only the scopes it needs and can be revoked on its own.)
When you set up your .npmrc with this config:
registry=https://npm.pkg.github.com/${OWNER}
//npm.pkg.github.com/:_authToken=${PERSONAL_ACCESS_TOKEN}
then during npm install npm will try to download every dependency of every package from your OWNER registry on GitHub, even though those dependencies are public packages on the default npm registry.
So you can use a scoped registry config like this instead, so that only packages under your own scope are fetched from GitHub and public dependencies keep coming from the default npm registry:
@${OWNER}:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${PERSONAL_ACCESS_TOKEN}
e.g.
@bobrimperator:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=my-generated-token-with-read-permission
Two things to keep in mind: give a token that is only used for installing nothing more than the read:packages scope, and don't commit a literal token into a .npmrc that lives in the repository. npm expands ${VAR} references in .npmrc from the environment, so the ${PERSONAL_ACCESS_TOKEN} form above can be committed while the token itself stays in each developer's or CI environment.
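To make the difference between the global and the scoped .npmrc configurations above concrete, here is an added example (not from the original post, and not npm's own code) that models npm's registry selection rules: a @scope:registry key wins for packages in that scope, otherwise the global registry key applies, which defaults to https://registry.npmjs.org/; the _authToken lookup walks the registry URL path the way npm does (//host/path/:_authToken, then //host/:_authToken). The sample .npmrc contents are constructed for the example using the post's own @bobrimperator scope, the package name @bobrimperator/private-pkg is made up, and the check for literal tokens is this example's own addition.

```javascript
// Added example: a small model of how npm resolves the registry and auth token
// for each dependency from .npmrc. Not npm's own code; the sample configs below
// are constructed to mirror the two setups discussed in the post.

const DEFAULT_REGISTRY = "https://registry.npmjs.org/";

// Parse .npmrc text into key/value pairs. Comments (# or ;) and blank lines are skipped.
function parseNpmrc(text) {
  const config = {};
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

// Registry npm uses for a package: "@scope:registry" if the package is scoped
// and such a key exists, otherwise the global "registry" (default: npmjs).
function registryFor(config, pkgName) {
  if (pkgName.startsWith("@")) {
    const scoped = config[`${pkgName.split("/")[0]}:registry`];
    if (scoped) return scoped;
  }
  return config.registry || DEFAULT_REGISTRY;
}

// Auth token for a registry URL, looked up like npm does: try the full
// "//host/path/:_authToken" key, then walk up the path to "//host/:_authToken".
function authTokenFor(config, registryUrl) {
  const url = new URL(registryUrl);
  const segments = url.pathname.split("/").filter(Boolean);
  for (let depth = segments.length; depth >= 0; depth--) {
    const path = segments.slice(0, depth).map((s) => s + "/").join("");
    const key = `//${url.host}/${path}:_authToken`;
    if (key in config) return config[key];
  }
  return null;
}

// Resolve every dependency: which registry it would be fetched from and
// whether a token would be sent there.
function resolveAll(npmrcText, deps) {
  const config = parseNpmrc(npmrcText);
  return deps.map((name) => {
    const registry = registryFor(config, name);
    return { name, registry, authenticated: authTokenFor(config, registry) !== null };
  });
}

// Token keys whose value is written literally rather than as ${VAR}, which npm
// expands from the environment at run time; a literal token in a committed
// .npmrc is a leaked secret.
function hardcodedTokenKeys(npmrcText) {
  return Object.entries(parseNpmrc(npmrcText))
    .filter(([key, value]) =>
      key.endsWith(":_authToken") && !/^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value))
    .map(([key]) => key);
}

// Constructed sample: global registry pointed at GitHub (the problematic form).
const GLOBAL_CONFIG = [
  "registry=https://npm.pkg.github.com/bobrimperator",
  "//npm.pkg.github.com/:_authToken=${PERSONAL_ACCESS_TOKEN}",
].join("\n");

// Constructed sample: scoped registry (the form the post recommends).
const SCOPED_CONFIG = [
  "@bobrimperator:registry=https://npm.pkg.github.com/",
  "//npm.pkg.github.com/:_authToken=${PERSONAL_ACCESS_TOKEN}",
].join("\n");

// Constructed sample: scoped registry, but with the token pasted in literally.
const LITERAL_TOKEN_CONFIG = [
  "@bobrimperator:registry=https://npm.pkg.github.com/",
  "//npm.pkg.github.com/:_authToken=my-generated-token-with-read-permission",
].join("\n");

// A public dependency and a (made-up) private scoped package.
const DEPS = ["lodash", "@bobrimperator/private-pkg"];

console.log("global registry:", resolveAll(GLOBAL_CONFIG, DEPS));
console.log("scoped registry:", resolveAll(SCOPED_CONFIG, DEPS));
console.log("literal tokens in:", hardcodedTokenKeys(LITERAL_TOKEN_CONFIG));
```

With the global form, lodash resolves to https://npm.pkg.github.com/bobrimperator and your token is sent along with the request; with the scoped form, lodash goes to https://registry.npmjs.org/ without any credentials and only @bobrimperator/private-pkg is fetched from GitHub with the token.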
Further references: Setting up fontawesome pro in your project