Contents x
    npm (Node.js)
    • 01 Sep 2023
    • 6 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    npm (Node.js)

    • Updated on 01 Sep 2023
    • 6 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Article Summary

    A ProGet npm feed is a repository that is compatible with the npm client for NodeJS. ProGet npm feeds support both scoped and unscoped npm packages.

    npm Feed Limitations

    The npm client does not support the use of Windows Integrated Authentication, so ProGet attempts to disable its use for npm API endpoints in favor of basic HTTP authentication. However, disabling Windows Authentication on a URL basis does not work in every environment. If you have trouble getting this to work, you can create a second website in IIS for ProGet with Windows Authentication disabled without purchasing a separate license.

    Build Metadata and npmjs.org

    Although the npm semantic versioning documentation mentions support for SemVer2, there is some inconsistency with build metadata (i.e., versions with a "+" symbol in them). The build metadata is not exposed in many npmjs.org queries, whereas it is exposed in ProGet queries. When using a connector to npmjs.org, this may present unexpected behavior in the npm client, such as packages not found.

    This appears to be limited to a very small number of packages (such as @hot-loader/react-dom; we may change this behavior if it's a continued problem, but please contribute to the discussion at NPM Connector returns plus "+" in versions on the forums.

    npm audit and Proxying

    Npm Audit Proxying is an experimental feature. The npm Audit API is undocumented and npm, Inc. does not support third-party implementations. However, ProGet may attempt to forward requests to the audit endpoint to npmjs.org or a connector. This may stop working if npmjs.org changes the API or blocks ProGet's requests. You can configure the proxy URL in ProGet 5.3 by navigating to the Manage Feed page on your npm feed.

    Creating an npm Feed

    Click on the Feeds tab in the navigation bar to see a list of feeds in the system.

    Click the Create New Feed button and select npm.

    Supply a value for the Feed Name field. This will be the name of your private npm registry, and should contain characters that can be easily typed in a URL. For example, you could use private-npm.

    Click the Create Feed button, and you should be automatically directed to the newly created registry.

    If your ProGet server has access to the Internet, you should see a list of packages from npmjs.org. These are called connector packages and are not hosted on your ProGet instance, but transparently proxied from another server.

    Once you have created the npm feed, you can add a connector for npmjs.org directly to your feed or by clicking on the Connectors tab at the top of the page.

    This way you can access this extensive library in addition to your private ones. Connectors also allow filtering if you want to include only a subset of the external packages; however, by default, no filtering is applied. For more information about connectors, see the documentation.

    Setting up npm

    First, you need to tell npm where to look for its registry; by default, it is configured for npmjs.org. Use the following command and replace proget with the name/port of your ProGet server and private-npm with the name of the npm feed you created above.

    [~]$ npm config set registry http://proget/npm/private-npm

    Installing Packages

    npm packages are installed using npm. To install a package from a ProGet feed, first you will need to set up npm using the command above, then use the following command :

    npm install {package-name}@{package-version}

    npm Token Authentication

    To authenticate to your feed, you'll need to add an _auth token to your .npmrc file. This base-64 encoded token will be sent to ProGet as an authentication header.

    Creating an Auth Token

    An _auth token is a username and password string «username»:«password» that's been base64-encoded We strongly recommend using api as the username, and API Key as the password for this token. You can create one by navigating to Admin > API Key & Access Logs. Feed Access is all that's required, and you can further restrict this key by associating it to a user you've already given specific permissions

    Base64 Encoding is Required

    npm only supports base64-encoded tokens, and you'll need to use a tool to help you create one. You can search on Google to find a website that can do it for you, use the btoa() function in your browser's development console, or a Powershell Script.

    Example: PowerShell Script to Encode an API Key

    Replace «api-key» in the script below with your key.

    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("api:«api-key»"))

    The encoded auth token will be written in the console.

    Example: Encode in your Web Browser

    Press F12 to open the Developer Tools, click on the "Console", then run the following script (replace «api-key»).

    btoa('api:«api-key»')

    The encoded auth token will be written in the console below.

    For npm version 9.4 and above

    npm 9.4+ requires that auth tokens are scoped to a server and url. The following command will add the appropriate value to your .npmrc file.

    [~]$ npm config set //«proget-server»/npm/«npm-feed-name»/:_auth «encoded-auth-token»
[~]$ npm config set //«proget-server»/npm/«npm-feed-name»/:email «your-email-address»

    Make sure to also replace «proget-server» with the name and port of your ProGet server and «npm-feed-name» with the name of your npm feed. It is also recommended that you set the email associated with this registry.

    npm login support

    When using the npm login and the npm adduser commands in npm 9 and above, ProGet 2023.17 or greater is required.

    For npm versions 8 and below

    The following command will add the appropriate value to your .npmrc file.

    [~]$ npm config set always-auth true
[~]$ npm config set _auth «encoded-auth-token»
[~]$ npm config set email «your-email-address»

    Example Steps for Create an npm API Token

    First, create a key by going to ProGet > Admin > API Keys, and entering the value apikey12345 for the key. Make sure that Feed API is checked.

    Next, encode api:apikey12345 as a base64 string using this PowerShell.

    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("api:apikey12345"))

    With a value of api:apikey12345, PowerShell (or any base64 encoder) will will output YXBpOmFwaWtleTEyMzQ1.

    From there, you can execute the following NPM commands:

    • For npm version 9.4 and above
      1. Run npm config set //proget/npm/private-npm:_auth YXBpOmFwaWtleTEyMzQ1
      2. Run npm config set //proget/npm/private-npm:email support@inedo.com
    • For npm version 8 and below
      1. Run npm config set always-auth true
      2. Run npm config set _auth YXBpOmFwaWtleTEyMzQ1
      3. Run npm config set email support@inedo.com

    After that, it should work. Remember, apikey12345 is just a sample value for illustration purposes; it can be anythying, and should not be the value we use in our documentation.

    Using scoped registries

    To use a registries for scoped packages, you'll need to specify the scope and namespace.

    Before setting the auth token, you'll need to set a configuration scope.

    [~]$ npm config set @«scope-name»:registry «feed-api-endpoint»

    Then, you'll need to set a namespace-qualified auth token with these commands:

    [~]$ npm config set //«proget-server»/npm/«npm-feed-name»/:_auth «encoded-auth-token»
[~]$ npm config set //«proget-server»/npm/«npm-feed-name»/:email «your-email-address»

    For example, if you wanted to scope the @kramerica packages to the private-npm feed on the packages.kramerica.corp server, you'd run these commands:

    [~]$ npm config set @kramerica:registry https://packages.kramerica.corp/npm/private-npm
[~]$ npm config set //packages.kramerica.corp/npm/private-npm:_auth YXBpOmFwaWtleTEyMzQ1
[~]$ npm config set //packages.kramerica.corp/npm/private-npm:email support@kramerica.corp

    Advanced: Authenticating using an npmrc file

    The npm config command is the more reliable and safe way to make configuration changes because it contains proper safeguards and validation checks to ensure proper structure in the npmrc file. There are times where you may need to edit the npmrc file directly or create a custom npmrc file to use with the --userconfig parameter to the npm command.

    The npmrc file can be stored:

    • per-project (/path/to/my/project/.npmrc)
    • per-user ($HOME/.npmrc or via the environment variable $NPM_CONFIG_USERCONFIG)
    • global ($PREFIX/etc/npmrc or via the environment variable $NPM_CONFIG_GLOBALCONFIG)
    • npm's installation directory (/path/to/npm/npmrc)
    • User specified with the --userconfig parameter

    Example for npm version 9 and above

    Using the examples from above:

    registry=http://proget/npm/private-npm
always-auth=true
//proget/npm/private-npm:_auth=YXBpOmFwaWtleTEyMzQ1

    For scoped registries, you can also add @kramerica:registry=http://proget/npm/private-npm right after your registry.

    Example for npm version 8 and below

    Using the examples from above:

    registry=http://proget/npm/private-npm
always-auth=true
//proget/npm/private-npm:username=api
//proget/npm/private-npm:_password=YXBpa2V5MTIzNDU=

    The password in this case is a Base 64 encoded version of just your password.

    For scoped registries, you can also add @kramerica:registry=http://proget/npm/private-npm right after your registry.

    Publishing a Package

    You can also publish packages to ProGet using npm. First, configure npm token authentication for your feed using an account or an API key that has the Add Package permission, then run the npm publish command. For example:

    [~]$ npm publish package.tgz
    Was this article helpful?
    What's Next
    Windows-first DevOps Tools.
    Products
    Company
    Support
    Follow us
    My Inedo
    Connect with Inedo
      Copyright © Inedo LLC. All Rights Reserved