npm (Node.js)
npm (Node Package Manager) is the widely used package manager for JavaScript, enabling developers to manage and share libraries, frameworks, and utilities.
Using ProGet Feeds as npm repositories will let you to consolidate your package management and maintain control over which packages are used in your organization. In addition to publishing and hosting your private npm packages, ProGet can serve as a proxy for public npm repositories, helping you cache and control dependencies that are pulled from npmjs.com.
This page covers setting up npm and Yarn clients with ProGet. Additionally, you can also use pnpm with ProGet. The commands are similar, but we recommend reading the official documentation for details.
Adding an npm Feed as a Source
To publish and install packages from your npm feed in ProGet, you'll need to add it as a source in your npm client. To do this you will need to use the npm config set registry command:
$ npm config set registry http://«proget-url»/npm/«feed-name»
Or in Yarn, by using the yarn config set registry command:
$ yarn config set registry http://«proget-url»/npm/«feed-name»
You can confirm that the feed has been set correctly by using npm get registry for npm, yarn config get registry for Yarn.
For more information, as well as how to proxy npm packages, you can read our HOWTO: Proxy Packages from the npm Registry in ProGet guide.
Authenticating to npm Feeds
By default, npm feeds in ProGet do not require authentication and can be viewed anonymously. However, you can set a feed to require authentication to access.
Feeds can be authenticated with a username and password string «username»:«password» but we strongly recommend using an API key instead. You can read more about creating one on our API Key page.
When creating an API Key, fill in the fields by selecting "Feeds ("Use Certain Feeds)" as the "Feed Type" and selecting the Conda feed to authenticate to. Make sure that the required permission boxes are checked, and then select "Save".
To authenticate you'll need to add an _auth token. This is the string api:«api-key» (or «username»:«password») that's been base64-encoded.
[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("api:«api-key»"))
Or press F12 to open the Developer Tools, click on the "Console", then run the following script:
btoa('api:«api-key»')
If you haven't already, configure your npm client with your npm feed using the npm config set registry command:
$ npm config set registry http://«proget-url»/npm/«feed-name»
Using npm/yarn login
The easiest way to authenticate with an npm feed is to use the npm login command. To log in to a ProGet feed:
npm login --registry http://«proget-url»/npm/«feed-name»
or
yarn login --registry http://«proget-url»/npm/«feed-name»
You will then be prompted for a user name and password. To use an API key, enter api as the user name
and your API key as the password.
(Advanced) Authenticating using an .npmrc or .yarnrc file
Using the CLI to authenticate is preferred, but if you need to configure authentication noninteractively, you can
edit the .npmrc or .yarnrc configuration files directly. For example, to use an API key with your ProGet feed,
your configuration files should look like this:
npm
registry=http://proget/npm/private-npm
always-auth=true
//proget/npm/private-npm:_authToken=«API KEY»
Yarn
registry "http://proget/npm/private-npm"
always-auth true
_authToken=«API KEY»
For more information, see Auth related configuration
in the npm documentation.
Using scoped registries
To use a registry for scoped packages, you'll need to specify the scope and namespace.
Before setting the auth token, you'll need to set a configuration scope with npm config set:
$ npm config set @«scope-name»:registry «feed-api-endpoint»
Or in Yarn with yarn config set:
$ yarn config set @«scope-name»:registry «feed-api-endpoint»
For example, if you wanted to scope the @kramerica packages to the private-npm feed on the packages.kramerica.corp server, you'd run these commands:
$ npm config set @kramerica:registry https://packages.kramerica.corp/npm/private-npm
$ npm config set //packages.kramerica.corp/npm/private-npm:_authToken «API KEY»
$ npm config set //packages.kramerica.corp/npm/private-npm:email support@kramerica.corp
The same example can be applied to Yarn with yarn config set instead.
Installing npm Packages
After creating an npm feed and setting it up in your npm client, you can install packages using the npm install command:
$ npm install «package-name»@«package-version»
Or in Yarn using the yarn add command:
$ yarn add «package-name»@«package-version»
Vulnerabilities & npm Audit
Starting in ProGet 2023.22, npm audit support has been added to pull vulnerability data directly from ProGet. You can also use yarn audit in Yarn for similar functionality. This is enabled by default on all npm feeds that have the vulnerability display and blocking feed feature enabled. Support can be enabled, disabled, or configured to proxy to a remote source by navigating to the npm feed's "Manage Feed" page and configuring npm audit setting.
Using npm audit together with ProGet's Vulnerability Scanning and Blocking allows you to assess detected vulnerabilities and how they affect your organization.
If you previously have configured your npm feed to use an npm audit proxy and want to use ProGet's vulnerability details instead, you will need to change the npm audit settings on your feed's Manage Feed page.
You can also use ProGet's Policies & Compliance Rules to define rules about licensing, vulnerability, deprecation, etc. This will let you block download or usage of any packages you have defined as "noncompliant".
Prior to ProGet 2023.22
Npm Audit Proxying is an experimental feature. ProGet may attempt to forward requests to the audit endpoint to npmjs.org or a connector. This may stop working if npmjs.org changes the API or blocks ProGet's requests. You can configure the proxy URL in ProGet 5.3 by navigating to the "Manage Feed" page on your npm feed.
Creating and Publishing Your Own Packages
You can also create and publish packages to ProGet using npm. First, you will need to authenticate to your npm feed using an account or an API key that has the "Add Package" permission, then run the npm publish command:
$ npm publish package.tgz
Or run yarn publish if using Yarn:
$ yarn publish package.tgz
This command will publish package.tgz to your npm feed in ProGet. For a more detailed guide on creating and publishing your own npm packages you can read HOWTO: Publish npm Packages to a Private Registry in ProGet
Troubleshooting
Error: Unable to query https://npm.pkg.github.com/
GitHub npm connectors work a bit differently than other connectors. GitHub does not implement the full npm API specification so certain things like package count and the search API are not working. To get around this in ProGet, you will need to make sure that you have updated to at least ProGet 2023.20 and then use the following settings:
- On the General tab
- For the URL use
https://npm.pkg.github.com/<OWNER> - For Authentication
- Use Basic authentication
- For the username, use your GitHub username
- For the password, use your and then use a Personal Access Token (classic)
- On the Advanced tab
- Check "Exact package name match only"
- Check "Do not perform health check"
That should allow you to search for the package by the exact package name and allow your npm applications to pull the packages properly.
Please note that partial name searches may not return any values from your GitHub connector since GitHub has not implemented the search API.
Error: Unable to Disable Windows Integrated Authentication
The npm client does not support the use of Windows Integrated Authentication, so ProGet attempts to disable its use for npm API endpoints in favor of basic HTTP authentication. However, disabling Windows Authentication on a URL basis does not work in every environment. If you have trouble getting this to work, you can create a second website in IIS for ProGet with Windows Authentication disabled without purchasing a separate license.