HOWTO: Proxy Packages from the npm Registry in ProGet
With ProGet you can create "Feeds" to proxy packages from the npm Registry (www.npmjs.com) and install them just as you would when installing them from the npm Registry directly.
Using ProGet as a proxy will cache packages, allowing teams to access them even if the npm Registry is down. ProGet will also let you audit packages and assess any vulnerabilities, as well as tell you which packages are being downloaded and used frequently.
This guide will cover how to set up a feed to proxy packages. We'll also cover how to create a private registry for your internal packages as an alternative to the npm Registry's paid private repositories (npm Teams/npm Pro).
Step 1: Create a New Feed
First, we will create an npm feed that will proxy packages from the www.npmjs.com.
Start by selecting "Feeds" and "Create New Feed". Next, select "npm Packages", as we will be creating feeds to proxy and host npm packages.
Now select "Connect to npmJS.org" which will allow us to proxy packages from the npm Registry.
Then select "No, Create One Feed", as we will be creating a single feed to proxy npm packages. From here, name the feed (we will call it public-npm
for this guide). Then click "Create Feed".
We are then presented with several options. Keeping these checked will allow your feed to use ProGet's Vulnerability Scanning and Blocking amd Licensing Detection and Blocking features. This will allow you to use npm audit
to scan packages for vulnerabilities. Select "Set Feed Features", which will create the feed, and redirect you to the newly created public-npm
feed, now populated with packages proxied from the npm Registry.
Step 3: Add the Feed to npm Clients
For your team to install packages from the public-npm
feed, you'll need to add it as a source in their npm clients. For this, you will need feed's URL. This can be found at the top right of the feed's page.
Now configure your npm client with your public-npm
feed with npm config
:
Using npm
$ npm config set registry http://«proget-url»/npm/«feed-name»
Or in Yarn with yarn config
:
$ yarn config set registry http://«proget-url»/npm/«feed-name»
You can confirm that the feed has been set correctly by using npm get registry
for npm, yarn config get registry
for Yarn.
(Optional) Authenticating to Your npm Feed
By default your public-npm
feed does not require authentication and can be viewed anonymously. However, you may want to make your feed private and require authentication to access. Authentication is done by creating an _auth
token and then configuring it in your npm client.
(Optional) Auditing npm Packages
If you enabled "Scan for Security Vulnerabilities" when you created a feed you can use npm-audit to scan for vulnerabilities in packages by simply running either npm audit
or yarn audit
.
Using npm audit
with Vulnerability Scanning and Blocking, lets you assess vulnerabilities in packages, and how they impact your organization.
You can also set up Policies & Compliance Rules to create rules for vulnerabilities, licenses, deprecated packages, etc. Setting these up lets you block any packages that are considered "noncompliant".
(Optional) Creating a Package Approval Flow
In this guide we looked at proxying packages from the npm Registry. However, with no form of approval, developers will be able to install any OSS packages without oversight. In many cases, it's important to include some form of oversight in development or production, which can be done by creating a "Package Approval Flow".
To set up a package approval flow, refer to HOWTO: Approve and Promote Open-source Packages. This guide uses NuGet feeds as an example, but the steps are identical when creating npm package feeds.
After creating your "Unapproved" and "Approved" feeds, follow the steps in "Add the Feed to npm Cients" to add the "Approved" feed (e.g. npm-approved
) as a source in your npm client using npm config
:
$ npm config set registry http://«proget-url»/npm/npm-approved
Or in Yarn with yarn config
:
$ yarn config set registry http://«proget-url»/npm/npm-approved