The documentation currently recommends adding a prefix to private package names. This has a major downside: if a machine is not properly set up, an npm publish could send the package to the public registry, and if there is no package with that name in the public registry it will be added. It's first-come-first-served in the public registry.
As discussed in https://github.com/verdaccio/verdaccio/issues/593#issue-299997996, verdaccio also supports private scopes. The public NPM registry will reject attempts to publish to a scoped module from users who are not maintainers or exactly named as the scope.
For example, foobar-express is (as of this message) not taken on the registry, so anyone could publish to that name by accident. @foobar/express does not currently exist. The only user who can publish the first version to the public registry is the user named "foobar".
Scoping has the additional advantage of not requiring the --registry flag when publishing. You just have to login once, using the --scope parameter to tell the npm client that the login is only for that scope. So the new recommendations would be:
# Login (only required once)
$ npm adduser --registry http://localhost:4873 --scope=@mycompany
# No need to specify --registry when publishing!
$ npm publish
In addition to preventing accidents and simplifying routine commands, it obviates the need for an uplink. The .npmrc file doesn't support package-level registry (so you can't tell it to use one registry for "foobar-express" and a different registry for "bazqux-express"), but it does support scope-level registry. This means you can run a private instance offsite without potentially wasting the bandwidth of proxying the public repo.
With that in mind, would it make sense to change the recommendation in the docs to prefer private scopes instead of prefixed modules? https://github.com/verdaccio/verdaccio/pull/1058 started the process by mentioning the scoped option in README.md
> if a machine is not properly set up, an npm publish could send the package to the public registry, and if there is no package with that name in the public registry it will be added.
I've been there (I blame myself, even though I published this project by mistake twice). So since then, I use https://blog.npmjs.org/post/175861857230/two-factor-authentication-protection-for-packages
We don't support 2FA (https://github.com/verdaccio/verdaccio/pull/1034) but I guess it might be possible after #1034 is merged and https://github.com/verdaccio/verdaccio/issues/913 has a PR. 2FA enabled will save a lot of headaches for sure.
Worth mentioning that yarn does not support scopes from private registries yet: https://github.com/yarnpkg/yarn/issues/5730. About pnpm I'm not sure.
> In addition to preventing accidents and simplifying routine commands, it obviates the need for an uplink. The .npmrc file doesn't support package-level registry (so you can't tell it to use one registry for "foobar-express" and a different registry for "bazqux-express"), but it does support scope-level registry.

Yes, perhaps we should point out multi scope-level settings; it's a handy feature that is not well highlighted in the npm docs.
> This means you can run a private instance offsite without potentially wasting the bandwidth of proxying the public repo.

For those who are not aware of it, we should point out that using the @scope approach the npm client will bypass the proxy, losing the advantage of caching public dependencies.
I agree with the update at #1058, but I guess we might provide more info to the reader.
@SheetJSDev on your remark, _if a machine is not properly set up, an npm publish could send the package to the public registry_.
Even for scoped / private modules I add the following to package.json:

```json
"publishConfig": {
  "registry": "https://MY-REGISTRY"
}
```
See also: https://docs.npmjs.com/files/package.json#publishconfig
I created a document for this, please, feel free to add additions to it.
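The three mechanisms discussed in this thread (a `@scope:registry` line in `.npmrc`, `publishConfig.registry` in package.json, and the unscoped-name fallback to the public registry) compose in a fixed order, and the accident the opening post describes happens when that order resolves to registry.npmjs.org on a machine that was never set up. The script below is an added example, not Verdaccio code or anything posted by the participants: it mirrors npm's resolution order (publishConfig.registry, then the scope's registry from `.npmrc`, then the plain `registry` key, then npm's built-in default) and refuses when the target is the public registry. The `.npmrc` contents, package names and the `http://localhost:4873/` Verdaccio URL are constructed sample inputs; the `.npmrc` parser handles only the `key=value` lines needed here.

```javascript
// Added example (not part of Verdaccio): work out which registry `npm publish`
// would hit for a given package.json + .npmrc, and block if it is the public one.
// Resolution order mirrors npm: publishConfig.registry, then `@scope:registry`
// from .npmrc, then the plain `registry` key, then npm's built-in default.
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Minimal .npmrc parser: `key=value` lines; `#` and `;` comment lines ignored.
// Keys like `//localhost:4873/:_authToken` contain ':' but the first '=' splits.
function parseNpmrc(text) {
  const config = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    config[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return config;
}

// "@foobar/express" -> "@foobar"; unscoped names -> null.
function scopeOf(name) {
  const m = /^(@[^/]+)\/[^/]+$/.exec(name);
  return m ? m[1] : null;
}

// Effective publish registry plus which setting decided it.
function resolvePublishRegistry(pkg, npmrcText) {
  if (pkg.publishConfig && pkg.publishConfig.registry) {
    return { registry: pkg.publishConfig.registry, source: 'publishConfig' };
  }
  const config = parseNpmrc(npmrcText);
  const scope = scopeOf(pkg.name);
  if (scope && config[`${scope}:registry`]) {
    return { registry: config[`${scope}:registry`], source: `${scope}:registry` };
  }
  if (config.registry) return { registry: config.registry, source: 'registry' };
  return { registry: PUBLIC_REGISTRY, source: 'npm default' };
}

function isPublicRegistry(url) {
  return new URL(url).hostname === 'registry.npmjs.org';
}

// Preflight for a package that must stay private: ok === false means the
// publish would land on the public registry and should not be run.
function preflight(pkg, npmrcText) {
  const { registry, source } = resolvePublishRegistry(pkg, npmrcText);
  return { ok: !isPublicRegistry(registry), registry, source };
}

// Constructed sample inputs (hypothetical packages and machines).
const NPMRC_CONFIGURED = `
# Verdaccio serves only the @foobar scope; everything else goes straight to npm
@foobar:registry=http://localhost:4873/
//localhost:4873/:_authToken=REDACTED
`;
const NPMRC_BLANK = ''; // fresh machine that never ran `npm adduser --scope`

const UNSCOPED = { name: 'foobar-express', version: '1.0.0' };
const SCOPED = { name: '@foobar/express', version: '1.0.0' };
const PINNED = {
  name: 'foobar-express',
  version: '1.0.0',
  publishConfig: { registry: 'http://localhost:4873/' },
};

const SCENARIOS = [
  ['unscoped name, blank .npmrc', UNSCOPED, NPMRC_BLANK],
  ['scoped name, configured .npmrc', SCOPED, NPMRC_CONFIGURED],
  ['scoped name, blank .npmrc', SCOPED, NPMRC_BLANK],
  ['publishConfig.registry, blank .npmrc', PINNED, NPMRC_BLANK],
];

for (const [label, pkg, rc] of SCENARIOS) {
  const r = preflight(pkg, rc);
  console.log(`${label}: ${r.ok ? 'OK' : 'BLOCKED'} -> ${r.registry} (${r.source})`);
}
```

The third scenario is the one worth noticing: a scoped name alone does not save a machine with a blank `.npmrc`; npm would still aim at the public registry and only the registry's own ownership check on the scope stands between you and a leak. `publishConfig.registry` (fourth scenario) travels with the repository, so it holds even where the scope login was never done, which is why it pairs well with scoping rather than replacing it.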
This thread has been automatically locked since there has not been any recent activity after it was closed.
We lock tickets after 90 days with the idea to encourage you to open a ticket with new fresh data and to provide you better feedback and better visibility.
If you consider it useful, you can attach this ticket to the new one as a reference for better context.
Thanks for being a part of the Verdaccio community!