155

We are using GitLab for our private project. There are some forked libraries from github, that we want to install as npm module. Installing that module directly from npm is ok and for example this:

npm install git://github.com/FredyC/grunt-stylus-sprite.git

...works correctly too, but doing the same for GitLab, just changing domain gets me this error.

npm WARN `git config --get remote.origin.url` returned wrong result (git://git.domain.com/library/grunt-stylus-sprite.git)
npm ERR! git clone git://git.domain.com/library/grunt-stylus-sprite.git Cloning into bare repository 'D:\users\Fredy\AppData\Roaming\npm-cache\_git-remotes\git-git-domain-com-library-grunt-stylus-sprite-git-6f33bc59'...
npm ERR! git clone git://git.domain.com/library/grunt-stylus-sprite.git fatal:unable to connect to git.domain.com:
npm ERR! git clone git://git.domain.com/library/grunt-stylus-sprite.git git.domain.com[0: 77.93.195.214]: errno=No error
npm ERR! Error: Command failed: Cloning into bare repository 'D:\users\Fredy\App
Data\Roaming\npm-cache\_git-remotes\git-git-domain-com-library-grunt-stylus-spr
ite-git-6f33bc59'...
npm ERR! fatal: unable to connect to git.domain.com:
npm ERR! git.domain.com[0: xx.xx.xx.xx]: errno=No error

From the web interface of GitLab, I have this URL git@git.domain.com:library/grunt-stylus-sprite.git. Running this against npm install it tries to install git module from npm registry.

However using URL: git+ssh@git.domain.com:library/grunt-stylus-sprite.git is suddenly asking me for the password. My SSH key doesn't include passphrase, so I assume it wasn't able to load that key. Maybe there is some configuration for that I have missed ? Key is located at standard location in my home directory with the name "id_rsa".

I am on Windows 7 x64.

UPDATE

Since NPM v3 there is built-in support for GitLab and other sources (BitBucket, Gist), from where you can install packages. It works for public and private ones so it's not exactly related to this, but some might find it useful.

npm install gitlab:<gitlabname>/<gitlabrepo>[#<commit-ish>]

Check out documentation: https://docs.npmjs.com/cli/install

I you want to work with private repos in Gitlab you are required to manage your credentials/auth-token in your .npmrc. See here: https://docs.gitlab.com/ee/user/packages/npm_registry/#authenticate-to-the-package-registry

StephanB
  • 315
  • 2
  • 17
FredyC
  • 3,999
  • 4
  • 30
  • 38
  • 1
    so what is the actual gitlab url I use? I just see `` i tried several variations and it still says project not found. – chovy Jan 19 '17 at 08:02
  • 1
    `$ npm i -S git+ssh://git@gitlab.com/org/repo.git` does not work – chovy Jan 19 '17 at 08:04
  • Gitlab npm registry can also be used for private packages without any issues. Authentification can be handled in .npmrc file, see here: https://stackoverflow.com/a/42648251/4236831 – StephanB Dec 20 '21 at 10:07

11 Answers11

216

You have the following methods for connecting to a private gitlab repository

With SSH

git+ssh://git@git.mydomain.com:Username/Repository#{branch|tag}
git+ssh://git@git.mydomain.com/Username/Repository#{branch|tag}

With HTTPS

git+https://git@git.mydomain.com/Username/Repository#{branch|tag}

With HTTPS and deploy token

git+https://<token-name>:<token>@gitlab.com/Username/Repository#{branch|tag}
sidhuko
  • 3,274
  • 1
  • 17
  • 22
  • Yeah, that's pretty much what I have figured out. You can even specify branch or tag like `Repository#1.2.3`. I will change answer tick since this is more accurate. – FredyC Nov 19 '14 at 15:29
  • 1
    @jamessidhu I am not sure but its asking me password even with SSH. Upon giving password it is giving me error. Any idea how to resolve it? – codesnooker May 14 '15 at 08:37
  • @codesnooker Have you setup a [SSH key in Gitlab](http://doc.gitlab.com/ce/ssh/README.html)? If keys aren't authorised between your machine and remote it'll default to password like access to a server. – sidhuko May 15 '15 at 09:37
  • The issue is with Yosemite. SSH is not working on WIFI. I plugged In LAN cable and was able to do the commit. Thanks for your solution. – codesnooker May 23 '15 at 23:51
  • 5
    This actually only works for me with true URL syntax, e.g. `git+ssh://git@git.mydomain.com/Username/Repository` (note the / separating host and username). This may be a yarn specific thing, perhaps the suggested example does work with npm – Ivo van der Wijk Dec 27 '16 at 12:10
  • Current docs suggest both work so it maybe it is the git service you're connecting too, or, you're on a latest of npm and they've broken/removed this feature. I've not looked further but edited per your suggestion. Thanks! :) – sidhuko Jan 03 '17 at 13:58
  • Could you provide more details please? – sidhuko Jan 20 '17 at 10:59
  • That worked for me: `git+ssh://git@gitlab.com:mydomain/myrepo.git` – JulienD May 16 '18 at 09:18
  • 2
    deploy token works great. `` in the example looks like `gitlab+deploy-token-17034`, it's not the arbitrary name you assign to the token. – Mr5o1 Sep 23 '18 at 03:08
  • git+https worked for me. You HAVE to have `#branch` at the end. – chovy Feb 26 '20 at 20:01
  • You would be exposing your keys to the git history since the package.json file is usually committed. What you need is deploy keys. – Logus Graphics Feb 22 '21 at 21:21
  • Then you're exposing your deploy keys. You should have read only access on any key you generate. It is a solution to do it temporary before you publish a package. It's a good solution if you're waiting on a PR to be merged to an open source package. – sidhuko Feb 24 '21 at 02:00
  • It would be nice if you could clearly state which parts of those URLs are placeholders. – Jonas Rosenqvist Apr 26 '21 at 05:54
  • Personally it worked with SSH but not with deploy token, locally – Konrad May 04 '21 at 13:00
  • Similar findings as @Mr5o1, gitlab called and it refers to as "password" in the UI. https://docs.gitlab.com/ee/user/project/deploy_tokens/index.html#usage – Tom Mertz Aug 24 '22 at 01:10
49

Update

As @felix mentioned in comments (thanks @felix) using deploy token is much more relevant for reading a private registry on gitlab. This way is the token is compromised, attacker just can read that repository and cannot make changes.

Creating a Deploy Token

  1. Log in to your GitLab account.
  2. Go to the project you want to create Deploy Tokens for.
  3. Go to Settings > Repository.
  4. Click on Expand on Deploy Tokens section.
  5. Choose a name and optionally an expiry date for the token.
  6. Choose the desired scopes. <= select read_repository
  7. Click on Create deploy token.
  8. Save the deploy token somewhere safe. Once you leave or refresh the page, you won’t be able to access it again.

Old answer

Goto User Settings > Access Tokens and create a new access token with read_registry permission.

enter image description here

Copy generated token, we need it for our package.json file.

enter image description here

Now in package.json add the dependency as below:

"my-module": "git+https://Xaqron:token@gitlab.com/Xaqron/my-module"

Replace Xaqron with your username and token with the generated token. You can specify branch and tag at the end of url by #{branch|tag}.

Note: Since access token is located in package.json anyone who has access to this project can read the repository, so I assume your project is private itself.

Xaqron
  • 29,931
  • 42
  • 140
  • 205
  • 6
    The other way is to create a Deploy Token for that specific repository. Then it doesn't grant read access for all of your repos. `"private-module": "git+https://gitlab+deploy-token-username:deploy-token@gitlab.com/you/project",` – Chris Sattinger Nov 13 '18 at 09:52
  • `npm ERR! enoent undefined ls-remote -h -t https://puump:pass@gitlab.com/puump/puump-content.git` – chovy Feb 25 '20 at 23:58
  • 2
    @chovy: Install `git` [see](https://stackoverflow.com/questions/56473680/npm-install-shows-error-with-git-not-found) – Xaqron Feb 26 '20 at 09:44
  • 4
    I want also point out that if your project is inside a group, then you should define this: `"private-module": "git+https://gitlab+deploy-token-username:deploy-token@gitlab.com/group_name/project"`, so instead of `your username`, you have to define `group_name` before the project name – sfarzoso Jul 08 '20 at 09:57
38

Instead of git://, use git+ssh:// and npm should do the right thing.

isaacs
  • 16,656
  • 6
  • 41
  • 31
9

Although the question is about Gitlab, this question is quite well ranked in google search, so here is some more information about how to fix a similar issue I got with Github.

For me, only changing the url didnt make it work. Here are the steps I had to take to fix this :

  • git+ssh://git@github.com:owner/repo.git#master
  • Create a deploy key and add it to the repo
  • Edit git config (~/.ssh/config create the file if it doesnt exist) to force the use of the DeployKey instead of the default ssh key

After that the npm install simply worked. All the other options and solutions resulted of the npm install breaking

Sephy
  • 50,022
  • 30
  • 123
  • 131
8

For me set the package.json as below works.

"dependencies": {
    "<module-name>": "git+http://<username>:<token>@url.git",
}

The token is get from your "Profile Settings - Access Token".

shentaoy
  • 648
  • 7
  • 5
  • This worked for me as well. I'm working behind a proxy with self signed certificate. – Stefano Mozart Mar 21 '18 at 17:19
  • this actually worked for me but I wonder if it is a good idea to leave the token in the package.json since other might use it for writing ? gitlab (at least in my case) is not allowing me to create a read-only access token but only a full-access one. what do you think? – cancerbero Mar 28 '18 at 21:20
  • Note: GitLab 10.7 (released April 2018) added project-level "Deploy Tokens". These should be used instead of a user-level "Access Token". [docs link](https://docs.gitlab.com/ee/user/project/deploy_tokens/) –  Jan 16 '20 at 12:18
7

None of the other answers worked for me for a private gitlab.com repo...

This works however:

npm i -S git+ssh://git@gitlab.com:<org>/<project>.git

Its just the git ssh clone url from the project page's "clone" input field with git+ssh:// added to the front of it.

chovy
  • 72,281
  • 52
  • 227
  • 295
6

Just for anyone else who stumbles across this, I couldn't get it working over HTTPS at all - seems it doesn't support the direct link to the repo (e.g. https://git.domain.com/user/somerepo.git), nor does it support the .tar, .tar.bz or .zip archive versions.

It only seems to work with the .tar.gz archive.

Full example (with tagged version):

https://git.domain.com/user/somerepo/repository/archive.tar.gz?ref=v1.2.3

chrisfrancis27
  • 4,516
  • 1
  • 24
  • 32
3

As far as I can tell where you're going wrong is the git:// protocol. GitLab only supports HTTP(s) and SSH for clones. So you must use one of those methods instead of the git protocol.

Sam Gleske
  • 950
  • 7
  • 19
3

Gitlab now has a package registry where it's possible to build, deploy and host npm packages. With private repositories, it's possible to provide fine-grain access control over the repository contents and the packages.

NPM Packages can be installed from private Gitlab repositories by adding a .npmrc file alongside package.json. More info here. Although it gets complicated when using multiple deploy tokens for different repositories in the same codebase.

With Gitlab it's possible to access the package .tgz file directly with HTTPS and deploy token. Simply add the project dependency like this:

"@foo/bar": "https://<username>:<token>@gitlab.com/api/v4/projects/<project-id>/packages/npm/@foo/bar/-/@foo/bar-1.0.0.tgz"

@foo/bar is present twice in the URL. @foo is the project scope and bar is the module name and 1.0.0 is the module name. project-id (8-digit numeric) is the Gitlab project ID, which can be seen from the project page under the name. It's possible to even omit @foo from the module name(but not the link).

Using multiple modules with the same scope and different deploy tokens makes managing private repositories secure. Also Deploy tokens may only have access to package registry which means, the end-user will not be able to access the complete source code from the repositories.

Palash Bansal
  • 708
  • 4
  • 9
1

This solution only works with yarn, not npm, but...

If you need to install the dependency in an environment that has neither git nor ssh executables available (like inside docker), you can create a tarball link using repo access key with read API access and then reference it like this:

package.json

{
  "dependencies": {
    "your-lib-name": "https://gitlab.com/api/v4/projects/1234567/repository/archive?private_token=ABC_123asdfg&sha=abcdef0123456789abcdef0123456789abcdef01",

Where:

  • 1234567 is your Project ID, which can be seen on it's gitlab Project overview page.
  • ABC_123asdfg is the project Access Key with API Read permission that you created
  • abcdef0123456789abcdef0123456789abcdef01 is the commit hash
Klesun
  • 12,280
  • 5
  • 59
  • 52
0

if you want a secure way that works both in your gitlab pipelines and locally (ssh locally and https + CI_JOB_TOKEN in pipelines):

Locally:

  • place the dependency in your package.json like this "package-name": gitlab:group-name/repo-name#2.5.31 -> this way you can download it through ssh locally

Additional CI setup:

  • go to the repo that you want to reference by npm and enable token access of the repo where the pipeline runs. enter image description here
  • place this somewhere in front of your npm install command git config --global url."https://gitlab-ci-token:$CI_JOB_TOKEN@gitlab.com".insteadOf "ssh://git@gitlab.com" -> this way you can download it also in the pipeline.
Julian Dm
  • 363
  • 2
  • 17