
I'm using Gem Fury for some of our private packages. I set the yarn registry to use their proxy for public and our private node modules:

yarn config set registry "https://npm-proxy.fury.io/$GEMFURY_TOKEN/username"

GEMFURY_TOKEN is set in .bash. yarn config get registry produces:

https://npm-proxy.fury.io/$(GEMFURY_TOKEN)/username

When we run yarn, the yarn.lock file will generate this:

private-module@0.1.0:
  version "0.1.0"
  resolved "https://npm.fury.io/username/private-module/-/0.1.0.tgz?auth=<GEMFURY TOKEN>"
  dependencies:
    ember-cli-babel "^5.1.6"

private-module-2@0.1.4:
  version "0.1.4"
  resolved "https://npm.fury.io/username/private-module-2/-/0.1.4.tgz?auth=<GEMFURY TOKEN>"
  dependencies:
    ember-cli-babel "^5.1.6"
    ember-inflector "^1.9.6"

I don't want private tokens in the git repository. Is there a way I can exclude the token from being added to the yarn.lock file on generation?

tk421
Danielle Adams

2 Answers


Try to set up npm as described in Gem Fury documentation. The crucial parts are setting always-auth to true and using npm login.

If this doesn't help then you can use Git pre-commit hooks that will remove credentials from yarn.lock when changes are committed to the Git repository.

SergeyLebedev
  • Yes, I'm afraid that might be the only practical option so far. What I don't like about it is that it requires so much discipline from the developer (adding the hook every time you create a new repo that uses private packages), and it's rather low level and not generic: you might have to customise the hook for a specific pattern depending on your private registry. And finally, what if you're using something else than Git? I'll keep the bounty running for now, but you just might win it. – Miklos Aubert Mar 09 '18 at 15:13
  • BTW have you tried to set up `yarn` as described here: https://gemfury.com/help/private-yarn/, does it still save credentials in `yarn.lock` then? – SergeyLebedev Mar 09 '18 at 22:46
  • Also here is a feature request exactly on your issue: https://github.com/yarnpkg/yarn/issues/5024, but `yarn` maintainers refused to implement it. – SergeyLebedev Mar 09 '18 at 22:50
  • We managed to solve the problem by using a similar setup as the one described in the Gem Fury documentation you mentioned (we are using MyGet). If you would kindly update your answer to reflect this, I think this would make a great canonical answer. The crucial parts are setting `always-auth` to `true` and using `npm login`. – Miklos Aubert Mar 13 '18 at 17:48
  • Thanks for the responses, all. – Danielle Adams May 25 '18 at 17:23

We solved this problem recently, but the Gemfury documentation doesn't really make it obvious. If you need to pull or push in your CI build then I don't think you should use npm login as that will modify your home .npmrc, which isn't very helpful. We found that all you need to do is change your project's .npmrc to use the shared organization account. This way you can have your project's .npmrc version controlled so your developers and your CI server can read from the same registry URL while keeping your lock file token-free:

@MY_ORG:registry=https://npm-proxy.fury.io/MY_ORG/
always-auth=true
//npm-proxy.fury.io/MY_ORG/:_authToken=${GEMFURY_TOKEN}
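Both answers depend on yarn.lock actually ending up token-free, so here is an added check (not code from either answer, from Gemfury or from yarn) that can serve as the pre-commit hook the first answer mentions, or as a CI guard after switching to the second answer's .npmrc: it scans the lockfile's `resolved` URLs for an `auth`-style query parameter or embedded userinfo, reports each hit with its line number, and returns a scrubbed copy. The `SAMPLE_LOCK` text, the `EXAMPLE-TOKEN-123` value and the `#sha1-placeholder` fragment are constructed for the demonstration.

```python
import re
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Matches the `resolved "<url>"` lines of a yarn.lock v1 entry.
RESOLVED_RE = re.compile(r'^(\s*resolved\s+")([^"]+)(")\s*$')
SECRET_KEYS = {"auth", "token", "_authtoken"}  # query keys treated as credentials

def url_credentials(url):
    """Return the reasons this URL embeds a credential (empty list if it is clean)."""
    parts = urlsplit(url)
    reasons = ["userinfo in URL"] if (parts.username or parts.password) else []
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_KEYS:
            reasons.append(f"query parameter '{key}'")
    return reasons

def scrub_url(url):
    """Drop credential query parameters and userinfo; keep scheme, host, path, fragment."""
    parts = urlsplit(url)
    query = urlencode([(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                       if k.lower() not in SECRET_KEYS])
    host = parts.netloc.rsplit("@", 1)[-1]  # strip a user:pass@ prefix if present
    return urlunsplit((parts.scheme, host, parts.path, query, parts.fragment))

def scan_lockfile(text):
    """Return (findings, scrubbed_text); findings is a list of (line_no, url, reasons)."""
    findings, out = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = RESOLVED_RE.match(line)
        if m and (reasons := url_credentials(m.group(2))):
            findings.append((line_no, m.group(2), reasons))
            line = m.group(1) + scrub_url(m.group(2)) + m.group(3)
        out.append(line)
    return findings, "\n".join(out) + "\n"

# Constructed sample in the shape of the question's yarn.lock; the token value is made up.
SAMPLE_LOCK = '''private-module@0.1.0:
  version "0.1.0"
  resolved "https://npm.fury.io/username/private-module/-/0.1.0.tgz?auth=EXAMPLE-TOKEN-123"
ember-cli-babel@^5.1.6:
  version "5.1.6"
  resolved "https://registry.yarnpkg.com/ember-cli-babel/-/ember-cli-babel-5.1.6.tgz#sha1-placeholder"
'''
if __name__ == "__main__":  # usage: python check_lock.py [yarn.lock]; non-zero exit blocks the commit
    path = sys.argv[1] if len(sys.argv) > 1 else "yarn.lock"
    found, _ = scan_lockfile(open(path, encoding="utf-8").read())
    for line_no, url, reasons in found:
        print(f"{path}:{line_no}: credential in resolved URL ({', '.join(reasons)})")
    sys.exit(1 if found else 0)
```

Wire it up as `.git/hooks/pre-commit` (or a CI step) and a lockfile that still carries `?auth=` fails the commit instead of reaching the repository.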