How to use (environment) variables for a package.json dependency in npm?

Question

In npm, I want to be able to install a package from a private GitHub repo as a dependency through the git+https way without having to hardcode the actual github_username:personal_access_token, but rather plug them into the dependency string as (environment) variables.

So instead of

package.json:

...
"dependencies": {
  ...
  "my-private-github-repo": "git+https://<github_username>:<personal_access_token>@github.com/some/package.git",
  ...
}

I would like something like this:

package.json:

...
"dependencies": {
  ...
  "my-private-github-repo": "git+https://${github_username}:${personal_access_token}@github.com/some/package.git",
  ...
}

Hardcoding credentials is a major no-no when applying version control to package.json which I'd like to be able to do.

What is the best way to do this?

Answer 1

1. Create .env file at the same directory level where package.json resides.
2. Mention PERSONAL_ACCESS_TOKEN=******************************* into .env file
3. Don't forget to add .env into .gitingore list which will prevent exposing key to outside world while you make git commit to your repo.
4. Now you can add your dependency in package.json as below,

"dependencies": {
...
  "my-private-github-repo": "git+https://${ENV.PERSONAL_ACCESS_TOKEN}@github.com/USER/abcd-repo-3.4.0.git",
  ...
}

There are other ways using 'DOTENV' npm package, but it could not do much when we are trying to resolve "Github" package dependency. Above seems to be straight forward solution.