How can I shim access to a private repository with scoped npm packages on a machine that can't access it?

Question

Let's say I have a private, scoped NPM repository that lives behind a corporate firewall. I'd like to set my project up on another computer that will not connect to the VPN, so it will not be able to access that private repo.

How can I set up my project to easily import those dependencies from local folders and/or my local npm cache and skip the private repo?

That is, if my package.json file has...

"dependencies": {
   "@privateRepo/some-library-framework": "4.2.1"
}

... and I can't get to the server, but I can get the files that are needed and would've been installed from another node_modules folder that lives on a machine that can access the repo.

I tried taking the files from the packages in @privateRepo and using npm cache add D:\path\to\lib\with\packageDotJsonInside for each of them, but still got...

Not Found - GET https://registry.npmjs.org/@privateRepo%2some-library-framework - Not found

... when I tried to npm i the rest.

I think that means that I need to set something up in .npmrc like is described here...

registry=https://registry.npmjs.org/
@test-scope:registry=http://nexus:8081/nexus/content/repositories/npm-test/
//nexus:8081/nexus/content/repositories/npm-test/:username=admin
//nexus:8081/nexus/content/repositories/npm-test/:_password=YWRtaW4xMjM=
email=…

... where you'd normally set up auth, but where you're also setting up the URL to a scoped package. I think I want to set up @privateRepo:registry=http://localhost/something/something here.

But I think that also implies I would at least need to create a local webserver (or npm repo?) to answer requests (and then maybe I'm looking for something like verdaccio?).

So, simplest case, is there a way to force the app to use the cached version or is there more I need to shim? If not, what's the easiest way to create a local repo to serve those packages in the place of the private repo?

Answer 1

Seeing nothing better, the easiest answer does seems to be setting up a local npm repo. You can then set up your .npmrc to point to localhost for the scoped private registry instead of the "real" version behind a VPN.

And as it turns out, Verdaccio actually does exactly this -- you could also use it to host a "real" private repo, including behind your firewall, but installing on your dev box will allow you to provide your npm packages to any new codebase locally.

---

This is described in some detail by this video that's linked on Verdaccio's docs site. Here's the quick version:

• Install verdaccio: npm install --global verdaccio
• Run verdaccio: verdaccio
  • You can then check out its interface at http://localhost:4873/ (or elsewhere if you changed defaults)
• Create a user: npm adduser --registry http://localhost:4873
• Login: npm login --registry http://localhost:4873
  • You can now log in as that user on the web UI too, if you want.
• Navigate to your packages' files. Navigate into the folder that's package specific.
  • That is, if you pull all of your packages from another project's node_modules, you need to go into each folder where the individual package's package.json file lives to publish it.
• Publish the package: npm publish --registry http://localhost:4873
  • You can double-check that it "took" by refreshing the web UI.
• Repeat for each additional package.

That's it! You now have an npm repo for the packages you can use to remove the VPN requirement for running npm i. Just schlep the new versions of the packages over to your local npm and publish them as appropriate.

You will need to set up a scoped entry for this registry in your .npmrc, but you were already doing that for your repo behind the firewall, so no big deal, right?

Ready to move the check for a better answer, but this seems like it oughta work.