0

I am using a private npm registry (AWS CodeArtifact). To make configuration easier for devs, I have created an .npmrc file in the project directory that contains private (scoped) registry url.

I added a command to the package.json file upgrade that will:

  1. get auth token using aws cli
  2. store auth token in the local .npmrc file using:
        "pc:login": "FOR /F %T IN ('aws codeartifact get-authorization-token --domain my-org  --domain-owner 55555555555 --region us-east-2 --query authorizationToken --output text --duration-seconds 900') do (npm config set //my-org-5555555555555.d.codeartifact.us-east-2.amazonaws.com/npm/my-org/:_authToken %T --userconfig .npmrc)",
        "pc:upgrade": "yarn run pc:login && yarn upgrade @my-org/my-package"

so all a dev have to do is run yarn pc:upgrade.

However, the auth token is stored in the local .npmrc, so there is a chance of having the token checked in (the lowest expiration allowed by AWS is 15 minutes) and I would like to avoid that.

Options I have considered:

  1. add && npm config delete //my-org-55555....:authToken to the end of pc:upgrade to remove the token. This is unreliable, in case operation is terminated early.
  2. add .npmrc file to .gitignore so it is never checked in. However, this will require registry url setting to be stored somewhere else (I could put it in user config, but that would require extra configuration).

If it would be possible to have two .npmrc files in a project directory - I could have one git-tracked with registry url, and have another one "private" and git-ignored.

THX-1138
  • 21,316
  • 26
  • 96
  • 160

1 Answers1

0

The solution is to store authToken in user's npmrc. This allows me to store the registry URL in the project-local, shared, .npmrc file, while auth token would be kept local to the user's box.

The fix is to replace --userconfig .npmrc to --local in my pc:login script.

THX-1138
  • 21,316
  • 26
  • 96
  • 160