251

Npm sounds like a great platform to use within an organization, curious if a private repo is possible, like with Nexus/Maven. Nothing comes up on Google :(

adam
  • 3,888
  • 2
  • 20
  • 15
  • 1
    Below is quite neat documentation on how to do that: http://clock.co.uk/tech-blogs/how-to-create-a-private-npmjs-repository This is the same as pvorb explained in his answer. – ramesh.mimit Feb 06 '13 at 11:45
  • 2
    Note that the _clock.co.uk_ post is a **complete** duplicate of the npm registry. For a local cache of your required dependencies, the best solution that I've found is [npm_lazy](https://github.com/mixu/npm_lazy). The doc on [my fork](https://github.com/bergerjac/npm_lazy) may be slightly easier to follow. – Jake Berger Oct 15 '13 at 14:54
  • 1
    I know I'm a little late to the discussion, but I would just like to add that we have recently added private npm registry support to our (free) product [ProGet](http://inedo.com/proget) – Karl Harnagy Sep 24 '14 at 18:18
  • 2
    As noted below, Nexus now supports hosted and proxy npm repos. – Zac Thompson Feb 06 '15 at 19:03
  • 13
    Over the years there have become many options available. Anybody coming back to this should read all the answers and not just the one I accepted in 2011. – adam Mar 20 '15 at 19:57
  • I still can't find any registry which would have authorization for even reading it, and 12factorapp support. For example, npm-register has htpasswd files, which I have no idea how to put into Docker Swarm unless you rebuild the container. verdaccio doesn't follow 12factorapp either; everything is done in config, and you also need to rebuild the container. Nexus costs insane money. – holms Jun 20 '18 at 11:50
  • the link in the first comment returns 404 – Ouss Apr 14 '22 at 10:16

15 Answers

217

https://github.com/isaacs/npmjs.org/ : In npm version v1.0.26 you can specify private git repository URLs as a dependency in your package.json files. I have not used it but would love feedback. Here is what you need to do:

    {
        "name": "my-app",
        "dependencies": {
            "private-repo": "git+ssh://git@yourgitserver.com:my-app.git#v0.0.1"
        }
    }

The following post talks about this: Debuggable: Private npm modules

ebdr
  • 2,229
  • 2
  • 12
  • 8
108

I don't think there is an easy way to do this.

A look at the npm documentation tells us that it is possible:

Can I run my own private registry?

Yes!

The easiest way is to replicate the couch database, and use the same (or similar) design doc to implement the APIs.

If you set up continuous replication from the official CouchDB, and then set your internal CouchDB as the registry config, then you'll be able to read any published packages, in addition to your private ones, and by default will only publish internally. If you then want to publish a package for the whole world to see, you can simply override the --registry config for that command.

There's also an excellent tutorial on how to create a private npm repository in the clock blog.

EDIT (2017-02-26):

Not really new, but there are now paid plans to host private packages on npm.

Over the years, npm has become a factor for many non-Node.js companies, too, through the huge frontend ecosystem that's built upon npm. If your company is already running Sonatype Nexus for hosting Java projects internally, you can also use it for hosting internal npm packages.

Other options include JFrog Artifactory and Inedo ProGet, but I haven't used those.

friederbluemle
  • 33,549
  • 14
  • 108
  • 109
pvorb
  • 7,157
  • 7
  • 47
  • 74
93

There is an easy to use npm package to do this. https://www.npmjs.org/package/sinopia

In a nutshell, Sinopia is a private/caching npm repository server that you can set up with zero configuration.

Sinopia can be used to:

  • publish your own private packages without exposing them to the public
  • cache only the public packages that are used (there is no need to replicate the whole public registry)
  • override public packages with a modified version that has been produced internally.
Younes
  • 1,635
  • 1
  • 19
  • 33
TiQP
  • 943
  • 6
  • 4
  • 13
    Sinopia seems to be no longer maintained. Last commit was over 8 months ago as of today (7 March 2016). It looks great and works well but be careful around maintainability. – Ray Booysen Mar 07 '16 at 14:38
  • 48
    Check out **verdaccio**. It's an actively maintained fork of it: https://github.com/verdaccio/verdaccio – Rotareti Sep 01 '16 at 15:35
  • 1
    does verdaccio support a "private-only" configuration, where it will not query any public registry? – MarkusSchaber Mar 13 '17 at 16:53
  • 1
    @MarkusSchaber You can disable the proxy to other registries. It works in offline mode even if the proxy tries to access the network. – Juan Picado Apr 24 '17 at 11:56
  • 1
    I really think Verdaccio deserves its own answer today https://stackoverflow.com/a/50815174/336753 I didn't even notice the comment here first. – kub1x Jun 12 '18 at 10:41
64

Verdaccio is what I was looking for and it deserves its own answer ;) It is an actively maintained fork of Sinopia (highly upvoted answer here). It is an npm registry as an npm package, and can be found

here: https://github.com/verdaccio/verdaccio,
here: https://www.verdaccio.org,
and on port number: 4873

Run using PM2

    npm i -g verdaccio pm2
    pm2 start --name verdaccio `which verdaccio`
    pm2 save

Run using docker

    docker run -it --rm --detach --name verdaccio -p 4873:4873 verdaccio/verdaccio

Run using Helm

    helm repo add verdaccio https://charts.verdaccio.org
    helm repo update
    helm install verdaccio/verdaccio

serv-inc
  • 35,772
  • 9
  • 166
  • 188
kub1x
  • 3,272
  • 37
  • 38
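
A check that installs really go through the private registry, as an added example (not code from the answers above or from Verdaccio): it reads a parsed package-lock.json with lockfileVersion 2 or 3 and reports entries whose resolved URL is neither the private registry nor an allowed git host, which covers both the registry setups and the git+ssh dependency from the first answer. The registry origin http://localhost:4873, the git host yourgitserver.com and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: report lockfile entries that did not come from the private registry.
const PRIVATE_REGISTRY = "http://localhost:4873"; // assumed: Verdaccio on its default port
const ALLOWED_GIT_HOSTS = ["yourgitserver.com"];  // assumed: placeholder host from the page

// Parse a URL without throwing; returns null for anything unparseable.
function parse(url) {
  try { return new URL(url); } catch { return null; }
}

// lock: parsed package-lock.json, lockfileVersion 2 or 3 (has a "packages" map).
function auditLockfile(lock, registry = PRIVATE_REGISTRY, gitHosts = ALLOWED_GIT_HOSTS) {
  const registryOrigin = new URL(registry).origin;
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Skip the root project, local links and bundled dependencies.
    if (path === "" || pkg.link || pkg.inBundle) continue;
    const name = path.split("node_modules/").pop();
    const resolved = pkg.resolved || "";
    if (resolved.startsWith("git+")) {
      // Git dependency: only the host can be checked, there is no registry hash.
      const url = parse(resolved.slice("git+".length));
      if (!url || !gitHosts.includes(url.hostname)) {
        findings.push({ name, issue: "git host not allowed", resolved });
      }
    } else if (parse(resolved)?.origin !== registryOrigin) {
      findings.push({ name, issue: "not served by private registry", resolved });
    } else if (!pkg.integrity) {
      findings.push({ name, issue: "missing integrity hash", resolved });
    }
  }
  return findings;
}

// Constructed sample lockfile (hashes and commit id are made up).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/@org-name/foo": {
      resolved: "http://localhost:4873/@org-name/foo/-/foo-1.2.0.tgz",
      integrity: "sha512-CONSTRUCTED-SAMPLE-VALUE" },
    "node_modules/left-pad": {
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED-SAMPLE-VALUE" },
    "node_modules/private-repo": {
      resolved: "git+ssh://git@yourgitserver.com/my-app.git#0123456789abcdef0123456789abcdef01234567" },
  },
};
console.log(auditLockfile(sampleLock)); // one finding: left-pad
```

Run in CI against `JSON.parse` of the real lockfile and fail the build when the returned array is not empty.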
29

On 14th of April (2015), npm private modules were introduced.

When you pay for private modules, you can:

  • Host as many private packages as you want
  • Give read access or read-write access for those packages to any other paid user
  • Install and use any packages that other paid users have given you read access to
  • Collaborate on any packages that other paid users have given you write access to

Of course it's not free - currently 7$ a month, per user.

And it's still a pretty new service. For example support for organization accounts is missing (as of June 2015):

Currently, private packages are only available for individual users, but support for organization accounts is coming soon. Feel free to create a user for your organization in the meantime, and we can upgrade it to an organization when support is here.

So while not perfect, it's the official npm solution to maintaining private packages, and that itself makes it worth mentioning.

UPDATE

Npm Private Packages are now available, with plans for both individual users and organizations:

  • Unlimited number of public & private packages
  • $7/month/developer
  • Includes one scope name, based on organization name
  • Publish and control access to @org-name/foo

(disclaimer: not even remotely affiliated in any way with npm, Inc.)

Community
  • 1
  • 1
bardzusny
  • 3,788
  • 7
  • 30
  • 30
23

Repository managers with support for private npm registries:

Abel Pastur
  • 1,905
  • 2
  • 24
  • 31
  • 4
    Only the paid versions support npm repositories; the free versions do not. – Boon Aug 06 '15 at 13:20
  • 12
    The free version of Sonatype Nexus 3.0 does, in fact, support npm repos (along with bower and docker repos). – n8n8baby May 03 '16 at 22:31
10

I guess this thread needs an update. If you look at any of the npm registries which are available, they are extremely heavy and they need couchdb. Gemfury and others need you to fork off from public repos. Some of the npm's like shadow-npm have no recent commits.

Then, we found Reggie. It's got good commit activity, is extremely easy to install and use, and has pretty good community support. It's extremely light-weight and you don't have to deal with couchdb, etc.

Pradeep Mahdevu
  • 7,613
  • 2
  • 31
  • 29
9

Forgive me if I don't understand your question well, but here's my answer:

You can create a private npm module and use npm's normal commands to install it. Most node.js users use git as their repository, but you can use whatever repository works for you.

  1. In your project, you'll want the skeleton of an NPM package. Most node modules have git repositories where you can look at how they integrate with NPM (the package.json file, I believe is part of this and NPM's website shows you how to make a npm package)
  2. Use something akin to Make to make and tarball your package to be available from the internet or your network to stage it for npm install downloads.
  3. Once your package is made, then use

    npm install *tarball_url*

EhevuTov
  • 20,205
  • 16
  • 66
  • 71
8

We are using Sonatype Nexus; the version is Nexus Repository Manager OSS 3.6.1-02. And I am sure that it supports NPM private repositories and caches the packages.

Xin Meng
  • 1,982
  • 3
  • 20
  • 32
7

This is the easiest way I know - host it in the cloud with the Gemfury private npm registry.

It's free and you can log in with your Github account. It should save you a lot of time, compared to setting up your own database.

alex urdea
  • 127
  • 1
  • 2
5

A little late to the party, but NodeJS (as of ~Nov 14 I guess) supports corporate NPM repositories - you can find out more on their official site.

From a cursory glance it would appear that npmE allows fall-through mirroring of the NPM repository - that is, it will look up packages in the real NPM repository if it can't find one on your internal one. Seems very useful!

npm Enterprise is an on-premises solution for securely sharing and distributing JavaScript modules within your organization, from the team that maintains npm and the public npm registry. It's designed for teams that need:

  • easy internal sharing of private modules
  • better control of development and deployment workflow
  • stricter security around deploying open-source modules
  • compliance with legal requirements to host code on-premises

npmE is private npm

npmE is an npm registry that works with the same standard npm client you already use, but provides the features needed by larger organizations who are now enthusiastically adopting node. It's built by npm, Inc., the sponsor of the npm open source project and the host of the public npm registry.

Unfortunately, it's not free. You can get a trial, but it is commercial software. This is the not so great bit for solo developers, but if you're a solo developer, you have GitHub :-)

Dan
  • 10,282
  • 2
  • 37
  • 64
3

This post talks about how to set up a private registry

  • Make sure couchdb is installed on your system
  • To replicate npmjs.org, use the following command

    curl -X POST http://127.0.0.1:5984/_replicate -d '{"source":"http://isaacs.iriscouch.com/registry/", "target":"registry", "continuous":true, "create_target":true}' -H "Content-Type: application/json"

Note there is "continuous":true in the command, this utilises CouchDB’s _changes API and will pull any new changes when this API is notified.

If you ever want to stop these replications, you can easily add "cancel":true. Then the script would be

    curl -X POST http://127.0.0.1:5984/_replicate -d '{"source":"http://isaacs.iriscouch.com/registry/", "target":"registry", "continuous":true, "create_target":true, "cancel":true}' -H "Content-Type: application/json"

Then go to the npmjs.org readme to install npm (make sure nodejs and git are installed). Below are all the steps

    git clone git://github.com/isaacs/npmjs.org.git
    cd npmjs.org
    sudo npm install -g couchapp
    npm install couchapp
    npm install semver
    couchapp push registry/app.js http://localhost:5984/registry
    couchapp push www/app.js http://localhost:5984/registry

nickleefly
  • 3,733
  • 1
  • 29
  • 31
  • 1
    The url http://isaacs.iriscouch.com/registry/ is unfortunately dead now. I tried changing it to https://skimdb.npmjs.com/registry/ , which seems to work at first, but it is replicating only the registry index and not the tarballs ... – fuzzyTew Apr 16 '18 at 02:59
  • The [couchapp](https://github.com/npm/npm-registry-couchapp) readme states that couchapp is now kinda deprecated, but it also says the current way to mirror the entire registry is to use [npm-fullfat-registry](https://www.npmjs.com/package/npm-fullfat-registry) – fuzzyTew Apr 16 '18 at 03:07
  • I ended up using [static-registry](https://www.npmjs.com/package/registry-static) for this, which unlike the couchdb solutions requires no configuration at all. – fuzzyTew Apr 16 '18 at 04:47
2

I might be a little late to the party but either of these two might work for you:

  1. http://www.jfrog.com/confluence/display/RTF/Npm+Repositories
  2. https://github.com/krakenjs/kappa
Prabhat
  • 4,066
  • 4
  • 34
  • 41
0

You can also use Aragon Package Manager if you prefer a decentralized approach:

  1. Using APM: http://blog.aragon.one/using-apm-to-replace-npm-and-other-centralized-package-managers/
  2. Deploying APM: https://github.com/aragon/aragonOS#apm
countTheRow
  • 141
  • 8
0

I would like to add to the list the AWS Code Artifact service, looks like a nice approach if your organization is also using AWS git repos.

https://aws.amazon.com/blogs/devops/publishing-private-npm-packages-aws-codeartifact/

cesarpachon
  • 1,179
  • 2
  • 10
  • 23