NPM - Private packages

When Aikido updates dependencies in repositories that use private packages, it needs access to those packages to correctly update your lockfiles. You can configure Aikido to authenticate with your private NPM registry to run these updates.

Prerequisites

NPM

For repositories using NPM or PNPM, access to private packages is managed through an .npmrc file. The package manager uses the .npmrc file to know which registry to use and how to authenticate.

You can either:

  • include an .npmrc file in your repository that references an environment variable for the token rather than a literal value, so no secret is committed to source control.

  • provide the .npmrc configuration directly in the Aikido interface, here.

If your private package names look like @pied-piper/*** and the packages are hosted on GitHub's npm registry (GitHub Packages), your file should look something like this:

@pied-piper:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=<YOUR_GITHUB_TOKEN>

If an .npmrc file is set in Aikido, we write it before updating the dependencies. Any .npmrc file already present in the repository is overwritten by the one set in Aikido, so the Aikido copy must contain everything the update needs.

You can find more info about .npmrc from NPM here.
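As an added example (not Aikido's or npm's own code), the following Node.js script reads an .npmrc in the format shown above and checks the two things that most often go wrong with private-registry setup: a scope whose registry has no matching auth line, and an auth line that carries a literal token where a file committed to the repository should reference an environment variable. The script assumes npm's convention of matching an auth line to a registry by the URL with its protocol stripped and a trailing slash added; the @acme and @orphan entries in the sample input are constructed for the demo.

```javascript
// Added example (not Aikido's or npm's code): audit an .npmrc for private-registry setup.
// For every "@scope:registry=<url>" line it looks up the matching
// "//<host>/<path>:_authToken=<token>" line (npm matches them on the URL
// without its protocol, with a trailing slash) and reports:
//   no-credential  - the scope's registry has no auth line at all
//   literal-secret - the auth line holds a literal token instead of a ${ENV_VAR}
//                    reference, which is what to avoid in a committed .npmrc

// Constructed sample input; @acme and @orphan are invented for the demo.
const SAMPLE_NPMRC = `
# registry configuration (constructed sample)
@pied-piper:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=\${GITHUB_TOKEN}
@acme:registry=https://registry.acme.example/
//registry.acme.example/:_authToken=npm_0123456789abcdefLITERAL
@orphan:registry=https://npm.other.example
`;

// Turn a registry URL into the key npm uses for auth lookups ("nerf dart"):
// "https://npm.pkg.github.com" -> "//npm.pkg.github.com/"
function nerfDart(registryUrl) {
  const u = new URL(registryUrl);
  const path = u.pathname.endsWith('/') ? u.pathname : `${u.pathname}/`;
  return `//${u.host}${path}`;
}

// Auth keys as written by hand may omit the trailing slash; normalize so they compare equal.
function normalizeAuthKey(key) {
  return key.endsWith('/') ? key : `${key}/`;
}

// Parse the scope -> registry mapping and the per-registry credential lines.
function parseNpmrc(text) {
  const scopes = new Map(); // "@scope" -> registry URL
  const auth = new Map();   // "//host/path/" -> { kind, value }
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    const scope = key.match(/^(@[^:]+):registry$/);
    if (scope) { scopes.set(scope[1], value); continue; }
    const cred = key.match(/^(\/\/.+):(_authToken|_auth|_password)$/);
    if (cred) auth.set(normalizeAuthKey(cred[1]), { kind: cred[2], value });
  }
  return { scopes, auth };
}

// True when the value is an npm-style environment reference such as ${GITHUB_TOKEN}.
function isEnvReference(value) {
  return /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value);
}

// Return one finding per misconfigured scope; an empty array means the file is clean.
function auditNpmrc(text) {
  const { scopes, auth } = parseNpmrc(text);
  const findings = [];
  for (const [scope, registry] of scopes) {
    const cred = auth.get(nerfDart(registry));
    if (!cred) {
      findings.push({ scope, registry, issue: 'no-credential' });
    } else if (!isEnvReference(cred.value)) {
      findings.push({ scope, registry, issue: 'literal-secret' });
    }
  }
  return findings;
}

// Standalone run: print the findings for the constructed sample.
for (const f of auditNpmrc(SAMPLE_NPMRC)) {
  console.log(`${f.issue}: ${f.scope} -> ${f.registry}`);
}
```

Run it with node against the sample and it reports @acme as literal-secret and @orphan as no-credential, while @pied-piper passes. The literal-secret check only makes sense for an .npmrc that lives in the repository; the copy you paste into Aikido is expected to hold the real token, which Aikido stores encrypted.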

YARN

If you’re using Yarn v1, use the .npmrc option in Aikido, here. For Yarn v2 and newer, use the .yarnrc.yml file to configure private package access.

Configuring .yarnrc.yml

Private package access is defined in a .yarnrc.yml file in your project. This file declares npmScopes for your private packages and specifies which registry they use.

If a .yarnrc.yml file is set in Aikido, we write it next to your yarn.lock file before updating the dependencies. Any .yarnrc.yml file already present in the repository is overwritten by the one set in Aikido, so the Aikido copy must contain everything the update needs.

Example .yarnrc.yml

npmScopes:
  aikido-internal-tests:
    npmAuthToken: "<YOUR_GITHUB_TOKEN>"
    npmRegistryServer: "https://npm.pkg.github.com"

If you keep a .yarnrc.yml in the repository instead, do not put the literal token in it: Yarn v2+ expands ${NAME} references in .yarnrc.yml, so point npmAuthToken at an environment variable and keep the secret out of source control. You can find more information in the Yarn documentation here.

BUN

Bun can use either .npmrc or bunfig.toml. See the NPM section above for more information about .npmrc.

Configuring bunfig.toml

Private package access is defined in a bunfig.toml file in your project. See the Bun documentation here.

If a bunfig.toml file is set in Aikido, we write it next to your bun.lock file before updating the dependencies. Any bunfig.toml file already present in the repository is overwritten by the one set in Aikido, so the Aikido copy must contain everything the update needs.
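As an added example (not from Aikido or the Bun project), here is a bunfig.toml that grants the same access as the .npmrc shown in the NPM section, using the [install.scopes] table that Bun's documentation describes. The scope name and registry URL are taken from the page's .npmrc example; the GITHUB_TOKEN variable name is an assumption, and Bun's docs write the scope without the leading @.

```toml
# Added example, not Aikido's or Bun's own file.
# Maps the pied-piper scope to GitHub Packages and reads the token from the
# GITHUB_TOKEN environment variable (Bun expands "$NAME" in bunfig.toml), so a
# copy committed to the repository carries no secret. In the copy you paste into
# Aikido the literal token can be used instead, since Aikido stores it encrypted.
[install.scopes]
pied-piper = { token = "$GITHUB_TOKEN", url = "https://npm.pkg.github.com" }
```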

Configuration in Aikido

To allow repositories using private packages to be updated, provide your private registry configuration in the Aikido UI. Aikido stores the credentials encrypted and credentials cannot be retrieved through the Aikido UI or API.

  1. Go to Autofix > Settings in Aikido, here.

  2. Click on "Connect Registry", and the selection modal will be shown.

  3. Select NPM or Yarn to input your .npmrc or .yarnrc.yml file. (Note that for Yarn v1, you will need to select NPM.)

  4. Fill in the contents of the .npmrc file. The example shows a configuration for a scoped package (@pied-piper) hosted on GitHub Packages.

  5. Click "Connect Registry" to save the configuration.
