GitHub Registry - Private packages
When letting Aikido update your dependencies in repositories with private packages, Aikido needs access to the private packages so that it can properly update your lockfiles. You can now provide private package configuration in Aikido for this.
For now, this is only supported for JavaScript dependencies.
Prerequisites
NPM
For the NPM and PNPM package managers, your repository must include an .npmrc file at the root of the repository with configuration that tells npm which packages to download from your private registry.
If your private package names look like @pied-piper/*** and are hosted on GitHub's npm registry, your file should contain a line like this:
@pied-piper:registry=https://npm.pkg.github.com
Aikido can then inject the token when it is updating the dependencies. You can find more info about it from NPM here.
YARN
We currently only support Yarn 3 and later when updating dependencies in projects with private packages. This means that your repository must include a .yarnrc.yml configuration file containing the basic configuration needed to download the private packages.
If your private package names look like @pied-piper/*** and are hosted on GitHub's npm registry, your .yarnrc.yml file should already contain the following snippet:
npmScopes:
  pied-piper:
    npmRegistryServer: "https://npm.pkg.github.com"
Aikido can then inject the token when it is updating the dependencies. You can find more information from Yarn here.
Configuration in Aikido
1. With an .npmrc config file in the repository
Once the prerequisites are fulfilled, you can configure Aikido to authenticate with your private registry when updating the dependencies by following the steps below:
Go to your account's settings page for the autofixer in Aikido, here.
Click on "Manage private registry connection", and the configuration modal will now be shown.
First, fill in the host. For example, if you are using GitHub's npm registry, the host is:
npm.pkg.github.com
without the URL scheme.
Fill in the token used to authenticate. For GitHub's npm registry, you will need to create a Personal Access Token and enter that. Aikido stores tokens encrypted and only decrypts them just before they are used. Find more information about GitHub's registry here.
Click "Save" to save the configuration.
2. Without an .npmrc config file in the repo
Sometimes there are multiple private scopes or even multiple registries connected to your repository, or a .gitignore rule keeps the .npmrc file out of the repository. In that case, you can instead provide the full .npmrc contents as configuration.
Go to your account's settings page for the autofixer in Aikido, here.
Click on "Manage private registry connection", and the configuration modal will now be shown.
Fill in the contents of the .npmrc file. The example shows a configuration for @aikidoSecurity packages hosted on GitHub packages.
Click "Save" to save the configuration.
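As an added example (not from the Aikido page or the product itself), here is a full .npmrc of the kind described in this section, covering two private scopes on two different registries. The @acme-internal scope and the npm.example.internal host are hypothetical; the environment-variable form for the token is a standard npm feature, assumed here so that no credential is committed to the repository.

```ini
# .npmrc (constructed example): two private scopes routed to two registries.
# Scope lines only say WHERE to fetch packages from.
@pied-piper:registry=https://npm.pkg.github.com
@acme-internal:registry=https://npm.example.internal/

# Credentials are keyed by registry host (leading //), not by scope.
# npm expands ${VAR} from the environment at run time, so the token itself
# never appears in the file and the file stays safe to commit.
//npm.pkg.github.com/:_authToken=${GITHUB_PACKAGES_TOKEN}
//npm.example.internal/:_authToken=${ACME_NPM_TOKEN}

# Unscoped packages still come from the public registry.
registry=https://registry.npmjs.org/
```

If a referenced variable is unset in the environment where npm runs, npm fails with a "Failed to replace env in config" error rather than sending an empty token, so a missing credential shows up as a hard failure instead of a silent fallback to the public registry.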