NPM - Private packages

When Aikido updates dependencies in repositories that use private packages, it needs access to those packages to correctly update your lockfiles. You can configure Aikido to authenticate with your private registry to run these updates.

Prerequisites

NPM

For repositories using NPM or PNPM, access to private packages is managed through an .npmrc file. The package manager uses the .npmrc file to know which registry to use and how to authenticate.

You can either:

  • include an .npmrc file in your repository, referencing an environment variable for the token.

  • provide the .npmrc configuration directly in the Aikido interface, here.

If your private packages are scoped like @pied-piper/*** and hosted on GitHub's npm registry (GitHub Packages), your .npmrc should look like this:

@pied-piper:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=<YOUR_GITHUB_TOKEN>

If a .npmrc file is set in Aikido, we will write the .npmrc file before updating the dependencies. If an .npmrc file is present in the repository, it will be overwritten by the .npmrc file set in Aikido.

You can find more info about .npmrc from NPM here.

YARN

If you’re using Yarn v1, use the .npmrc option in Aikido, here. For Yarn v2 and newer, use the .yarnrc.yml file to configure private package access.

Configuring .yarnrc.yml

Private package access is defined in a .yarnrc.yml file in your project. This file declares npmScopes for your private packages and specifies which registry they use.

If a .yarnrc.yml file is set in Aikido, we write the .yarnrc.yml file next to your yarn.lock file before updating the dependencies. If a .yarnrc.yml file is present in the repository, it will be overwritten by the .yarnrc.yml file set in Aikido.

Example .yarnrc.yml

npmScopes:
  aikido-internal-tests:
    npmAuthToken: "<YOUR_GITHUB_TOKEN>"
    npmRegistryServer: "https://npm.pkg.github.com"

You can find more information in the Yarn documentation here.
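Both the .npmrc and the .yarnrc.yml examples above show the token inline; in a file that is committed to the repository the token should only ever appear as an environment-variable reference (as the first option under Prerequisites says), with the literal value kept in Aikido's private registry settings instead. The following is an added example, not Aikido's code, that scans both file formats for literal auth tokens before they reach a commit; the sample files and the ghp_ placeholder value are constructed for this example.

```python
import re
from typing import List

# Constructed sample .npmrc in the shape of the page's GitHub Packages example.
# Line 2 references an environment variable (fine to commit); line 4 is a literal token.
SAMPLE_NPMRC = """\
@pied-piper:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
@internal-tools:registry=https://npm.example.internal
//npm.example.internal/:_authToken=ghp_constructedLiteralTokenDoNotCommit
"""

# Constructed sample .yarnrc.yml mirroring the page's npmScopes example.
SAMPLE_YARNRC = """\
npmScopes:
  aikido-internal-tests:
    npmAuthToken: "${GITHUB_TOKEN}"
    npmRegistryServer: "https://npm.pkg.github.com"
  pied-piper:
    npmAuthToken: "ghp_constructedLiteralTokenDoNotCommit"
    npmRegistryServer: "https://npm.pkg.github.com"
"""

# ${VAR} as npm expands it at read time, plus Yarn's ${VAR:-default} form.
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*(?::-[^}]*)?\}$")
# .npmrc line:      //<registry host>/:_authToken=<value>
NPMRC_TOKEN = re.compile(r"^//[^\s:]+/?:_authToken=(?P<value>.+)$")
# .yarnrc.yml line: npmAuthToken: "<value>"   (line-based scan, not a full YAML parser)
YARNRC_TOKEN = re.compile(r'^npmAuthToken:\s*"?(?P<value>[^"\s]+)"?$')

def literal_token_lines(text: str, pattern: re.Pattern) -> List[int]:
    """1-based line numbers whose auth token is a literal rather than an env-var reference."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # skip blanks and ini/YAML comments
            continue
        m = pattern.match(line)
        if m and not ENV_REF.match(m.group("value").strip()):
            hits.append(lineno)
    return hits

def check_npmrc(text: str) -> List[int]:
    return literal_token_lines(text, NPMRC_TOKEN)

def check_yarnrc(text: str) -> List[int]:
    return literal_token_lines(text, YARNRC_TOKEN)

if __name__ == "__main__":
    print("npmrc literal tokens on lines:", check_npmrc(SAMPLE_NPMRC) or "none")
    print("yarnrc literal tokens on lines:", check_yarnrc(SAMPLE_YARNRC) or "none")
```

Run it as a pre-commit hook over the repository's .npmrc and .yarnrc.yml and fail the commit when either check returns a non-empty list.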

Configuration in Aikido

To allow repositories using private packages to be updated, provide your private registry configuration in the Aikido UI. Aikido stores the credentials encrypted; they cannot be retrieved through the Aikido UI or API.

  1. Go to Autofix > Settings in Aikido, here.

  2. Click "Manage Private Registry Connection" to open the configuration modal.

     [Screenshot: Configure access to a private package registry using .npmrc settings.]

  3. Fill in the contents of the .npmrc file. The example shows a configuration for multiple scoped packages (@aikidoSecurity, @pied-piper, and @internal-tools) hosted on GitHub Packages.

  4. Click "Apply Changes" to save the configuration.
