Currently we have a two-step dependency installation process:
Download assets / tarballs from a private repository using the preinstall hook (currently only GitHub is supported)
Install tarball using a file:...tgz dependency
We download the tarballs to a local directory <project-root>/.npm-private, which has several caveats:
[trn] this does not seem to work when transitive dependencies themselves download private dependencies
[dup] each project downloads duplicate versions of private dependencies to their local .npm-private folder
[ver] no support for npm version schemes like ^1.2.3
[trn] and [dup] could be solved by downloading & referencing tarball dependencies using a central location ~/.npm-private instead of <project-root>/.npm-private.
[ver] could be solved by breaking up multi repos to separate npm packages and using the standard npm git support:
We use the local user's .gitconfig in order to tell git to use https:// with credentials instead of ssh:// (the password may be a GitHub access token).
That way we can use ssh:// urls in our package.json without exposing user credentials (see Git URLs as Dependencies):
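The .gitconfig rewrite described above, as an added example that is not the issue's own snippet: it builds the url.<base>.insteadOf section, parses it back and applies it to a package.json git dependency the way git does. The user name "ci-bot", the token value and the acme/private-lib repository are constructed placeholders.

```javascript
// Added illustration, not code from the original issue: how git's
// url.<base>.insteadOf rewriting turns the ssh:// URLs in package.json into
// https:// URLs that carry credentials. Assumptions: the .gitconfig text is
// constructed here, and "ci-bot" / the token value are placeholders.

// Build the ~/.gitconfig content. git reads it in plaintext, so the file must
// stay user-readable only (chmod 600); the token never appears in package.json.
function buildGitconfig(user, token) {
  return [
    `[url "https://${user}:${token}@github.com/"]`,
    '\tinsteadOf = ssh://git@github.com/',
    '\tinsteadOf = git@github.com:',
  ].join('\n');
}

// Minimal parser for [url "<base>"] sections: one { base, insteadOf } rule
// per insteadOf line. Other sections are skipped.
function parseInsteadOf(configText) {
  const rules = [];
  let base = null;
  for (const raw of configText.split('\n')) {
    const line = raw.trim();
    const section = line.match(/^\[url "([^"]+)"\]$/);
    if (section) { base = section[1]; continue; }
    if (line.startsWith('[')) { base = null; continue; }
    const kv = line.match(/^insteadOf\s*=\s*(\S+)$/);
    if (base && kv) rules.push({ base, insteadOf: kv[1] });
  }
  return rules;
}

// Apply the rules as git does: the longest matching insteadOf prefix wins,
// and a URL matching no rule is left untouched.
function rewriteUrl(url, rules) {
  let best = null;
  for (const r of rules) {
    if (url.startsWith(r.insteadOf) && (!best || r.insteadOf.length > best.insteadOf.length)) {
      best = r;
    }
  }
  return best ? best.base + url.slice(best.insteadOf.length) : url;
}

// npm dependency specs look like git+ssh://host/org/repo.git#semver:^1.2.3.
// git only sees the bare URL, so strip the "git+" prefix and the "#..." ref.
function resolveDependency(spec, rules) {
  const m = spec.match(/^(?:git\+)?([^#]+)(?:#(.*))?$/);
  return { gitUrl: rewriteUrl(m[1], rules), ref: m[2] || null };
}
```

Because the rewrite happens inside git, npm's own package.json and lockfile only ever see the ssh:// form.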
Another solution: we skip the .gitconfig part and use GitHub with SSH instead.