jsr-io / jsr

The open-source package registry for modern JavaScript and TypeScript
https://jsr.io
MIT License
2.15k stars, 96 forks

Self hosting / private packages #203

Open piranna opened 4 months ago

piranna commented 4 months ago

Is there any way to publish private packages, and to do it with GitHub Actions linked to private GitHub repositories?

lucacasonato commented 3 months ago

No, JSR does not support private packages. We are planning to handle private package use cases by letting organizations self-host JSR. This is however not yet available.

soundstep commented 3 months ago

I found JSR to be attractive, but not being able to self-host a private registry would be a blocker for us. Or a cheap way to have private packages could be considered. We currently use Artifactory, for example. Side note: not being able to set upstream registries would also be a blocker; some companies give us access to their codebase via access to their own NPM registries. Upstreams are great for providing other sources without the need to migrate and disturb the current workflow.

silverwind commented 3 months ago

Also looking forward to trying this as a private proxy-registry in place of verdaccio because of verdaccio's bad performance. Hosting of @scopes would be a requirement, along with being able to proxy all other requests to another registry.

soundstep commented 3 months ago

We are also using Verdaccio for testing and enabling some pre-merge CI runs. Being able to run a local version of JSR, maybe even with Verdaccio behind the scenes, would be great.

On Thu, 21 Mar 2024 at 17:26, silverwind wrote:

> Also looking forward to trying this as a private proxy-registry in place of verdaccio (https://github.com/verdaccio/verdaccio) because of verdaccio's bad performance. Hosting of defined @scopes would be a requirement, along with being able to proxy all other requests to another registry.


-- www.soundstep.com

shinebayar-g commented 3 months ago

If JSR can somehow support a git URL as a dependency, that would solve private registry for a lot of folks. With SSH authentication to the git repository, it becomes dead simple to use. However, npm doesn't support installing packages from a subdirectory of the git repository. But yarn does!

silverwind commented 3 months ago

> If JSR can somehow support a git URL as a dependency, that would solve private registry for a lot of folks. With SSH authentication to the git repository, it becomes dead simple to use. However, npm doesn't support installing packages from a subdirectory of the git repository. But yarn does!

Git dependencies are wrong on many levels imho:

The prime benefit of a registry is that the content is immutable and it can be traced back to the source via provenance. So I would recommend to not support volatile and insecure git dependencies at all.

Also, the request you have is not relevant to JSR as a registry at all; this is something only between your client (npm) and said git repository.

shinebayar-g commented 2 months ago

Deno literally downloads from a URL / git repository.

> Also, the request you have is not relevant to JSR as a registry at all; this is something only between your client (npm) and said git repository.

https://www.npmjs.com/package/jsr is a CLI (client) that interacts with a website called https://jsr.io/; it just happens to be embedded in an npm package. Maybe my comment should belong to https://github.com/jsr-io/jsr-npm/issues

ericlery commented 1 month ago

> We are planning to handle private package use cases by letting organizations self-host JSR.

Nice, some ask for self-hosting documentation and more simplicity #150