[FEATURE] Could support for other repositories or external private repos (via packages.json) be added to package dependencies? #931

Closed
cxtal opened this issue Feb 22, 2020 · 5 comments
Labels
Enhancement new feature or improvement

Comments

@cxtal

cxtal commented Feb 22, 2020

I have the following scenario:

  • I am running a private npm repo holding various packages that are not published publicly since some of them are not important, with no production values, test or attempts and thusly have no general reason to be on a public repo,
  • the packages on the private repo are developed using Subversion (SVN) as a version control system.
  • I have other people (customers) that need to run npm install when installing other software that includes only some packages from my private repo as dependencies.

The general consensus and documentation in this configuration hints to the following solutions:

  • tell customers to edit npmrc and add my private repo as a source repo but customers would then have to use my repo as a proxy repo (?) to install other packages, never mind that doing so would mean adding the private repo to the user profile which may be unwanted in general,
  • run a git repo because npm already supports installing packages from git directly including packages.json support but I do not want to use git for some projects.
  • tell customers to just add the package manually but that complicates the setup process considerably,
  • use various extensions written such as npm-svn-crutch [1] or npm-svn [2] but unfortunately those packages only support svn:// URLs such that it would require running svnserve and would thereby add another level of complexity - let alone being, as the name implies, "a crutch",
  • use a tarball [3] but this does seem like excessive effort; also, placing the "URL to the tarball in place of a version" in package.json sounds like a design abstraction aberration or type violation (is the value in package.json supposed to be a URL or a version?).

We are going with the last option, tarball via CI, but there has got to be some other better way. For example, composer [4] for PHP seamlessly seems to support multiple VCS types for dependencies [5,6] so could something similar be added to npm?

Not sure why npm is so exclusively tied to git. SVN aside, how about, say bazaar, mercurial or others maybe? For instance, some of the private repos contain resources (let's say, graphics) that are worked on by third parties such that the complexity of git is not needed albeit distracting.

[1] https://github.com/jtrussell/svn-npm-crutch - Allow node modules to be installed from svn repos.
[2] https://github.com/emolchanov/npm-svn - Allow to install node modules from svn repos.
[3] https://docs.npmjs.com/files/package.json#urls-as-dependencies - You may specify a tarball URL in place of a version range.
[4] https://getcomposer.org/ - composer for PHP
[5] https://getcomposer.org/doc/articles/handling-private-packages-with-satis.md - handling private packages
[6] https://getcomposer.org/doc/05-repositories.md#types - repository types

@ljharb
Contributor

ljharb commented Feb 22, 2020

Typically you'd publish all your private packages under a scope, and you'd tell them to add a registry for that scope to npmrc.

@cxtal
Author

cxtal commented Feb 23, 2020

> Typically you'd publish all your private packages under a scope, and you'd tell them to add a registry for that scope to npmrc.

Thank you - I did not know about scopes. Too bad it requires an extra step. Would be cool if that could automatically be set up with a single npm command line call.

Otherwise, I can foresee customers even now claiming that they have searched for npmrc, but they did not find it, so they ended up formatting the hard-drive and eating a full tub of toothpaste due to ... me.

@ljharb
Contributor

ljharb commented Feb 23, 2020

It can; you can craft an npm config command that will do it for them.

@darcyclarke darcyclarke added the Enhancement new feature or improvement label Oct 30, 2020
@Bartman250

Bartman250 commented Nov 13, 2020

I have a requirement where I need to pull NPM packages from multiple private repos. In this case both repos were in GitLab NPM repos owned by different organisations.

I raised the issue initially with gitlab here:
https://gitlab.com/gitlab-org/gitlab/-/issues/259641#note_426545614

So I tried to configure the .npmrc like this:

@project-1:registry=https://gitlab.com/api/v4/packages/npm/
//gitlab.com/api/v4/packages/npm/:_authToken=TOKEN1

@project-1:registry=https://gitlab.com/api/v4/packages/npm/
//gitlab.com/api/v4/packages/npm/:_authToken=TOKEN2

In this case, the Tokens are project level tokens with read repository only permissions.
Depending on the order that you put these projects in, it will download the first one, but not the second.
I assume that the token is stored and not replaced for the second call.

If you need any more information let me know - happy to help.

(for the moment I've reverted to downloading and unpacking the tars manually - which is pretty ugly, and no doubt my CTO will come after me at some point and scream 'tech debt' at me and make me watch the phantom menace 10 times with the Darth Maul fight missing).
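npm keys a registry credential by registry URL rather than by scope, so the two `_authToken` lines in the configuration above are one key written twice and only one token can be in effect. The check below is an added example, not part of the thread or of npm itself: it reports any `.npmrc` key given two different values without echoing the values. The per-project endpoint form, the scope `@project-2` and the project IDs 1111 and 2222 in the second sample are assumptions and placeholders.

```javascript
// Added example: find .npmrc keys assigned more than once with different values.
// Values are never returned, so tokens do not end up in lint output.
function parseNpmrc(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) return; // comments
    const eq = line.indexOf('=');
    if (eq < 1) return; // not a key=value line
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim(), line: i + 1 });
  });
  return entries;
}

function findConflicts(text) {
  const byKey = new Map();
  for (const e of parseNpmrc(text)) {
    if (!byKey.has(e.key)) byKey.set(e.key, []);
    byKey.get(e.key).push(e);
  }
  const conflicts = [];
  for (const [key, list] of byKey) {
    if (new Set(list.map((e) => e.value)).size < 2) continue; // same value repeated: harmless
    conflicts.push({
      key,
      lines: list.map((e) => e.line),
      credential: /:_(authToken|auth|password)$/.test(key), // key holds a secret
    });
  }
  return conflicts;
}

// Constructed sample: the layout from the comment above, placeholder tokens.
const SHARED_ENDPOINT = [
  '@project-1:registry=https://gitlab.com/api/v4/packages/npm/',
  '//gitlab.com/api/v4/packages/npm/:_authToken=TOKEN1',
  '@project-1:registry=https://gitlab.com/api/v4/packages/npm/',
  '//gitlab.com/api/v4/packages/npm/:_authToken=TOKEN2',
].join('\n');

// Constructed sample: one endpoint, and so one credential key, per project (IDs are placeholders).
const PER_PROJECT = [
  '@project-1:registry=https://gitlab.com/api/v4/projects/1111/packages/npm/',
  '//gitlab.com/api/v4/projects/1111/packages/npm/:_authToken=TOKEN1',
  '@project-2:registry=https://gitlab.com/api/v4/projects/2222/packages/npm/',
  '//gitlab.com/api/v4/projects/2222/packages/npm/:_authToken=TOKEN2',
].join('\n');
console.log(findConflicts(SHARED_ENDPOINT), findConflicts(PER_PROJECT));
```

Run against a real `.npmrc` in CI, a reported conflict with `credential: true` means one of the tokens is silently unused.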

@darcyclarke
Contributor

npm v6 is no longer in active development; We will continue to push security releases to v6 at our team's discretion as-per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo

Closing: This is an automated message.
