Using Private Registry NPM Packages in Cloud Builds

npm-pack, who knew?

Chad Spencer
Feb 8, 2022

If you work within a large organization you’re probably familiar with publishing NPM packages to a private registry that your company keeps tight reins on. In most cases, this causes little to no friction in the development cycle because more than likely your pipeline builds all run within the same walls and your builds have access to the packages they need during build time.

However, it’s likely that at some point you’ll run into the need to have builds run on an external cloud service where access to these private NPM packages becomes challenging. Now sure, we could plead with the AppSec team to allow the cloud instance to have outside access but they’re a very troubled and paranoid group that intentionally likes to make our lives harder. All in the name of “security”, am I right? I kid, I kid. But we’ll show them, npm-pack will save the day.

The fine folks at NPM have built in a pretty handy little command that will fetch any NPM package and download it locally as a tarball file. It’s as easy as running:

npm pack @scope/pkg

There are a few other optional flags that you can use to set your storage location, etc. Check out the docs for this command at https://docs.npmjs.com/cli/v7/commands/npm-pack.

Now you may be wondering, that’s great that I have these silly tarball files but now I have to unpack them and move them somewhere? How am I going to even import them? This is garbage, don’t you care about the developer experience?

As it turns out, dependencies managed within our package.json can reference these local files instead of specifying a registry version. So "@scope/pkg": "1.0.0" becomes "@scope/pkg": "file:path/to/file". The documentation for this is at https://docs.npmjs.com/cli/v7/configuring-npm/package-json#local-paths.

That’s it. From here your package can be referenced and used like any other package installed in the node_modules folder. To update the version you’ll run another npm-pack and reference it accordingly. You’ll also need to be sure to check these files into your repo so they’re there when the build needs them.
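Because the tarballs now live in the repo rather than coming from the registry, a pre-build check can confirm that every `file:` dependency is actually checked in and still matches what was installed. The script below is an added example, not code from the original post; it assumes a package-lock.json with lockfileVersion 2 or later that records an `integrity` value for each tarball, and the `vendor/` path, file names and sample project are constructed for illustration.

```javascript
const crypto = require("crypto");
const fs = require("fs");
const os = require("os");
const path = require("path");

// SRI string in the form npm writes to package-lock.json ("sha512-<base64>").
function sri(buf) {
  return "sha512-" + crypto.createHash("sha512").update(buf).digest("base64");
}

// Returns a list of problems; an empty list means every file: tarball is
// present in the repo and matches the integrity pinned in the lockfile.
// Assumption: lockfileVersion 2+ (entries under packages["node_modules/<name>"]).
function checkVendoredDeps(projectDir) {
  const read = (f) => JSON.parse(fs.readFileSync(path.join(projectDir, f), "utf8"));
  const pkg = read("package.json");
  const lock = read("package-lock.json");
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const problems = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (!spec.startsWith("file:")) continue; // registry deps are out of scope here
    const tarball = path.resolve(projectDir, spec.slice("file:".length));
    const pinned = (lock.packages || {})[`node_modules/${name}`]?.integrity;
    if (!fs.existsSync(tarball)) problems.push(`${name}: ${spec} is not checked in`);
    else if (!pinned) problems.push(`${name}: no integrity in package-lock.json`);
    else if (pinned !== sri(fs.readFileSync(tarball)))
      problems.push(`${name}: tarball does not match lockfile integrity`);
  }
  return problems;
}

// Constructed sample project: placeholder tarball bytes, not a real package.
function makeSampleProject(tarballBytes, pinnedBytes) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "vendored-"));
  fs.mkdirSync(path.join(dir, "vendor"));
  fs.writeFileSync(path.join(dir, "vendor", "scope-pkg-1.0.0.tgz"), tarballBytes);
  const spec = "file:vendor/scope-pkg-1.0.0.tgz";
  fs.writeFileSync(path.join(dir, "package.json"),
    JSON.stringify({ dependencies: { "@scope/pkg": spec, "some-registry-dep": "^1.0.0" } }));
  fs.writeFileSync(path.join(dir, "package-lock.json"), JSON.stringify({
    lockfileVersion: 2,
    packages: { "node_modules/@scope/pkg": { resolved: spec, integrity: sri(pinnedBytes) } },
  }));
  return dir;
}

// Demo: the tarball on disk differs from what the lockfile pinned.
console.log(checkVendoredDeps(makeSampleProject(Buffer.from("changed"), Buffer.from("original"))));
```

In a real repo, call `checkVendoredDeps(process.cwd())` as a step before `npm ci` and fail the build if the returned list is non-empty.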
