NPM registry authentication

A **private NPM registry** enables your monorepo to publish NPM packages for internal use. It works the same way as the public https://npmjs.net.cn/ registry, except that access to the private registry requires authorization. Each user needs to obtain an access token, which is typically stored in the ~/.npmrc file on their computer.

Most large monorepos eventually need a private NPM registry. It is useful for:

  • Sharing code privately between teams
  • Proxying access to the public registry, to improve reliability, audit package usage, and apply security screening
  • Speeding up CI operations by installing prebuilt toolkits instead of running rush install && rush build before invoking a tool
  • Testing installation behavior before publishing a package to the public NPM registry
  • Publishing wrappers or temporary forks of third-party packages
    (Compared to GitHub URL dependencies, NPM packages provide proper semantic versioning and better caching semantics.)

Some popular providers are:

And for testing purposes, Verdaccio is a lightweight Node.js server that can run on https://# and implements a complete private registry with proxy capabilities.

Registry mappings

The mappings for the private registry are specified in the monorepo .npmrc file.

Below is an example configuration that installs company packages from the private registry but fetches all other packages from the public registry. Company packages are identified by their @example NPM scope.

common/config/rush/.npmrc

# Map your company's NPM scope ("@example") to the private registry URL:
@example:registry=https://my-registry.example.com/npm-private/

# Otherwise, all other packages come from the public NPM registry:
registry=https://registry.npmjs.org/
always-auth=false

# Here we specify how the package manager should authenticate to the private registry.
# For security reasons, CI jobs should obtain their tokens from environment variables.
# The exact syntax depends on your registry provider. If a line references an environment
# variable that is undefined, Rush will ignore that line. This avoids producing an invalid
# string that might interfere with a developer who obtains their credentials from ~/.npmrc.
//my-registry.example.com/npm-private/:_password=${MY_CI_TOKEN}
//my-registry.example.com/npm-private/:username=${MY_CI_USER}
//my-registry.example.com/npm-private/:always-auth=true

More commonly, your private registry will act as a **caching proxy**, so that it can also serve packages from the public NPM registry. In that case, there is no need to map NPM scopes. Your setup might look like this:

common/config/rush/.npmrc

# Map everything to the private registry URL
registry=https://my-registry.example.com/npm-private/
always-auth=true

# Here we specify how the package manager should authenticate to the private registry.
# For security reasons, CI jobs should obtain their tokens from environment variables.
# The exact syntax depends on your registry provider. If a line references an environment
# variable that is undefined, Rush will ignore that line. This avoids producing an invalid
# string that might interfere with a developer who obtains their credentials from ~/.npmrc.
//my-registry.example.com/npm-private/:_password=${MY_CI_TOKEN}
//my-registry.example.com/npm-private/:username=${MY_CI_USER}
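The two configurations above both rely on the rule that a .npmrc line referencing an undefined environment variable is ignored rather than expanded into an invalid string. The following is an added illustration of that rule (not Rush's own implementation), plus a check a reviewer would want: flagging credential lines whose value was committed as a literal instead of a ${VAR} reference. The SAMPLE_NPMRC text is constructed to mirror the first configuration.

```javascript
// Added example, not Rush's own code. Mimics the behaviour described above:
// a .npmrc line that references an undefined environment variable is dropped,
// while lines whose variables are all defined are expanded.
const ENV_REF = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;
const SECRET_KEYS = /:(_password|_authToken|_auth)=/;

// Returns { kept, dropped }: `kept` is the resolved .npmrc text with ${VAR}
// expanded, `dropped` lists lines that referenced at least one undefined variable.
function resolveNpmrc(content, env) {
  const kept = [];
  const dropped = [];
  for (const line of content.split(/\r?\n/)) {
    const refs = [...line.matchAll(ENV_REF)].map((m) => m[1]);
    if (refs.some((name) => env[name] === undefined)) {
      dropped.push(line); // would otherwise become e.g. ":_password=" (invalid)
      continue;
    }
    kept.push(line.replace(ENV_REF, (_, name) => env[name]));
  }
  return { kept: kept.join('\n'), dropped };
}

// Flags credential lines whose value is a literal rather than a single ${VAR}
// reference, i.e. a token that would be committed to the repository.
function findHardcodedSecrets(content) {
  return content.split(/\r?\n/).filter((line) => {
    if (line.trim().startsWith('#') || !SECRET_KEYS.test(line)) return false;
    const value = line.slice(line.indexOf('=') + 1).trim();
    return !/^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value);
  });
}

// Constructed sample mirroring the scoped configuration above.
const SAMPLE_NPMRC = [
  '@example:registry=https://my-registry.example.com/npm-private/',
  'registry=https://registry.npmjs.org/',
  '//my-registry.example.com/npm-private/:_password=${MY_CI_TOKEN}',
  '//my-registry.example.com/npm-private/:username=${MY_CI_USER}',
  '//my-registry.example.com/npm-private/:always-auth=true',
].join('\n');
```

Running resolveNpmrc with an empty environment (a developer's machine) keeps only the registry mappings and always-auth line, so the developer's own ~/.npmrc credentials remain in effect.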

For details about the lookup precedence for **.npmrc** settings, see the .npmrc page.

Prompting for credentials with "rush setup"

Rush recently introduced an experimental feature where rush install can detect whether a user's registry credentials are missing or expired. If so, the user is prompted to run rush setup, which walks them through obtaining a token and then updates their **~/.npmrc** file. The new settings are intelligently merged with any existing content of that file.

An example of the rush setup interaction looks like this:

NPM credentials are missing or expired

==> Fix this problem now? (y/N) Yes

This monorepo consumes packages from an Artifactory private NPM registry.

==> Do you already have an Artifactory user account? (y/n) Yes

Please open this URL in your web browser:

https://my-company.jfrog.io/

Your user name appears in the upper-right corner of the JFrog website.

==> What is your Artifactory user name? example-user

Click "Edit Profile" on the JFrog website. Click the "Generate API Key" button if you haven't already done so
previously.

==> What is your Artifactory API key? ***************

Fetching an NPM token from the Artifactory service...

Adding Artifactory token to: /home/example-user/.npmrc

The initial implementation only supports the JFrog Artifactory service. Other services will be implemented in the future.

To use this feature, simply assign a value to the "registryUrl" field in your artifactory.json config file and set "enabled" to true. The file template includes documentation about other optional settings that can be used to customize the dialog.

See also