Install npm module from gitlab private repository

孤城傲影 2020-11-28 01:31

We are using GitLab for our private project. There are some forked libraries from GitHub that we want to install as npm modules. Installing that module directly from npm is

9 answers
  • 2020-11-28 02:05

    Although the question is about GitLab, this question is quite well ranked in Google search, so here is some more information about how to fix a similar issue I got with GitHub.

    For me, only changing the URL didn't make it work. Here are the steps I had to take to fix this:

    • git+ssh://git@github.com:owner/repo.git#master
    • Create a deploy key and add it to the repo
    • Edit git config (~/.ssh/config, create the file if it doesn't exist) to force the use of the deploy key instead of the default SSH key

    After that the npm install simply worked. All the other options and solutions resulted in the npm install breaking.

  • 2020-11-28 02:08

    Instead of git://, use git+ssh:// and npm should do the right thing.

  • 2020-11-28 02:08

    GitLab now has a package registry where it's possible to build, deploy and host npm packages. With private repositories, it's possible to provide fine-grained access control over the repository contents and the packages.

    npm packages can be installed from private GitLab repositories by adding a .npmrc file alongside package.json. More info here. It gets complicated, though, when using multiple deploy tokens for different repositories in the same codebase.

    With GitLab it's possible to access the package .tgz file directly with HTTPS and a deploy token. Simply add the project dependency like this:

    "@foo/bar": "https://<username>:<token>@gitlab.com/api/v4/projects/<project-id>/packages/npm/@foo/bar/-/@foo/bar-1.0.0.tgz"
    

    @foo/bar is present twice in the URL. @foo is the project scope, bar is the module name and 1.0.0 is the module name. project-id (8-digit numeric) is the GitLab project ID, which can be seen on the project page under the name. It's even possible to omit @foo from the module name (but not the link).

    Using multiple modules with the same scope and different deploy tokens makes managing private repositories secure. Also, deploy tokens may only have access to the package registry, which means the end user will not be able to access the complete source code from the repositories.

  • 2020-11-28 02:10

    Just for anyone else who stumbles across this, I couldn't get it working over HTTPS at all - seems it doesn't support the direct link to the repo (e.g. https://git.domain.com/user/somerepo.git), nor does it support the .tar, .tar.bz or .zip archive versions.

    It only seems to work with the .tar.gz archive.

    Full example (with tagged version):

    https://git.domain.com/user/somerepo/repository/archive.tar.gz?ref=v1.2.3

  • 2020-11-28 02:11

    For me, setting the package.json as below works.

    "dependencies": {
        "<module-name>": "git+http://<username>:<token>@url.git"
    }
    

    The token is obtained from your "Profile Settings - Access Token".

  • 2020-11-28 02:13

    Update

    As @felix mentioned in comments (thanks @felix), using a deploy token is much more relevant for reading a private registry on GitLab. This way, if the token is compromised, an attacker can only read that repository and cannot make changes.

    Creating a Deploy Token

    1. Log in to your GitLab account.
    2. Go to the project you want to create Deploy Tokens for.
    3. Go to Settings > Repository.
    4. Click Expand in the Deploy Tokens section.
    5. Choose a name and optionally an expiry date for the token.
    6. Choose the desired scopes. <= select read_repository
    7. Click on Create deploy token.
    8. Save the deploy token somewhere safe. Once you leave or refresh the page, you won’t be able to access it again.

    Old answer

    Go to User Settings > Access Tokens and create a new access token with read_registry permission.

    Copy the generated token; we need it for our package.json file.

    Now in package.json add the dependency as below:

    "my-module": "git+https://Xaqron:token@gitlab.com/Xaqron/my-module"
    

    Replace Xaqron with your username and token with the generated token. You can specify a branch or tag at the end of the URL with #{branch|tag}.

    Note: Since the access token is located in package.json, anyone who has access to this project can read the repository, so I assume your project is private itself.

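Several answers above place a username and token directly in a package.json dependency URL, and one uses plain http. The following Node.js script is an added example, not code from any of the answers: it flags dependency specifiers that carry embedded credentials or use a cleartext scheme, and redacts the secret in its report. The function names and the sample manifest (including its token values) are constructed for illustration.

```javascript
// Added example: flag dependency specifiers that carry credentials or use
// cleartext transport. sampleManifest is constructed; the token values are fake.
const sampleManifest = {
  dependencies: {
    "my-module": "git+https://Xaqron:token@gitlab.com/Xaqron/my-module",
    "legacy-lib": "git+http://deploy-user:FAKE-TOKEN@git.example.com/team/legacy-lib.git",
    "ssh-lib": "git+ssh://git@github.com:owner/repo.git#master",
    "left-pad": "^1.3.0",
  },
  devDependencies: {
    "@foo/bar": "https://gitlab.com/api/v4/projects/1/packages/npm/@foo/bar/-/@foo/bar-1.0.0.tgz",
  },
};

// Scheme prefix, then optional userinfo (text before the first "@" in the authority).
const URL_SPEC = /^((?:git\+)?(https?|git|ssh):\/\/)(?:([^@\/\s]+)@)?/;

function auditSpec(spec) {
  const m = URL_SPEC.exec(spec);
  if (!m) return null; // semver range, dist-tag, local path: nothing to check
  const [, prefix, scheme, userinfo] = m;
  const findings = [];
  // Over HTTP(S) any userinfo is a secret; over SSH a bare user ("git") is normal.
  if (userinfo && (scheme.startsWith("http") || userinfo.includes(":"))) {
    findings.push("embedded-credential");
  }
  if (scheme === "http" || scheme === "git") findings.push("cleartext-transport");
  // Never echo the secret back into logs or CI output.
  const redacted = findings.includes("embedded-credential")
    ? spec.replace(prefix + userinfo + "@", prefix + "<redacted>@")
    : spec;
  return findings.length ? { spec: redacted, findings } : null;
}

function auditManifest(manifest) {
  const report = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const result = auditSpec(String(spec));
      if (result) report.push({ field, name, ...result });
    }
  }
  return report;
}

console.log(JSON.stringify(auditManifest(sampleManifest), null, 2));
```

Run against a parsed package.json in CI, a non-empty report is a reason to fail the build and move the token into an environment variable or a .npmrc that is kept out of version control.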