Alternative to NPM

I am working on a project where we handle private data that we cannot risk sharing due to security problems.

We have several packages that we have developed for use in applications. We want to control the versions of the packages, but we don't have it in private NPM; they are primarily in bitbucket:

We are currently using to integrate it as a dependency. But we wanted to version control those core packages, and we couldn't find a suitable replacement for NPM. I don't know if I'm explaining myself well, but I would like to know a good way to simulate something similar to NPM using bitbucket.

Flow:

We deploy the module to the instance, then the app... after that, we link the module to the app. Using

We run NPM LINK and then in the app, we run NPM LINK NAME

Is there another way to do it?

I fixed this problem. That is why I am editing this question!

I'll leave the idea that opened the topic, but that initial idea is only for very specific local tests and is not the most elegant! Having said this: we have to automatically install the private packages, which are hosted on Bitbucket. The best way I found is a mix between user authentication and SSH for the server environment. How it works: it is easy. This is an example of how the package would look:

"dependencies": {
  "@companyName/example": "git+ssh://git@bitbucket.org:companyName/npm_example.git"
}

I literally copied this from Bitbucket.

  • it looks like this when copied (git@bitbucket.org:companyName/install_example.git); just add the git+ssh:// header

Example of ssh clone

In this way, if a developer tries to carry out the installation, he has to enter his username and password to be able to install; if he does not have permissions, he cannot install the packages!

Now, to use SSH keys and keep everything clean, you must create a private key and a public key.

Then register the public key on the server with read-only access; by default, Bitbucket allows you to do that cleanly! Go to your repository settings, then SSH access, and register your public key.

Best part: "SSH access" in Pipelines

script:
 - mkdir -p ~/.ssh
 - (umask 077 ; echo "$MY_PRIVATE_KEY" | base64 --decode > ~/.ssh/id_rsa)
 # do not cat ~/.ssh/id_rsa here: that writes the private key into the pipeline log
 - echo "Host bitbucket.org" >> ~/.ssh/config
 - echo " IdentityFile ~/.ssh/id_rsa" >> ~/.ssh/config
 - echo " IdentitiesOnly yes" >> ~/.ssh/config
 # the next two lines disable host key verification; adding bitbucket.org to ~/.ssh/known_hosts is safer
 - echo " UserKnownHostsFile=/dev/null" >> ~/.ssh/config
 - echo " StrictHostKeyChecking no" >> ~/.ssh/config
 - cat ~/.ssh/config

Add two variables in Bitbucket under "Repository settings" > "Repository variables".

By using this solution, your team has seamless access, and when you deploy, SSH takes care of the authentication: no usernames or passwords are exposed, and only the server administrator has access to the data. To clean sensitive information from the server, see the end!


Note that we only clean the data that can be used to clone the repository, and that's it.

Remember, this guide will help you understand the process; use it as an example. There are many things written about this on the internet. I tried to use them, and this example was what solved the problem for me. You can write more elegant and clean scripts; I'm going to leave you the links to everything I read to clarify... Finally, it is complicated to carry out the deployment in Bitbucket without having access to the image that is generated. For that, I reproduced that same image in Docker, which gave me the possibility to enter it and see what was happening. It is an idea!

Links and credits

best of the best

hosting private npm modules

Advanced features in Bitbucket Pipelines

Using GitHub with SSH

PRIVATE GIT REPO

How can I install an npm package from my bitbucket repository?




Solution 1:[1]

Yes, you can use dependencies directly from Bitbucket (no need for a private NPM registry). From Git URLs as Dependencies:

git+ssh://git@github.com:npm/cli.git#v1.0.27
git+ssh://git@github.com:npm/cli#semver:^5.0
git+https://isaacs@github.com/npm/cli.git
git://github.com/npm/cli.git#v1.0.27

Any of these are valid values for dependencies, so you can write in your package.json, e.g.:

"dependencies": {
  "esd": "git+ssh://git@bitbucket.org:youraccount/yourproject#v5.1.0",
  ...
}

where v5.1.0 is a tag.
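The question's dependency has no `#ref` at all, while the answer pins to a tag. The following is an added example (not code from either post) that audits a parsed package.json and reports how each git dependency is pinned, treating only a full commit SHA as immutable; the sample package.json and the `pinned` entry are constructed.

```javascript
// Added example: classify how git-URL dependencies in package.json are pinned.
// A git URL with no "#ref" (or a branch ref) installs whatever the default branch
// holds at install time, so two installs of the same package.json can differ.
const GIT_PROTOCOLS = ["git+ssh:", "git+https:", "git+http:", "git+file:", "git:"];
const SHA_RE = /^[0-9a-f]{40}$/i;                               // full commit hash
const TAG_RE = /^v?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;      // v5.1.0, 1.2.3-rc1

// Classify a single npm dependency spec (the value side of "name": "spec").
function classifyGitSpec(spec) {
  const proto = GIT_PROTOCOLS.find((p) => spec.startsWith(p));
  if (!proto) return { isGit: false, pin: "registry", ref: "" };
  const hash = spec.indexOf("#");
  const ref = hash === -1 ? "" : spec.slice(hash + 1);
  if (ref === "") return { isGit: true, pin: "none", ref };
  if (ref.startsWith("semver:")) return { isGit: true, pin: "semver", ref };
  if (SHA_RE.test(ref)) return { isGit: true, pin: "commit", ref };
  if (TAG_RE.test(ref)) return { isGit: true, pin: "tag", ref };
  return { isGit: true, pin: "branch", ref };
}

// Walk every dependency field and return one finding per git dependency.
function auditGitDependencies(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const c = classifyGitSpec(spec);
      if (!c.isGit) continue;
      // No ref or a branch is mutable on every install; tags and semver ranges can
      // still be moved by whoever has write access; a commit SHA cannot.
      const severity = c.pin === "none" || c.pin === "branch" ? "high"
        : c.pin === "tag" || c.pin === "semver" ? "medium" : "ok";
      findings.push({ field, name, spec, pin: c.pin, ref: c.ref, severity });
    }
  }
  return findings;
}

// Constructed sample: the question's unpinned URL, the answer's tagged URL,
// a commit-pinned URL (hypothetical repo and hash) and a registry dependency.
const SAMPLE_PKG = {
  dependencies: {
    "@companyName/example": "git+ssh://git@bitbucket.org:companyName/npm_example.git",
    "esd": "git+ssh://git@bitbucket.org:youraccount/yourproject#v5.1.0",
    "pinned": "git+ssh://git@bitbucket.org:youraccount/other#9f4e2c1b3a7d6e5f0a1b2c3d4e5f6a7b8c9d0e1f",
    "lodash": "^4.17.21",
  },
};

for (const f of auditGitDependencies(SAMPLE_PKG)) {
  console.log(`${f.severity.padEnd(6)} ${f.name}: pinned by ${f.pin}${f.ref ? " (" + f.ref + ")" : ""}`);
}
```

Run it against a real package.json with `JSON.parse(fs.readFileSync("package.json"))` in place of `SAMPLE_PKG`; anything reported as "high" should get a tag or, better, a commit SHA before it reaches CI.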

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 DᴀʀᴛʜVᴀᴅᴇʀ