To enable calculation of npm package metadata in local repositories so they are, in effect, npm registries, set the Package Type to npm when you create the repository:
Artifactory allows you to define any layout for your npm registries. In order to upload packages according to your custom layout, you need to package your npm files using
This creates the .tgz file for your package which you can then upload to any path within your local npm repository.
A Remote Repository defined in Artifactory serves as a caching proxy for a registry managed at a remote URL such as
Artifacts (such as tgz files) requested from a remote repository are cached on demand. You can remove downloaded artifacts from the remote repository cache; however, you cannot manually deploy artifacts to a remote npm registry.
To define a remote repository to proxy a remote npm registry follow the steps below:
A Virtual Repository defined in Artifactory aggregates packages from both local and remote repositories.
This allows you to access both locally hosted npm packages and remote proxied npm registries from a single URL defined for the virtual repository.
To define a virtual npm registry, create a virtual repository, set the Package Type to be npm, and select the underlying local and remote npm registries to include in the Basic settings tab.
Click "Save & Finish" to create the repository.
The fields under External Dependency Rewrite control the automatic rewriting of external dependencies for npm packages that need them.
Enable Dependency Rewrite: When checked, automatic rewriting of external dependencies is enabled.
Remote Repository For Cache: The remote repository aggregated by this virtual repository in which the external dependency will be cached.
A white list of Ant-style path expressions that specify where external dependencies may be downloaded from. By default, this is set to
For example, if you wish to limit external dependencies to only be downloaded from
When accessing an npm repository through Artifactory, the repository URL must be prefixed with api/npm in the path. This applies to all npm commands including
For example, if you are using Artifactory standalone or as a local service, you would access your npm repositories using the following URL:
Or, if you are using Artifactory SaaS the URL would be:
To use the npm command line you need to make sure npm is installed. Npm is included as an integral part of recent versions of .
Please refer to on GitHub or the.
Once you have created your npm repository, you can select it in the Tree Browser and click Set Me Up to get code snippets you can use to change your npm registry URL, deploy and resolve packages using the npm command line tool.
To replace the default registry with a URL pointing to an npm repository in Artifactory (the example below uses a repository with the key
npm config set registry http://localhost:8081/artifactory/api/npm/npm-repo
We recommend referencing a Virtual Repository URL as a registry. This gives you the flexibility to reconfigure and aggregate other external sources and local repositories of npm packages you deployed.
Note that if you do this, you need to use the
Once the npm command line tool is configured, every npm install command will fetch packages from the npm repository specified above. For example:
$ npm install request
npm http GET http://localhost:8081/artifactory/api/npm/npm-repo/request
npm http 200 http://localhost:8081/artifactory/api/npm/npm-repo/request
npm http GET http://localhost:8081/artifactory/api/npm/npm-repo/request/-/request-2.33.0.tgz
npm http 200 http://localhost:8081/artifactory/api/npm/npm-repo/request/-/request-2.33.0.tgz
The npm command line tool requires that sensitive operations, such as publish, are authenticated with the server using basic HTTP authentication.
To support authentication you need to edit your .npmrc file and enter the following:
username:password) as encoded strings
npm publish will not work if your email is not specified in
always-auth = true
You can use the following command to get these strings directly from Artifactory:
$ curl -uadmin:password "http://localhost:8081/artifactory/api/npm/auth"
_auth = YWRtaW46e0RFU2VkZX1uOFRaaXh1Y0t3bHN4c2RCTVIwNjF3PT0=
email = email@example.com
always-auth = true
Artifactory does not support the
There are two ways to deploy packages to a local repository:
package.json file and add a publishConfig section to a local repository:
npm publish --registry
By default, Artifactory allows anonymous access to npm repositories. This is defined in the Admin module under Security | General. For details please refer to Allow Anonymous Access.
If you want to be able to trace how users interact with your repositories you need to uncheck the Allow Anonymous Access setting. This means that users will be required to enter their username and password as described in Setting Your Credentials above.
Artifactory uses GitHub Enterprise as its default OAuth provider. If you have an account, you may use your GitHub Enterprise login details to be authenticated when using
Artifactory supports a variety of ways to search for artifacts. For details please refer to Searching Artifacts.
Artifactory also supports npm search [search terms ...]; however, packages may not be available immediately after being published for the following reasons:
When publishing a package to a local repository, Artifactory calculates the search index asynchronously and will wait for a "quiet period" to lapse before indexing the newly published package.
Since a virtual repository may contain local repositories, a newly published package may not be available immediately for the same reason.
You can specify the indexing "quiet period" (time since the package was published) by setting the following system properties (in
In the case of remote repositories, a new package will only be found once Artifactory checks for it according to the Retrieval Cache Period setting.
Artifactory annotates each deployed or cached npm package with two properties:
You can use Property Search to search for npm packages according to their name or version.
The npm client saves caches of packages that were downloaded, as well as the JSON metadata responses (named
The JSON metadata cache files contain URLs which the npm client uses to communicate with the server, as well as other ETag elements sent by previous requests.
We recommend removing the npm caches (both packages and metadata responses) before using Artifactory for the first time. This is to ensure that your caches only contain elements that are due to requests from Artifactory and not directly from
The default cache directory on Windows is %APPDATA%\npm-cache while on Linux it is
Artifactory fully supports. The support is transparent to the user and does not require any different usage of the npm client.
By default, the npm client encodes slash characters ('/') to their percent-encoded representation ("%2f") before communicating with the npm registry. If you are running Tomcat as your HTTP container (the default for Artifactory), this generates an "HTTP 400" error since Tomcat does not allow encoded slashes by default. In order to work with npm scoped packages, you can override this default behavior by defining the following property in the
Note that since Artifactory version 4.4.3, the bundled Tomcat is configured by default to enable encoded slashes. If you are using a previous version you will need to adjust the Tomcat property above.
If Artifactory is running behind a reverse proxy, make sure to disable URL decoding on the proxy itself in order to work with npm scope packages.
For Apache, add the "AllowEncodedSlashes NoDecode" directive inside the <VirtualHost *:xxx> block.
Scopes can be associated with a separate registry. This allows you to seamlessly use a mix of packages from the public npm registry and one or more private registries.
For example, you can associate the scope @jfrog with the registry http://localhost:8081/artifactory/api/npm/npm-local/ by manually altering your ~/.npmrc file and adding the following configuration:
@jfrog:registry=http://localhost:8081/artifactory/api/npm/npm-local/
//localhost:8081/artifactory/api/npm/npm-local/:_password=cGFzc3dvcmQ=
//localhost:8081/artifactory/api/npm/npm-local/:username=admin
//localhost:8081/artifactory/api/npm/npm-local/:email=firstname.lastname@example.org
//localhost:8081/artifactory/api/npm/npm-local/:always-auth=true
From Artifactory 3.5.3, you can use the following command to get these strings directly from Artifactory:
$ curl -uadmin:password "http://localhost:8081/artifactory/api/npm/npm-local/auth/jfrog"
When using scope authentication, npm expects a valid email address. Please make sure you have included your email address in your Artifactory user profile.
The password is simply the base64 encoding of your Artifactory password, the same encoding used by the old authentication configuration. Base64 is reversible, so anyone who can read the .npmrc file can recover the password.
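The following added example (not part of the original page and not JFrog code) audits the text of an .npmrc file for the two exposures implied above: `_auth` and `_password` values that decode straight back to the credential, and registries reached over plain http on a non-loopback host, where basic authentication travels unencrypted. The function name `auditNpmrc` and the host `artifactory.example.internal` are assumptions; the sample file is constructed from the placeholder values shown on this page.

```javascript
// Constructed sample .npmrc: the scoped entries from this page, a legacy _auth line
// built from the placeholder admin:password, and a hypothetical non-loopback registry.
const SAMPLE_NPMRC = [
  'registry=http://artifactory.example.internal:8081/artifactory/api/npm/npm-repo',
  '@jfrog:registry=http://localhost:8081/artifactory/api/npm/npm-local/',
  '//localhost:8081/artifactory/api/npm/npm-local/:_password=cGFzc3dvcmQ=',
  '//localhost:8081/artifactory/api/npm/npm-local/:username=admin',
  '//localhost:8081/artifactory/api/npm/npm-local/:always-auth=true',
  '_auth = YWRtaW46cGFzc3dvcmQ=',
].join('\n');

// Walk the file line by line and collect findings in file order.
function auditNpmrc(text) {
  const findings = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue; // comments
    const eq = line.indexOf('=');            // split on the FIRST '=' only:
    if (eq < 0) continue;                    // base64 padding also uses '='
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (/(^|:)(_auth|_password)$/.test(key)) {
      // base64 is an encoding, not encryption: the credential is fully recoverable.
      const decoded = Buffer.from(value, 'base64').toString('utf8');
      findings.push({ type: 'reversible-credential', key, decoded });
    } else if (/(^|:)registry$/.test(key)) {
      // Basic auth over plain http exposes the credential to anyone on the path.
      const m = /^http:\/\/([^/:]+)/.exec(value);
      if (m && !['localhost', '127.0.0.1'].includes(m[1])) {
        findings.push({ type: 'cleartext-registry', key, host: m[1] });
      }
    }
  }
  return findings;
}

for (const f of auditNpmrc(SAMPLE_NPMRC)) {
  // Print the finding without echoing the recovered secret itself.
  console.log(f.type, f.key, f.decoded ? `(${f.decoded.length} chars recovered)` : f.host);
}
```

In practice, treat any .npmrc that contains these keys as a secret: restrict its file permissions and keep it out of version control.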
While npm scope packages have been available since version 2.0 of the npm command line tool, we highly recommend using npm scope packages with Artifactory only from version 2.1.9 of the npm command line tool.
Packages requested by the Npm client frequently use external dependencies as defined in the packages' package.json file. These dependencies may, in turn, need additional dependencies. Therefore, when downloading an Npm package, you may not have full visibility into the full set of dependencies that your original package needs (whether directly or transitively). As a result, you are at risk of downloading malicious dependencies from unknown external resources. To manage this risk, and maintain the best practice of consuming external packages through Artifactory, you may specify a "safe" whitelist from which dependencies may be downloaded and cached in Artifactory, and configure Artifactory to rewrite the dependencies so that the Npm client accesses them through a virtual repository, as follows:
In the example below the external dependencies will be cached in the "npm" remote repository and only packages from https://github.com/jfrogdev are allowed to be cached.
When downloading an Npm package, Artifactory analyzes the list of dependencies needed by the package.
If any of the dependencies are hosted on external resources (e.g. on github.com), and those resources are specified in the white list,
Artifactory will download the dependency from the external resource.
Artifactory will cache the dependency in the remote repository configured to cache the external dependency.
Artifactory will then modify the dependency's entry in the package's package.json file indicating its new location in the Artifactory remote repository cache before returning it to the Npm client.
Consequently, every time the Npm client needs to access the dependency, it will be provisioned from its new location in the Artifactory remote repository cache.
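To see in advance which dependencies a whitelist would let through, the added example below (not part of the original page and not Artifactory's implementation) classifies each entry of a package.json as a registry range, an external dependency covered by the whitelist, or an external dependency outside it. The Ant-style matcher is an approximation; the pattern `**/github.com/jfrogdev/**`, the package contents and all function names are assumptions constructed for illustration.

```javascript
// Ant-style pattern to RegExp (an approximation, not Artifactory's matcher):
// ** spans '/', * stays within one path segment, ? is a single character.
function antToRegExp(pattern) {
  let re = '';
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '*' && pattern[i + 1] === '*') { re += '.*'; i++; }
    else if (c === '*') re += '[^/]*';
    else if (c === '?') re += '[^/]';
    else re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  return new RegExp('^' + re + '$');
}

// Return the URL an external dependency spec points at, or null for a registry range.
function externalUrl(spec) {
  if (/^(git\+)?(https?|ssh|git):\/\/|^git@/.test(spec)) {
    return spec.replace(/^git\+/, '').split('#')[0];
  }
  // npm treats "user/repo" and "github:user/repo" as GitHub repositories.
  const m = /^(?:github:)?([A-Za-z0-9-]+)\/([\w.-]+?)(?:#.*)?$/.exec(spec);
  return m ? `https://github.com/${m[1]}/${m[2]}` : null;
}

function auditDependencies(pkg, whitelist) {
  const patterns = whitelist.map(antToRegExp);
  const report = { registry: [], allowed: [], blocked: [] };
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const url = externalUrl(spec);
      if (url === null) report.registry.push(name);
      else if (patterns.some((re) => re.test(url))) report.allowed.push(name);
      else report.blocked.push(name);
    }
  }
  return report;
}

// Constructed package.json and whitelist (only github.com/jfrogdev, as in the page's example).
const samplePackage = {
  dependencies: {
    request: '^2.33.0',
    'internal-lib': 'git+https://github.com/jfrogdev/internal-lib.git#v1.0.0',
    'build-helper': 'jfrogdev/build-helper',
    'lookalike-org': 'https://github.com/jfrogdev-fork/lookalike-org/archive/main.tar.gz',
    'tarball-dep': 'https://downloads.example.net/tarball-dep-1.0.0.tgz',
  },
};
const sampleWhitelist = ['**/github.com/jfrogdev/**'];
console.log(auditDependencies(samplePackage, sampleWhitelist));
```

The trailing slash before `**` is what keeps the similarly named organization `jfrogdev-fork` out of the allowed set.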
Artifactory lets you view selected metadata of an npm package directly from the UI.
In the Tree Browser, drill down to select the tgz file you want to inspect. The metadata is displayed in the Npm Info tab.