Using Node.js you want to use NPM packages for reusable parts of the apps you create, that is a common sense. At the same time not everything makes sense as a public module unfortunately. Right now we are using Bitbucket at work for private repositories but there is a problem. How to use them as NPM modules? We do not want to publish them to the public npmjs.org but still want to have an ability to install them easily.

After googling and experimenting I have found simple solution.
First create new user in your organization with obscure password and give it read access to the repo. It is best to assign really obscure password but do not fool yourself. This is convenient but you must sacrifice security a bit. You should always consider how in your context that would be important.

Change example from below to:
user - username
PASS - password of the user
organization - owner of the project (you can find it in bitbucket url to your project)
project - your project name

"dependencies": {  
    **"private-lib": "git+https://user:PASS@bitbucket.org/organization/project.git#v1.0.0"**  
}

After that standard npm install should work fine.

Security:
You can argue that if someone has access to your package.json file then it is a no brainer that he has access to the rest of the repository as well, so why I talking about it being security risk?
Mostly because other people in the team... If anyone else in your company will reuse that user for other projects/purposes then one leaked project will mean all of them being public...

Feedback or Comments?

← Home

Want to learn more?

Sign up to get a digest of my articles and interesting links via email every month.