When running yarn, yarn.lock file is generated with private token from bash

I'm using Gem Fury for some of our private packages. I set the yarn registry to use their proxy for public and our private node modules:

yarn config set registry "https://npm-proxy.fury.io/$GEMFURY_TOKEN/username"

GEMFURY_TOKEN is set in .bash. yarn config get registry produces:

https://npm-proxy.fury.io/$(GEMFURY_TOKEN)/username

When we run yarn, the yarn.lock file will generate this:

private-module@0.1.0:
  version "0.1.0"
  resolved "https://npm.fury.io/username/private-module/-/0.1.0.tgz?auth=<GEMFURY TOKEN>"
  dependencies:
    ember-cli-babel "^5.1.6"

private-module-2@0.1.4:
  version "0.1.4"
  resolved "https://npm.fury.io/username/private-module-2/-/0.1.4.tgz?auth=<GEMFURY TOKEN>"
  dependencies:
    ember-cli-babel "^5.1.6"
    ember-inflector "^1.9.6"

I don't want private tokens in the git repository. Is there a way I can exclude the token from being added to the yarn.lock file on generation?

Try to set up npm as described in Gem Fury documentation. The crucial parts are setting always-auth to true and using npm login.

If this doesn't help then you can use Git pre-commit hooks that will remove credentials from yarn.lock when changes are committed to the Git repository.
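
One way to write the pre-commit hook mentioned in the answer above (an added example, not part of the original answer or of Gemfury's documentation). It assumes the token appears only as an auth query parameter on resolved lines, as in the question's yarn.lock excerpt, that yarn.lock sits at the repository root, and that installs authenticate through registry configuration outside the lockfile; the function names are illustrative.

```shell
#!/bin/sh
# Added example: save as .git/hooks/pre-commit and make it executable.
# Assumption: the token only appears as an "auth" query parameter on
# "resolved" lines, and yarn.lock is at the repository root.

# Filter: lockfile text on stdin, same text without auth parameters on stdout.
strip_lock_auth() {
    sed -E \
        -e '/^[[:space:]]*resolved /s/([?&])auth=[^&#"]*&/\1/' \
        -e '/^[[:space:]]*resolved /s/[?&]auth=[^&#"]*//'
}

# Predicate: succeeds if stdin has a resolved line that carries auth=.
has_lock_auth() {
    grep -Eq '^[[:space:]]*resolved .*[?&]auth='
}

main() {
    # Nothing to do unless yarn.lock is staged for this commit.
    git diff --cached --name-only | grep -qx 'yarn.lock' || exit 0

    tmp=$(mktemp) || exit 1
    if strip_lock_auth < yarn.lock > "$tmp"; then
        cat "$tmp" > yarn.lock      # keep the file's mode and inode
    fi
    rm -f "$tmp"
    git add yarn.lock               # note: stages the whole file

    # Fail closed: block the commit if the staged copy still has a token.
    if git show :yarn.lock | has_lock_auth; then
        echo "pre-commit: yarn.lock still contains an auth token" >&2
        exit 1
    fi
}

# Run only when invoked as the hook, so the functions can be sourced and tested.
case "$0" in
    */pre-commit|pre-commit) main ;;
esac
```

The hook only cleans new commits; a token that was already committed stays in the repository history and has to be revoked and reissued.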

We solved this problem recently, but the Gemfury documentation doesn't really make it obvious. If you need to pull or push in your CI build then I don't think you should use npm login as that will modify your home .npmrc, which isn't very helpful. We found that all you need to do is change your project's .npmrc to use the shared organization account. This way you can have your project's .npmrc version controlled so your developers and your CI server can read from the same registry URL while keeping your lock file token-free:

@MY_ORG:registry=https://npm-proxy.fury.io/MY_ORG/
always-auth=true
//npm-proxy.fury.io/MY_ORG/:_authToken=${GEMFURY_TOKEN}