I'm using Gem Fury for some of our private packages. I set the yarn registry to use their proxy for public and our private node modules:
yarn config set registry "https://npm-proxy.fury.io/$GEMFURY_TOKEN/username"
GEMFURY_TOKEN
is set in .bash
. yarn config get registry
produces:
https://npm-proxy.fury.io/$(GEMFURY_TOKEN)/username
When we run yarn
, the yarn.lock
file will generate this:
private-module@0.1.0:
version "0.1.0"
resolved "https://npm.fury.io/username/private-module/-/0.1.0.tgz?auth=<GEMFURY TOKEN>"
dependencies:
ember-cli-babel "^5.1.6"
private-module-2@0.1.4:
version "0.1.4"
resolved "https://npm.fury.io/username/private-module-2/-/0.1.4.tgz?auth=<GEMFURY TOKEN>"
dependencies:
ember-cli-babel "^5.1.6"
ember-inflector "^1.9.6"
I don't want private tokens in the git repository. Is there a way I can exclude the token from being added to the yarn.lock
file on generation?
Try to set up npm
as described in Gem Fury documentation . The crucial parts are setting always-auth
to true
and using npm login
If this doesn't help then you can use Git
pre-commit hooks that will remove credentials from yarn.lock
when changes are commited to Git
repository.
We solved this problem recently, but the Gemfury documentation doesn't really make it obvious. If you need to pull or push in your CI build then I don't think you should use npm login
as that will modify your home .npmrc
, which isn't very helpful. We found that all you need to do is change your project's .npmrc
to use the shared organization account. This way you can have your project's .npmrc
version controlled so your developers and your CI server can read from the same registry URL while keeping your lock file token-free:
@MY_ORG:registry=https://npm-proxy.fury.io/MY_ORG/
always-auth=true
//npm-proxy.fury.io/MY_ORG/:_authToken=${GEMFURY_TOKEN}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.