Get Started with private npm packages
Bytesafe Community Edition (CE) is a free, robust security platform designed to protect organizations from open source software supply chain attacks. It’s an ideal tool to manage your JavaScript projects and packages securely. Here’s a simple guide to get you started with Bytesafe CE and JavaScript.
Setting Up Bytesafe CE
Bytesafe CE is configured to use PostgreSQL for data management and Redis for efficient caching. It stores package artifacts on the local file system, making it a convenient solution for many use cases. For more information on configurable options in Bytesafe CE, see the docs.
Quickstart Using Docker Compose
Bytesafe CE can be installed quickly using Docker Compose, as explained in the following step-by-step guide:
- Download the sample docker-compose.yml file to your host from the Bytesafe Community Edition Git repository.
- Create an .env file with a unique and secret value for the DATA_ENCRYPTION_KEY environment variable.
- Use Docker Compose to start Bytesafe Community Edition, PostgreSQL, and Redis.
# fetch the sample compose file
$ curl -O https://raw.githubusercontent.com/bitfront-se/bytesafe-ce/master/docker-compose.yml
# generate a random 50-character alphanumeric key and store it in .env
$ echo "DATA_ENCRYPTION_KEY='$(LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 50 | head -n 1)'" > .env
# start Bytesafe CE, PostgreSQL, and Redis
$ docker compose up
You can then open a web browser and create your workspace owner account at http://localhost:8081/.
After creating the workspace owner account, go ahead and create your first npm registry. Let’s call it “npm-firewall”.
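The one-liner above generates the key but leaves the .env file with default permissions and silently overwrites any key that is already there. The script below is an added example (not from the Bytesafe CE repository) that does the same job as a small set of shell functions: it generates the key from /dev/urandom, writes .env readable only by its owner, and refuses to replace a key that already exists. The function names gen_key, read_key and write_env are hypothetical.

```shell
#!/bin/sh
# Create the .env file for Bytesafe CE with a freshly generated
# DATA_ENCRYPTION_KEY. Hypothetical helper, not part of the Bytesafe CE repository.

# gen_key [LEN]: print LEN random alphanumeric characters read from /dev/urandom.
gen_key() {
  LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w "${1:-50}" | head -n 1
}

# read_key ENV_FILE: print the value stored as DATA_ENCRYPTION_KEY='...'.
read_key() {
  sed -n "s/^DATA_ENCRYPTION_KEY='\(.*\)'\$/\1/p" "$1"
}

# write_env [DIR]: write DIR/.env (default: current directory) readable only by
# the owner. Refuses to overwrite a key that is already present, so re-running
# the script never silently replaces the key an instance is already using.
write_env() {
  env_file="${1:-.}/.env"
  if [ -e "$env_file" ] && [ -n "$(read_key "$env_file")" ]; then
    echo "$env_file already contains DATA_ENCRYPTION_KEY, leaving it unchanged" >&2
    return 2
  fi
  key=$(gen_key 50)
  if [ "${#key}" -ne 50 ]; then
    echo "key generation failed" >&2
    return 1
  fi
  # umask in a subshell: the file is created without group/other access and the
  # caller's umask is left untouched
  ( umask 077 && printf "DATA_ENCRYPTION_KEY='%s'\n" "$key" > "$env_file" )
  chmod 600 "$env_file"
  echo "wrote $env_file"
}

# Demo on a temporary directory: the second call prints the refusal and returns 2.
demo_dir=$(mktemp -d)
write_env "$demo_dir"
write_env "$demo_dir" || true
rm -rf "$demo_dir"
```

Run write_env in the directory that holds docker-compose.yml; docker compose picks up the .env file from there. Keep the file out of version control, since the key is the one secret the whole installation depends on.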
Working with JavaScript Packages
Once you have Bytesafe CE installed and running, you can start managing your JavaScript projects and packages. Bytesafe offers full support for the JavaScript ecosystem with private npm registries for your packages and dependencies. You can interact with Bytesafe using your regular tools, such as npm install for installing and npm publish for uploading JavaScript packages.
Note: This post provides a general overview of getting started with Bytesafe CE and JavaScript. For more detailed information, see the JavaScript packages | Bytesafe documentation.
Specify a default npm registry
To avoid stating explicitly which registry to use on every request, add the registry to your npm configuration file.
To configure npm, edit the .npmrc file in your project’s directory or the user-level .npmrc file:
# access token for a registry is stored in .npmrc file
registry=http://localhost:8081/r/npm-firewall/
always-auth=true
//localhost:8081/r/npm-firewall/:_authToken={TOKEN}
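A mistake in this file is easy to make and easy to miss: if the _authToken line is missing, still carries the {TOKEN} placeholder, or is keyed on a URL that differs from the registry= line, npm silently sends unauthenticated requests (or, with no registry= line at all, falls back to the public registry). The script below is an added example, not part of Bytesafe or npm, that checks an .npmrc for exactly those conditions before you run npm install or npm publish. The function name check_npmrc is hypothetical, and the token value in the demo file is made up.

```shell
#!/bin/sh
# check_npmrc FILE: sanity-check an .npmrc before using it against a Bytesafe
# registry. Hypothetical helper, not part of Bytesafe or npm.
check_npmrc() {
  file="$1"
  [ -r "$file" ] || { echo "cannot read $file"; return 1; }

  # First registry= line, ignoring comments and Windows line endings.
  registry=$(grep -v '^#' "$file" | tr -d '\r' | sed -n 's/^registry=//p' | head -n 1)
  if [ -z "$registry" ]; then
    echo "$file: no registry= line, npm would fall back to the public registry"
    return 1
  fi

  # npm keys auth tokens by the registry URL without its scheme, e.g.
  # //localhost:8081/r/npm-firewall/:_authToken=...
  scope=$(printf '%s' "$registry" | sed -e 's#^http://#//#' -e 's#^https://#//#')
  case "$scope" in */) ;; *) scope="$scope/" ;; esac

  status=0
  if ! grep -q "^${scope}:_authToken=." "$file"; then
    echo "$file: no _authToken for $scope, requests to $registry would be unauthenticated"
    status=1
  fi
  if grep -q "^${scope}:_authToken={TOKEN}" "$file"; then
    echo "$file: the {TOKEN} placeholder has not been replaced with a real token"
    status=1
  fi
  if ! grep -q '^always-auth=true' "$file"; then
    echo "$file: always-auth is not true, so installs may be attempted without credentials"
    status=1
  fi
  case "$registry" in
    http://localhost:*|http://127.0.0.1:*) ;;  # plain http is acceptable for a local instance
    http://*) echo "$file: warning, the token would be sent in clear text to $registry" ;;
  esac
  [ "$status" -eq 0 ] && echo "$file: ok"
  return "$status"
}

# Demo on a constructed .npmrc (the token value is made up).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# access token for a registry is stored in .npmrc file
registry=http://localhost:8081/r/npm-firewall/
always-auth=true
//localhost:8081/r/npm-firewall/:_authToken=constructed-example-token
EOF
check_npmrc "$demo_file"
rm -f "$demo_file"
```

Point it at the user-level file (check_npmrc ~/.npmrc) or at a project's .npmrc. Keeping the _authToken line in the user-level file rather than the project file avoids committing the token together with the project.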
Publish a JavaScript package using npm
Note: If you have previously installed a package, you might want to run npm cache clean --force to make sure packages are downloaded from Bytesafe rather than from the local cache.
To publish (upload) packages using npm, you need to set up your .npmrc file (see above).
You can then publish a built package with:
$ npm publish
Install a JavaScript package using npm
To install JavaScript packages using npm, use the following command. The syntax below assumes you have added the user, token, and registry in your npm configuration file:
$ npm install {PACKAGE}
Using yarn
Bytesafe is compatible with yarn. To add or publish npm packages using yarn, see the examples below.
# publish a package to Bytesafe using yarn publish
$ yarn --registry https://localhost:8081/r/npm-firewall/ publish {PACKAGE}
...
Note: If you have previously installed a package, you may want to run yarn cache clean [<module_name...>] to make sure packages are downloaded from Bytesafe rather than from the local cache.