Installing npm modules from Git repositories


Bytesafe now supports Git repositories as registry upstreams. Developers can install a module from Bytesafe, and the appropriate version will be packaged from the Git repository.

Connecting Bytesafe to Git repos provides an alternative for teams that want to share and collaborate on their internal npm modules during development, while still benefiting from Bytesafe plugins and policies, which can also be applied to modules sourced from Git repositories.

Using Git upstreams with Bytesafe also introduces a leaner, less error-prone workflow compared to the other main alternatives:

  • Storing local copies of all dependencies (checked out from Git) and using tools like yarn link to manage symlinks. This can work, but is usually tedious and error-prone in the long run. It also needs a lot of coordination among developers, which is difficult in a larger team.

  • Pushing all changes to CI/CD systems to build and deploy packages to a registry. Setting up CI/CD for every feature branch just to be able to publish and share internal packages in development is not ideal. Plus, manually updating the versions and dependencies in package.json for each commit you want to test is not very ergonomic.

  • Manually pointing dependencies to a specific Git repository (and branch/commit). Depending directly on Git repositories in package.json is often not optimal, especially if the team has many components, each with its own repository. It also includes the overhead of maintaining a development-only version of package.json.

These alternatives also require managing local configuration and bypass any policies and plugins in Bytesafe.
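One way to find where a project still uses the third alternative, as an added example that is not Bytesafe's code: the script lists package.json dependencies that point straight at Git, and lockfile entries resolved outside the registry, which are the packages that registry policies and plugins never see. The function names and both sample manifests are constructed for illustration, the registry URL is the example one used on this page, and the check assumes tarballs are served under that URL.

```javascript
// Added example. REGISTRY is this page's example URL; both manifests are constructed.
const REGISTRY = 'https://example.bytesafe.dev/r/default/';

// Specs npm resolves straight from Git: git URLs, host shortcuts, "user/repo" shorthand.
const GIT_SPEC = /^(git(\+(https?|ssh|file))?:\/\/|git@|(github|gitlab|bitbucket|gist):|[a-z\d][\w.-]*\/[\w.-]+(#.*)?$)/i;

// Dependencies in package.json that point directly at a Git repository.
function gitDependencies(pkg) {
  const hits = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (GIT_SPEC.test(spec)) hits.push({ field, name, spec });
    }
  }
  return hits;
}

// Lockfile (v2/v3) entries whose "resolved" URL is not under the registry.
function offRegistryResolutions(lock, registry = REGISTRY) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path !== '' && meta.resolved && !meta.resolved.startsWith(registry))
    .map(([path, meta]) => ({ path, resolved: meta.resolved }));
}

// Constructed package.json: one registry range, three Git specs, one local path.
const samplePackage = {
  dependencies: {
    'left-pad': '^1.3.0',
    'your-module': 'git+https://git.example.com/team/your-module.git#feature-branch',
    'ui-kit': 'github:example-org/ui-kit#v2',
  },
  devDependencies: { 'build-tools': 'example-org/build-tools', 'local-lib': 'file:../local-lib' },
};

// Constructed package-lock.json: one entry from the registry, one straight from Git.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/left-pad': { resolved: REGISTRY + 'left-pad/-/left-pad-1.3.0.tgz' },
    'node_modules/your-module': { resolved: 'git+ssh://git@git.example.com/team/your-module.git#0123abc' },
  },
};

console.log(gitDependencies(samplePackage));
console.log(offRegistryResolutions(sampleLock));
```
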

Git upstreams

When using a Git repository upstream, teams can access internal npm modules in a way that is completely transparent to developers. Developers do not need to configure anything special: npm modules are easily accessible for your team members' projects, with the tools they regularly use.

Example workflow

[Diagram: registry.npmjs.org, the Bytesafe registry, the Git repository and three developers, connected by pull, install and push arrows.]

Using a Git repository as one of the upstreams for a registry. Changes pushed to Git are directly available to be fetched by other team members (using their regular npm / yarn / pnpm tooling).

Multiple modules in a Git repository: Bytesafe finds all modules in a Git repository and makes them available for install (very useful for monorepos).

Versions, branches and tags

  • Branches and tags: Bytesafe understands Git branches and tags, which makes it easy to install versions from feature branches or release tags.
  • Latest: The dist-tag @latest is mapped to the last commit in the main (i.e. “master” or “main”) branch.
  • Versions: The version from package.json in the main branch can also be installed, in addition to the versions that the above tags point to.

# Installing a package from a Git upstream without specifying a version installs the latest commit from the main branch

$ npm --registry https://example.bytesafe.dev/r/default/ install 'your-module'

...

# To install and test your project with a new branch of a dependency, just specify the branch when adding the package

$ npm --registry https://example.bytesafe.dev/r/default/ install 'your-module@feature-branch'

Configuring Git upstreams

You can add Git repositories as upstreams to a Bytesafe registry in one of two ways:

  • Using a URL: Any repository available over HTTPS and with a URL ending with .git. For private repos you can add a username/password for authentication.
  • Using the GitHub integration: You can connect one or more GitHub accounts to Bytesafe, allowing you to easily add repos (both public and private) by selecting them in a drop-down list.

For more on how to connect Git repositories, see the documentation.

Private and public: Both public and private Git repositories can be added as upstreams. The GitHub integration makes it easy to use private repos without needing to manage tokens.

Treat your Git repos like any registry

Don’t compromise on security, compliance or usability just because the source is a Git repository. Include the Git repository in your Bytesafe workflow instead!

Want to give Git repositories as upstreams a try? Log in to your account and configure a Git repository in the upstreams settings.

Don’t have an account yet? Go ahead and Sign up for Bytesafe.
