npm install private github repositories by dependency in package.json
C

13

297

I'm trying to install a private GitHub repository with npm that includes other private GitHub repositories as dependencies.

I have tried a lot of ways and posts but none is working. Here is what I'm doing:

npm install git+https://github.com/myusername/mygitrepository.git

in package.json is like :

"dependencies": {
    "repository1name": "git+https://github.com/myusername/repository1.git",
    "repository2name": "git+https://github.com/myusername/repository2.git"
}

What is the right way to do it?

Concoction answered 22/4, 2014 at 4:34 Comment(2)
git+https://<token-from-github>:x-oauth-basic@github.com/<user>/<GitRepo>.git It supports authentication and works fine in all cases. – Concoction
You need to specify the branch, commit or tag for it to work, e.g. #master->git+github.com/myusername/repository2.git#master – Ethnic
C
128

The following worked just fine in all scenarios I needed:

"dependencies": {
  "GitRepo": "git+https://<token-from-github>:x-oauth-basic@github.com/<user>/<GitRepo>.git"
}
Concoction answered 25/10, 2014 at 9:27 Comment(18)
Do you have a reference link for this solution? – Shonna
@Ian : I read it somewhere but don't have reference link. I'm using it in production for over a year without any problem. You can get oauth token from Github as : Settings -> Applications -> Personal Access Token -> Generate new token. This token can have read/write or both privileges as per your use case. – Concoction
@lan : for bitbucket you can use following syntax : git clone https://<bitbucket-team-token>:[email protected]/<team>/<BitRepo> <bitbucket-team-token> can be obtained from : Team -> Manage Team -> API Key – Concoction
@vashishatashu, thanks for a great idea. However, I get "fatal: blahblah not found" when trying this, even though I have granted access to the user in question to the repo. Any ideas? – Connally
Is there a specific npm command I need to execute for this to work? I'm using npm install but I'm just getting the plain files instead of an actual git clone.. – Ninety
Does this work for private repos that I have access to? – Clachan
@Clachan : Yes this is exactly what the above given syntax works. If you face any problem just let me know. – Concoction
@vashishatashu, it was working on node 4, but for my current version of node it does not work. If I include the git information into the package.json and I run npm -i I don't get any error, but it does not install the package. You know why? These are my versions: node --version v6.2.1 npm --version 3.9.3 – Clachan
Here's a nice article on this technique: web.archive.org/web/20170506085956/http://rzrsharp.net/2013/07/… – Bemoan
@Clachan : I am still on node v4 and right now do not have an active Github plan so can not say what's wrong. – Concoction
I used this reference: help.github.com/articles/… – Syrupy
There is more detail on this other StackOverflow post https://mcmap.net/q/13496/-how-to-use-private-github-repo-as-npm-dependency – Jolyn
How should be for gitlab private servers? – Dipterocarpaceous
Hi, I want to deploy my repo as a public repo so I don't want to disclose the token, what can be done? – Locomobile
Hi, Can you specify a folder I need in the repository? – Koontz
Since your own access token from Github is visible directly in your package.json, it does not seem to be a safe solution. – Pensive
If you push your code to a repository, your token will be visible to anyone with access to the repository. – Ridiculous
This solution isn't secure, you should use the solution below that creates ~/.gitconfig file, rather than storing your gh token in your package.json. The gh token is supposed to be treated like a password so ... – Lawn
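
The comments above point out that a token written into package.json is readable by anyone with access to the repository. As an added example (not part of the original answer or its comments), this Node.js check flags dependency URLs that embed credentials and prints them redacted; the function names, the sample manifest and the token placeholder are constructed for illustration.

```javascript
// Added example: flag git dependency URLs in package.json that carry credentials.
const FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Classify one dependency spec. Returns null when nothing secret is embedded.
function classify(spec) {
  const m = /^(?:git\+)?(https?|ssh):\/\/([^\/@#]+)@(.+)$/i.exec(String(spec));
  if (!m) return null; // registry range, user/repo shorthand, git://, or no userinfo
  const [, scheme, userinfo, rest] = m;
  const hasPassword = userinfo.includes(":");
  // ssh://git@host/... only names an account; the key lives outside the file.
  if (scheme.toLowerCase() === "ssh" && !hasPassword) return null;
  return {
    // user:secret@ is always a stored secret; a bare https user may be a token.
    severity: hasPassword ? "secret" : "review",
    redacted: spec.slice(0, spec.indexOf("://") + 3) + "<redacted>@" + rest,
  };
}

// Scan a parsed package.json object and return one finding per risky entry.
function scanPackage(pkg) {
  const findings = [];
  for (const field of FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const hit = classify(spec);
      if (hit) findings.push({ field, name, ...hit });
    }
  }
  return findings;
}

// Constructed sample manifest; the token is a made-up placeholder.
const samplePackage = {
  dependencies: {
    "repo-a": "git+https://ghp_CONSTRUCTEDTOKEN:x-oauth-basic@github.com/acme/repo-a.git",
    "repo-b": "git+https://ghp_CONSTRUCTEDTOKEN@github.com/acme/repo-b.git#v1.0.0",
    "repo-c": "git+ssh://git@github.com/acme/repo-c.git#master",
    "repo-d": "acme/repo-d#8ea61ce",
    express: "^4.18.0",
  },
};

for (const f of scanPackage(samplePackage)) {
  console.log(`${f.severity.padEnd(6)} ${f.field}.${f.name}: ${f.redacted}`);
}
```

Run against a real manifest with `scanPackage(require("./package.json"))`; a "review" result means an https user name is present and should be checked by hand, since a token can be supplied in that position.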
A
197

Try this:

"dependencies" : {
  "name1" : "git://github.com/user/project.git#commit-ish",
  "name2" : "git://github.com/user/project.git#commit-ish"
}

You could also try this, where visionmedia/express is name/repo:

"dependencies" : {
   "express" : "visionmedia/express"
}

Or (if the npm package module exists):

"dependencies" : {
  "name": "*"
}

Taken from NPM docs

Agate answered 22/4, 2014 at 4:50 Comment(10)
npm ERR! Failed resolving git HEAD (github.com/user/reponame.git) fatal: ambiguous argument 'commit-ish': unknown revision or path not in the working tree. – Concoction
Doesn't work. The #xxxx isn't required, as if not given it's considered to be master and all my work is in master. Any other idea? – Concoction
Same outcome if you remove the header (#commit-ish)? – Agate
What's the name of your repository? – Agate
I can't reveal it; it's for some client. Actually if I remove dependencies, it works just fine. 1 module gets installed. The issue starts when I give git dependencies. – Concoction
Do the git repositories have a package.json file? – Agate
If the dependencies exist in the npm package module you could also try "name1" : "*" – Agate
Did get the desired result by using git+ssh method. Still couldn't get it through git-http. – Concoction
@vashishatashu, regarding fatal: ambiguous argument 'commit-ish': unknown revision or path not in the working tree. Pretty obvious that commit-ish is just a sample word which you should replace with a sha of a specific commit that you need. (or remove that #commit-ish at all if you need the latest commit in your master branch) – Yazbak
As of version 1.1.65, you can refer to GitHub urls as just “foo”: “user/foo-project”. npmjs docs reference – Rheinland
K
113

For those of you who came here for public directories, from the npm docs: https://docs.npmjs.com/files/package.json#git-urls-as-dependencies

Git URLs as Dependencies

Git urls can be of the form:

git://github.com/user/project.git#commit-ish
git+ssh://user@hostname:project.git#commit-ish
git+ssh://user@hostname/project.git#commit-ish
git+http://user@hostname/project/blah.git#commit-ish
git+https://user@hostname/project/blah.git#commit-ish

The commit-ish can be any tag, sha, or branch which can be supplied as an argument to git checkout. The default is master.

Koroseal answered 9/3, 2016 at 13:15 Comment(4)
What does "for public directories" mean? – Peepul
As of version 1.1.65, you can refer to GitHub urls as just “foo”: “user/foo-project”. npmjs docs reference – Rheinland
What does the protocol git+https:// mean? Use git protocol for cloning and pull new changes while pushing through https? – Resistor
npm install
npm ERR! code 128
npm ERR! An unknown git error occurred
npm ERR! command git --no-replace-objects ls-remote ssh://git@github.com/liihuu/KLineChart.git
npm ERR! Warning: Permanently added 'github.com,20.205.243.166' (ECDSA) to the list of known hosts.
npm ERR! git@github.com: Permission denied (publickey).
npm ERR! fatal: Could not read from remote repository.
npm ERR!
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.
– Pellikka
G
94

The accepted answer works, but I don't much like the idea of pasting secure tokens into package.json.

I have found it elsewhere, just run this one-time command as documented in the git-config manpage.

git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf git@github.com:

GITHUB_TOKEN may be set up as an environment variable or pasted directly,

and then I install private GitHub repos like: npm install user/repo --save

This also works in Heroku: just set up the above git config ... command as the heroku-prebuild script in package.json and set GITHUB_TOKEN as a Heroku config variable.

Gewgaw answered 28/10, 2016 at 19:30 Comment(5)
This also works in Microsoft Visual Studio Team Services Build Chain, where I execute it as a "command" just before the npm install step. – Systemic
Spectacular! Great solution for CI environments! I did have to modify it a bit; I had to change the end to ...insteadOf ssh://git@github.com – Orientalize
This doesn't seem to affect my npm. It's still using ssh when running npm install user/repo --save. Is there something I need to configure? – Protamine
Excellent solution for CI environment where setting up SSH is a pain (CloudBuild)! Thank you very much for this one! – Fumigate
Amazing. For me, similar as @ScottRippey, I had to change the end to .insteadOf "https://github.com" – Alcahest
B
74

There are multiple ways to do it as people point out, but the shortest versions are:

// from master
"depName": "user/repo",

// specific branch
"depName": "user/repo#branch",

// specific commit
"depName": "user/repo#commit",

// private repo
"depName": "git+https://[TOKEN]:x-oauth-basic@github.com/user/repo.git"

e.g.

"dependencies" : {
  "hexo-renderer-marked": "amejiarosario/dsa.js#book",
  "hexo-renderer-marked": "amejiarosario/dsa.js#8ea61ce",
  "hexo-renderer-marked": "amejiarosario/dsa.js"
}
Brenneman answered 2/8, 2016 at 22:52 Comment(4)
Succinct answer for public repositories, which unfortunately was not the OP's question. Still, it helped me and I appreciated it. – Bespeak
I updated my answer to include the private repo case – Brenneman
How would you write as to take a folder from a repo as a dependency? For instance from my repo I want to take /src/util as a package – Arnelle
If you are using a tag created by npm version patch or something like that make sure you include the 'v' "some-repo" : "myusername/some-repo#v1.1..2" – Foulk
J
31
"dependencies": {
  "some-package": "github:github_username/some-package"
}

or just

"dependencies": {
  "some-package": "github_username/some-package"
}

https://docs.npmjs.com/files/package.json#github-urls

Jepum answered 31/7, 2017 at 17:10 Comment(0)
H
14

Since Git uses curl under the hood, you can use ~/.netrc file with the credentials. For GitHub it would look something like this:

machine github.com
  login <github username>
  password <password OR github access token>

If you choose to use access tokens, it can be generated from:

Settings -> Developer settings -> Personal access tokens

This should also work if you are using GitHub Enterprise in your own corporation. Just put your enterprise GitHub URL in the machine field.

Hydrolysate answered 10/4, 2018 at 15:35 Comment(2)
Worked for me with machine github.com login <token> on one line and "package": "https://github.com/acme/privaterepo.git#commit-ish" or directly with npm install https://github.com/acme/privaterepo.git#commit-ish – Lentigo
This worked! Possibly the only solution for https without using token to url. But can you tell whether it is safe to store the password unencrypted like this? – Insurgent
T
9

Here is a more detailed version of how to use the Github token without publishing in the package.json file.

  1. Create personal github access token
  2. Setup url rewrite in ~/.gitconfig
     git config --global url."https://<TOKEN HERE>:x-oauth-basic@github.com/".insteadOf https://x-oauth-basic@github.com/
  3. Install private repository. Verbose log level for debugging access errors.
     npm install --loglevel verbose --save git+https://x-oauth-basic@github.com/<USERNAME HERE>/<REPOSITORY HERE>.git#v0.1.27

In case access to Github fails, try running the git ls-remote ... command that the npm install will print

Tungstite answered 23/5, 2019 at 12:9 Comment(0)
B
2

Further, in order to make the key's access secure:

  1. Create a .env file at the same directory level where package.json resides.
  2. Put PERSONAL_ACCESS_TOKEN=******************************* into the .env file.
  3. Don't forget to add '.env' to the .gitignore list, which will prevent exposing the key to the outside world when you make a git commit to your repo.
  4. Now you can add your dependency in package.json as below.

Package.json

"dependencies": {
  ...
  "my-private-github-repo": "git+https://${ENV.PERSONAL_ACCESS_TOKEN}@github.com/USER/abcd-repo-3.4.0.git",
  ...
}

There are other ways using the 'DOTENV' npm package, but it could not do much when we are trying to resolve a "Github" package dependency. The above seems to be a straightforward solution.

Botha answered 18/5, 2021 at 16:55 Comment(0)
C
1

There's also SSH Key - Still asking for password and passphrase

Using ssh-add ~/.ssh/id_rsa without a local keychain.

This avoids having to mess with tokens.

Cantus answered 16/1, 2020 at 15:45 Comment(0)
L
1

If you want to add the dependency that is not anchored to master nor to a particular commit, you can do it by using semver. Like that:

"dependencies": {
  "some-package": "github:github_username/some-package#semver:^1.0.0"
}
Lytta answered 5/11, 2021 at 11:36 Comment(0)
A
1

Note that the GitHub repos that you try to add as a dependency to your package.json file need to have their own package.json file defined.

Aromatize answered 2/2, 2022 at 17:13 Comment(0)
G
0

For my private repository reference I didn't want to include a secure token, and none of the other simple approaches (i.e. specifying only in package.json) worked. Here's what did work:

  1. Went to GitHub.com
  2. Navigated to Private Repository
  3. Clicked "Clone or Download" and Copied URL (which didn't match the examples above)
  4. Added #commit-sha
  5. Ran npm install
Goins answered 27/6, 2017 at 23:17 Comment(0)
