
Force YARN and NPM to only pull packages from private repository


We have set up our NPM config file (.npmrc) with a private registry.

registry=https://artifactory.someHost.com/npm/libs

When we run NPM or YARN our 1st level dependencies are pulled from this registry successfully.

However, if the 1st level dependencies depend on a 2nd level dependency, then the 2nd level dependency will be pulled via GitHub or whatever repository is defined in the 1st level dependency.

We would like to force all dependencies to be pulled through our private repository and only our private repository.

How can we configure this?


Solution

  • Did you do the steps described in https://www.jfrog.com/confluence/display/RTF/Npm+Registry#NpmRegistry-AutomaticallyRewritingExternalDependencies ?

    Artifactory seems to support this by rewriting dependencies to keep your dependency tree limited to your Artifactory server.

    Quoting it,

    Packages requested by the Npm client frequently use external dependencies as defined in the packages' package.json file. These dependencies may, in turn, need additional dependencies. Therefore, when downloading an npm package, you may not have full visibility into the full set of dependencies that your original package needs (whether directly or transitively). As a result, you are at risk of downloading malicious dependencies from unknown external resources.

    To manage this risk, and maintain the best practice of consuming external packages through Artifactory, you may specify a "safe" whitelist from which dependencies may be downloaded, cached in Artifactory and configure to rewrite the dependencies so that the Npm client accesses dependencies through a virtual repository as follows:

    1. Select the Enable Dependency Rewrite checkbox in the npm virtual repository advanced configuration.
    2. Specify a whitelist pattern of external resources from which dependencies may be downloaded.
    3. Specify the remote repository in which those dependencies should be cached. It is preferable to configure a dedicated remote repository for that purpose so it is easier to maintain.
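Once dependency rewriting is enabled, the lockfile is where you verify it actually worked: every `resolved` URL, transitive ones included, should point at the Artifactory host. The following Node script is an added example (not from the question, the answer or JFrog) that audits a yarn.lock v1 or package-lock.json for resolutions outside the private registry; the hostname is taken from the registry URL in the question and the sample lockfile is constructed.

```javascript
// Added example: report lockfile entries that resolve outside the private registry.
// Assumption: the host below is your Artifactory server (from the question's .npmrc).
const ALLOWED_HOST = 'artifactory.somehost.com';

// Collect every `resolved "..."` URL from a yarn.lock (v1) body, dropping the "#sha1" suffix.
function resolvedFromYarnLock(text) {
  const urls = [];
  for (const line of text.split('\n')) {
    const m = line.match(/^\s+resolved "([^"#]+)/);
    if (m) urls.push(m[1]);
  }
  return urls;
}

// Collect every "resolved" field from package-lock.json (v1 "dependencies", v2/v3 "packages").
function resolvedFromPackageLock(json) {
  const lock = JSON.parse(json);
  const urls = [];
  const walk = (deps) => {
    for (const entry of Object.values(deps || {})) {
      if (entry.resolved) urls.push(entry.resolved);
      if (entry.dependencies) walk(entry.dependencies); // nested v1 tree
    }
  };
  walk(lock.packages);
  walk(lock.dependencies);
  return urls;
}

// Keep only URLs whose host is not the private registry; unparsable values count as external.
function externalResolutions(urls, allowedHost = ALLOWED_HOST) {
  return urls.filter((u) => {
    try { return new URL(u).hostname.toLowerCase() !== allowedHost; }
    catch { return true; }
  });
}

// Constructed sample yarn.lock: a 1st level dependency served by Artifactory and a
// 2nd level dependency that still resolves straight to GitHub (the problem in the question).
const SAMPLE_YARN_LOCK = `
left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://artifactory.someHost.com/npm/libs/left-pad/-/left-pad-1.3.0.tgz#deadbeef"

some-transitive-dep@github:example/some-transitive-dep#abc123:
  version "0.1.0"
  resolved "https://codeload.github.com/example/some-transitive-dep/tar.gz/abc123"
`;

const offenders = externalResolutions(resolvedFromYarnLock(SAMPLE_YARN_LOCK));
for (const u of offenders) console.log('resolved outside private registry:', u);
console.log(`${offenders.length} external resolution(s) found`);
```

Run it against a real lockfile by replacing `SAMPLE_YARN_LOCK` with `fs.readFileSync('yarn.lock', 'utf8')`, or feed `package-lock.json` to `resolvedFromPackageLock`; a non-empty result means the whitelist or rewrite configuration is not covering that dependency yet.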