
When running yarn, yarn.lock file is generated with private token from bash


I'm using Gem Fury for some of our private packages. I set the yarn registry to use their proxy for public and our private node modules:

yarn config set registry "https://npm-proxy.fury.io/$GEMFURY_TOKEN/username"

GEMFURY_TOKEN is set in .bash. yarn config get registry produces:

https://npm-proxy.fury.io/$(GEMFURY_TOKEN)/username

When we run yarn, the yarn.lock file will generate this:

[email protected]:
  version "0.1.0"
  resolved "https://npm.fury.io/username/private-module/-/0.1.0.tgz?auth=<GEMFURY TOKEN>"
  dependencies:
    ember-cli-babel "^5.1.6"

[email protected]:
  version "0.1.4"
  resolved "https://npm.fury.io/username/private-module-2/-/0.1.4.tgz?auth=<GEMFURY TOKEN>"
  dependencies:
    ember-cli-babel "^5.1.6"
    ember-inflector "^1.9.6"

I don't want private tokens in the git repository. Is there a way I can exclude the token from being added to the yarn.lock file on generation?


Solution

  • Try to set up npm as described in the Gem Fury documentation. The crucial parts are setting always-auth to true and using npm login.

    If this doesn't help, then you can use Git pre-commit hooks that will remove credentials from yarn.lock when changes are committed to the Git repository.
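
The pre-commit approach from the answer, written out as an added example that is not part of the original post. It assumes the token appears only as an `auth` query parameter on `resolved` lines, as in the question's lockfile excerpt; the function names are hypothetical.

```shell
#!/bin/sh
# .git/hooks/pre-commit (added example): keep registry tokens out of yarn.lock.
# Assumption: the token only appears as an "auth" query parameter on
# "resolved" lines, as in the lockfile excerpt in the question.

# Rewrite the lockfile at $1 with every auth=<value> parameter removed.
strip_lock_tokens() {
  lock=$1
  tmp="$lock.tmp.$$"
  # 1st expression drops auth=<value>; 2nd removes a dangling ? or &.
  sed -e '/^ *resolved /s/\([?&]\)auth=[^"&#]*&\{0,1\}/\1/' \
      -e '/^ *resolved /s/[?&]\(["#]\)/\1/' \
      "$lock" > "$tmp" && mv "$tmp" "$lock"
}

# Succeed (exit 0) if the file at $1 still carries an auth= parameter.
has_lock_tokens() {
  grep -Eq '[?&]auth=' "$1"
}

run_hook() {
  # Only act when yarn.lock is part of this commit.
  git diff --cached --name-only | grep -qx 'yarn.lock' || return 0
  strip_lock_tokens yarn.lock || return 1
  # Fail closed: block the commit if a token survived the rewrite.
  if has_lock_tokens yarn.lock; then
    echo "pre-commit: yarn.lock still contains an auth token" >&2
    return 1
  fi
  # Re-stage the cleaned file; note this stages the whole file.
  git add yarn.lock
}

# Run only when installed as the hook, so the functions can be sourced.
case "$0" in
  *pre-commit) run_hook ;;
esac
```

A token that already reached an earlier commit stays in the repository history, so it should be revoked and reissued rather than only stripped going forward.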