
Use auth token to query a private NPM registry for a given package version, but without filesystem access?


The purpose of this effort is to be able to test whether a package version exists in a private registry, without having to touch the filesystem / config files. For packages in public registries this is perfectly straightforward: npm view lpad@2.0.1 produces some information about that published version, but (as of this writing) npm view lpad@201.0.0 does not have any information or output. I'm using this to infer the existence of packages.

I can also pass a private registry URL to npm view <packagename>, as in npm view <packagename> --registry https://private.registry/path/. This seems to hit the private registry even though it isn't explicitly mentioned in the npm-view documentation (but it's described in the npm-search documentation, so I take this to mean it's a documented API feature).

To be able to talk to private registries at all, I can use an authentication token in the query according to these npm instructions for doing it in a CI/CD workflow: put it into the .npmrc file like this:

    //your_registry/:_authToken=12345

Or more securely, //your_registry/:_authToken=${TOKEN} and set the TOKEN environment variable to 12345 elsewhere.

What I can't figure out how to do is use npm view against a private npm registry, without writing to the .npmrc file.

I plan to be running several queries in parallel from the same machine, so to avoid race conditions in the .npmrc file, I'd rather pass the authentication directly in each command. I assume that with an auth token, this is just a simple curl command but I haven't had much luck finding information on how the NPM API works. (The npm-registry-client doesn't appear to do anything related to view/find; it has access which sets an access level).

Am I missing something blindingly obvious? Where can I find a guide on the request format for view and/or search functions of an NPM registry? What is the curl command that includes sending the auth token, package name, and version and receives some indication of whether it exists?


Solution

  • Found the answer here: https://github.com/npm/registry/blob/master/docs/user/authentication.md

    #!/bin/sh
    # Double quotes let the shell expand $TOKEN; single quotes would send the literal text "$TOKEN".
    curl -H "Authorization: Bearer $TOKEN" "https://your_registry/$PACKAGE/$VERSION"
    

    If the package does not exist, it will return {}. If it does, you'll get the package information.
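The check described in the answer, written as an added example (not code from the original post) that keeps the token out of both `.npmrc` and the process list. `REGISTRY_URL`, the function names, and treating a 404 as "missing" are assumptions; the `{}` case follows the answer above.

```sh
#!/bin/sh
# Added example. Assumes TOKEN and REGISTRY_URL are set in the environment
# and that TOKEN contains no double quotes or backslashes.

# Build the URL path. Scoped names (@scope/name) carry a slash that must be
# percent-encoded so the registry does not read it as a path separator.
registry_path() {
    rp_pkg=$(printf '%s' "$1" | sed 's|/|%2F|g')
    printf '%s/%s\n' "$rp_pkg" "$2"
}

# Classify a reply. Args: HTTP status, body.
# Prints: exists | missing | unauthorized | error
classify_reply() {
    cr_body=$(printf '%s' "$2" | tr -d ' \t\r\n')
    case "$1" in
        200)
            # The answer reports "{}" for a version that does not exist.
            if [ -z "$cr_body" ] || [ "$cr_body" = "{}" ]; then
                echo missing
            else
                echo exists
            fi ;;
        404) echo missing ;;            # assumption: some registries answer 404 instead
        401|403) echo unauthorized ;;   # bad or under-privileged token, not "missing"
        *) echo error ;;
    esac
}

# Query the registry. Args: package, version.
check_version() {
    cv_nl='
'
    cv_url="${REGISTRY_URL%/}/$(registry_path "$1" "$2")"
    # The header goes to curl as a config file on stdin (-K -). printf is a
    # shell builtin, so the token never shows up in any process's argv.
    cv_reply=$(printf 'header = "Authorization: Bearer %s"\n' "$TOKEN" |
        curl -sS -K - -w '\n%{http_code}' "$cv_url") || { echo error; return 2; }
    cv_status=${cv_reply##*"$cv_nl"}   # last line: status code
    cv_body=${cv_reply%"$cv_nl"*}      # everything before it: body
    classify_reply "$cv_status" "$cv_body"
}
```

Each call reads only its own environment, so parallel queries do not contend for a shared config file.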