We have a frontend JS project that uses multiple public and private packages, all pointed at NPM's repositories. Our current build pipelines are AWS-based, and to acquire the private packages we just add an .npmrc file with the appropriate token at build time, then npm install (or actually yarn install) like normal. This works great, as local devs continue to point to NPM like a stock setup, and private access keys are managed either on a per-developer level or at the build level, with varying permissions.
In evaluating Azure DevOps Pipelines we want to do the same, but all the recent instructions seem to require creating an Azure Artifacts fronting for NPM, and additionally using this mirror locally for development as well. That seems like overkill for something that already has an established pattern. Is following this path, running vsts-npm-auth, etc., all required for downloading the required dependencies, or can we just stick with a setup similar to what we have, inject the .npmrc file at build time, and install anyway?
Do I have to use Azure Artifacts to access private NPM packages?
We don't have to use Azure Artifacts to hold private packages, but it's a recommended way.
We can use Azure Artifacts feed to hold private packages and consume those packages in build pipeline using npm task. And if we set up the npmjs.org as public upstream source, we can use both private and public packages easily.
But if you use third-party packages repos instead of Azure Artifacts to hold private packages, Npm/Npm authenticate task enables us to use packages from them. See this:
If your .npmrc contains Azure Artifacts registries from a different organization or use a third-party authenticated package repository, you'll need to set up npm service connections and specify them in the customEndpoint input.