Host your own private NPM repository with Verdaccio

After reading Dinesh Pandiyan’s story about publishing your own NPM packages, I remembered the week I spent setting up a private NPM registry for my company. Some of the struggle was due to not fully understanding all the moving parts (there’s a Cloudformation template, an Ansible role, and then the registry software itself), but I thought it might be a nice thing to write up here anyway, in case it can help someone else.


The Basics

The frontend development team came to me, saying they wanted a Verdaccio install to house their custom NPM packages. Theoretically, this is fairly straightforward to install. It requires node and npm, can be installed with npm install --global verdaccio, and is started with verdaccio. Simple enough!

Some customization

Since we run everything in AWS, there was some extra work that needed to be done for Verdaccio to be a reliable production piece of software. The developers wanted to ensure the data would never be lost — if the instance was terminated it would come back, since it’s created in a Cloudformation stack, but (by default) the packages would not be recovered. I changed the storage location in the config file to point to an EFS device, so the data would persist. The htpasswd file was also moved to the EFS device, so user logins would not be lost if the instance was terminated (I also renamed it .htpasswd for convention’s sake).

A much larger issue was the fact that the software is run via the verdaccio command, in the foreground, as opposed to having a conventional start/stop/restart. The options were to either use nohup:

nohup verdaccio &>/home/ec2-user/verdaccio/verdaccio.log &

or run it in screen, with pm, or with forever. I looked around and found an init script template instead, and we’ve successfully been using that.

A small problem

One issue I ran into, which I still cannot for the life of me explain, is that attempting to create the Verdaccio files manually before running the program prevents it from working. On its first run, Verdaccio will create the directory and the few config files it needs to get going. Once it has been started and stopped the first time, the files can be edited and moved accordingly. This proved slightly difficult to handle in the Ansible role before I put in the init script. If you plan to install Verdaccio via configuration management, keep this in mind.

But whatever you do

If you set up a Verdaccio registry of your own, make sure you secure it! Right now, our repo is restricted via AWS security groups to just our office IPs, so anyone on those networks who has the link can access and push to it. If your install will be open to the internet, though, make sure you lock it down!
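As an added example (not from this post or from the Verdaccio project), here is a config.yaml that captures the two decisions discussed above: the package storage and the .htpasswd file live on the EFS mount so they survive an instance replacement, and read/publish access is restricted to logged-in users with self-registration switched off. The mount path /mnt/efs/verdaccio and the @mycompany scope are assumptions; the keys themselves (storage, auth.htpasswd, max_users, uplinks, packages) are standard Verdaccio settings.

```yaml
# Assumed EFS mount point; storage and user database persist across instance
# termination because they are not on the instance's root volume.
storage: /mnt/efs/verdaccio/storage

auth:
  htpasswd:
    # Same .htpasswd file the post moves onto EFS so logins are not lost.
    file: /mnt/efs/verdaccio/.htpasswd
    # -1 disables `npm adduser` self-registration; create the team's accounts
    # first (see the note below), then set this so strangers cannot sign up.
    max_users: -1

uplinks:
  npmjs:
    url: https://registry.npmjs.org/

packages:
  # Assumed internal scope: only authenticated users may read or publish, and
  # requests for these names are never proxied to the public registry, which
  # also prevents a public package with the same name from being pulled in.
  '@mycompany/*':
    access: $authenticated
    publish: $authenticated

  # Everything else is proxied from npmjs, but still only for logged-in users,
  # and publishing arbitrary unscoped names is restricted as well.
  '**':
    access: $authenticated
    publish: $authenticated
    proxy: npmjs
```

To seed accounts before switching max_users to -1, start Verdaccio once with max_users left at a small positive number, run npm adduser --registry http://your-registry:4873 for each developer, then change the value and restart. The packages rules work on top of the security-group restriction the post describes, so an office IP alone is no longer enough to push to the registry.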

Our Verdaccio instance has been up since November, with no problems to date. If you or your team is developing NPM packages and you don’t (or can’t!) put them in a public registry, maybe give Verdaccio a try. If you prefer to use Docker, they’ve got a pre-built image for that, too.
