Alternatives to Hard-Coded Shrinkwrap URLs for npm Dependencies

Author: JFrog Support. Article number: 000004218. First published: 2018-11-13T23:25:14Z. Last modified: 2018-11-13. Version: 5.

Hard-coding npm dependency URLs is not a best practice, and shrinkwrap URLs are known to have issues when interacting with proxies. Either practice can result in the following errors:

  • npm install -ddd shows resolution ignoring the .npmrc configuration
    • Requests usually go to registry.npmjs.org
  • Resolution results in a 400 error
    • One possible error is "418 I'm a teapot"
  • If registry.npmjs.org is unavailable, the resolution can time out

Although Artifactory does not support shrinkwrapped URLs for npm dependencies and hard-coded URLs are outside of Artifactory’s control, there are several ways to address these issues:

  1. Ignore shrinkwrap, using the argument:
    1. npm install <package-name> --no-shrinkwrap
    2. Note: This introduces a risk that the installed version of a dependency will differ from the one defined in shrinkwrap.
  2. Change dependencies
    1. Change registry.npmjs.org to <artifactory:port>/artifactory/api/npm/npmjs in package.json
    2. Note: This can be a tedious process, especially with a large number of dependencies.
  3. Sideload the artifact
    1. Users resolve to a virtual repository
    2. Periodically copy the contents of the remote cache to the local repository
    3. Note: This approach may delay your getting the latest artifacts.
More information is available HERE.
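
A check to run before choosing one of the options above, as an added example (not JFrog's code): it walks an npm-shrinkwrap.json-style object, lists every "resolved" URL that falls outside the configured Artifactory npm repository, and applies the host substitution described in option 2. The host artifactory.example.com:8081, the function names and the sample shrinkwrap are constructed placeholders.

```javascript
// Constructed placeholder host; the path follows <artifactory:port>/artifactory/api/npm/npmjs.
const ARTIFACTORY = "https://artifactory.example.com:8081/artifactory/api/npm/npmjs/";

// Constructed sample in the npm-shrinkwrap.json layout (nested "dependencies" with "resolved").
const sampleShrinkwrap = {
  lockfileVersion: 1,
  dependencies: {
    "left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
    "internal-lib": {
      version: "2.0.0",
      resolved: ARTIFACTORY + "internal-lib/-/internal-lib-2.0.0.tgz",
      dependencies: {
        "nested-dep": {
          version: "0.1.0",
          resolved: "http://registry.npmjs.org/nested-dep/-/nested-dep-0.1.0.tgz",
        },
      },
    },
    "git-dep": { version: "github:example/git-dep#abc1234" }, // no "resolved": skipped
  },
};

// Walk every nested dependency and report "resolved" URLs that fall outside registryBase.
function findOffRegistry(lock, registryBase, path = []) {
  const base = new URL(registryBase);
  const findings = [];
  for (const [name, dep] of Object.entries(lock.dependencies || {})) {
    const here = [...path, name];
    if (typeof dep.resolved === "string") {
      let url;
      try { url = new URL(dep.resolved); } catch { url = null; } // unparsable counts as off-registry
      const inside = url && url.origin === base.origin && url.pathname.startsWith(base.pathname);
      if (!inside) findings.push({ path: here.join(" > "), resolved: dep.resolved });
    }
    findings.push(...findOffRegistry(dep, registryBase, here));
  }
  return findings;
}

// Map a public-registry tarball URL to the same package path under registryBase.
function rewriteResolved(resolved, registryBase) {
  const url = new URL(resolved);
  if (url.hostname !== "registry.npmjs.org") return resolved; // other hosts need manual review
  return new URL(url.pathname.replace(/^\//, ""), registryBase).toString();
}
```

Any entry reported by findOffRegistry is one that npm will fetch without going through the registry set in .npmrc.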