npm install of private package fails when package has public dependencies


Lets say I have a private npm repository, hosted within JFrog artifactory:
In this repository I published one npm package: my-package, which builds fine. my-package has a dependency (or more) to public npm packages e.g. lodash.

However, when I create a new project and attempt to install my-package I get the following error:

$ npm install my-package --registry
npm ERR! code E404
npm ERR! 404 Not Found - GET - not_found
npm ERR! 404
npm ERR! 404  'lodash^4.17.11' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 It was specified as a dependency of 'my-package'
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm ERR! A complete log of this run can be found in:
npm ERR!     C:\Users\<username>\AppData\Roaming\npm-cache\_logs\2019-04-29T12_47_51_647Z-debug.log

It appears as though npm is searching within my private repository for all the dependencies my-package requires when I specify the --registry option when running an npm install. However, my-package is dependent upon public dependencies, which are not in my private registry.

My Question

How to install an npm package from a private registry that has public dependencies? Perhaps this is also just a JFrog issue?

Any help would be greatly appreciated!


By specifying a registry with: --registry npm is attempting to resolve all necessary packages, by name and version, from your private repository location:

To resolve these public dependencies which your private library depends upon you have two options:

  1. Set up a Virtual Npm Registry. (Recommend this approach)
  2. Package all necessary dependencies within your private repository.

A Virtual Repository defined in Artifactory aggregates packages from both local and remote repositories. This allows you to access both locally hosted npm packages and remote proxied npm registries from a single URL defined for the virtual repository.

By setting up a virtual repository which references both your private repository location and the default public npmjs location you will be able to download your private libraries as well as any public npm package by specifying your above mentioned registry.

Since you mentioned JFrog take a look at their confluence page which walks you through the process of creating a virtual repository.

However, if you decide to use option 2 you will have to package all the necessary dependencies within your private repository. Then your private library will be able to properly pull the dependencies it’s dependent upon. I would advise against this approach since you will be duplicating work already provided by npmjs and you will additionally have to keep updating your private repository to include new libraries or newer versions of existing libraries.

Hopefully that helps!

Answered By – Nathan

Answer Checked By – Robin (AngularFixing Admin)

Leave a Reply

Your email address will not be published.