NPM in a corporate world

Spoilers: this article builds an incredibly basic clone of an NPM repo, containing only the package versions the project actually needs, then makes it available for developers to run an npm install against.

The Problem

It seems like every modern front-end framework is wrapped tightly around NPM. In a way it makes sense: manually updating dependencies, and dependencies of dependencies, is a pain. Having something automagically connect to the interwebz and suck down the latest and greatest is far more convenient.

Unfortunately, that’s also the sort of thing that makes corporates panic and spill awful machine-generated coffee. The idea of new, potentially untested code being quietly pulled into the system, as a result of a new dependency, an updated dependency, or a new dependency of a dependency of left-pad, can bring a slightly harder frown to even the most seasoned project manager.

There are options to host a private NPM repository; Nexus even supports it out-of-the-box. There are a couple of problems though: a proxy repository simply caches whatever the client asks for, so it does nothing to prevent extra or updated dependencies from being pulled in, and a hosted repository requires that we re-publish all of the packages (and is more setup). What if all we want is a really basic repo that has exactly the versions of the packages we want, and nothing else?

Baking an NPM shrinkwrap

Well, shrinkwrap kinda does that. It produces a complete list of all dependencies and their exact versions, plus where each tarball was downloaded from (the resolved URL of every entry). They’re still downloaded from remote servers on every install, but it’s almost exactly what we need.

The produced JSON file is fairly easy to understand. What we need to do is pull these packages down locally and push them somewhere we can point our local NPM installs at.

So, let’s do that. There’s a complete code listing at the end of the article, but it’s fairly easy. We’re going to need somewhere to host these files. I ended up putting them on a Nexus repository (a standard raw-file repository, not an NPM-format one), but theoretically you could host them anywhere that serves files over HTTP(S).

To start, we need to define a couple of locations: the path to the generated npm-shrinkwrap.json file, a temporary directory that we’ll produce the repo in, the existing repo that we’re replacing (we probably don’t technically need this, since it could be deduced from the resolved URLs, but it’s easier to just define it), and finally the repo where the files will be found. A regex to pick up the lines we’re interested in (the ones carrying a resolved tarball URL) is also handy.

One of the other fun challenges with corporates is a tendency to MitM SSL connections, which can make getting https working in quick programs like this a challenge. Obviously, to ensure that you’re downloading the dependencies that you intend to and not some compromised version, you should set it up properly: trust the corporate interception CA in whatever runtime does the downloading. Otherwise, you could just hack around the problem by forcing everything over plain http, but then nothing checks what you receive on the wire, so at the very least compare each tarball against the hash the registry publishes for it before uploading it to your repo.

That’s the setup done – let’s start on the file.

We need to read in all of the lines, process them one by one while building up a new JSON, then write that out somewhere.

Next up, we’ll parse each line of the JSON file and see if it has a URL we’re interested in. If not, we just add it to our new JSON file unchanged. If it does, we’ll download the file and rewrite that line of the JSON to point to our new repo.

Rebuilding the JSON is pretty easy – we reassemble the line, swapping out the middle captured group for the new URL that points to our new repo.

Downloading the file is even easier – we have our to and from paths, and we can grab some code to do it from StackOverflow 😉 It might not be the fastest, but it’s fast enough.

That’s it. After running the program, you’ll find a tree of directories in your temp folder. Upload that to your repo (whatever it is), then replace your existing shrinkwrap JSON file with the generated one (also in the temp folder); since every resolved URL now points at your repo, npm install fetches from there instead of the public registry.

I acknowledge that an actual repository is probably better, but it’s best to take nice, safe, baby steps with corporates as you lead them slowly into the bright new world.

Feel free to comment if this helped you in any way, or if I’ve offended a deep sense of what is right in the world with my abomination of a package manager repo!

Posted in Front-end, Javascript, Technology
