Downloading packages to CI or deployment servers

In our last tutorial, we introduced private packages, what they are and who can have a private package.

This tutorial covers downloading packages to CI/deployment servers.

Downloading packages to CI/deployment servers

Whenever you are using deployment servers or testing with Continuous Integration servers, you will have to download your private packages to those servers. The steps to follow are outlined below:

  • You will have to create a new auth token
  • You should set up a .npmrc file that is specific to the project
  • You should configure the CI/deployment server to provide the auth token

Creating a new authentication token

A lot has changed in npm; one change is that npm now requires you to use auth tokens to authenticate in the CLI. Whenever you need to generate an auth token, use `npm token create`.

token d97a6e1f-cb87-0000-94e0-e06fe03c8a5c
readonly false
created 2019-11-21T16:57:25.427Z


There are lots of things that you can do with the new token. Check our tutorial on working with tokens for more details.

Setting up a project-specific .npmrc file

To set up a project-specific .npmrc file, create a custom .npmrc file in your project folder. You should use this to authenticate the deployment or CI server with npm.

Setting up environment variables

If you want to make this more secure when pushing it up to the server, this token can be set as an environment variable on the server.

You will also have to add this to your environment variables on your development machine. In Linux or OSX, you would have to add this line to your ~/.profile:

export NPM_TOKEN="00000000-0000-0000-0000-000000000000"

Then you will have to refresh your environment variables:

source ~/.profile

Checking in your .npmrc

Once you have set up your environment variables, you can check in the .npmrc, replacing your token with the environment variable.
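
The steps above put together, as an added example that is not part of the original tutorial: it writes a project .npmrc that refers to the token only as `${NPM_TOKEN}`, and adds a check that stops a CI job when the file carries a literal token or the server has not provided the variable. The function names are hypothetical and the registry host (the public npm registry) is an assumption.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the registry host is an
# assumption (the public npm registry).
REGISTRY_HOST="registry.npmjs.org"

# Write <dir>/.npmrc with the token as an environment-variable reference.
# The single-quoted format keeps ${NPM_TOKEN} literal in the file; npm
# substitutes the value from the environment when it reads the file.
write_project_npmrc() {
    printf '//%s/:_authToken=${NPM_TOKEN}\n' "$REGISTRY_HOST" > "$1/.npmrc"
}

# Return 0 if any _authToken line holds a literal value instead of a
# ${VAR} reference. Such a file must not be checked in.
npmrc_has_literal_token() {
    grep -E '_authToken=' "$1" 2>/dev/null |
        grep -Evq '_authToken=\$\{[A-Za-z_][A-Za-z0-9_]*\}[[:space:]]*$'
}

# CI preflight: 1 = literal token in .npmrc, 2 = NPM_TOKEN not provided
# by the server, 0 = ready for npm install.
ci_preflight() {
    if npmrc_has_literal_token "$1/.npmrc"; then
        echo "refusing: literal token in $1/.npmrc" >&2
        return 1
    fi
    if [ -z "${NPM_TOKEN:-}" ]; then
        echo "refusing: NPM_TOKEN is not set" >&2
        return 2
    fi
    return 0
}

# Demo on a throwaway directory (constructed input).
demo_dir=$(mktemp -d)
write_project_npmrc "$demo_dir"
cat "$demo_dir/.npmrc"
rm -rf "$demo_dir"
```

Running `ci_preflight` on the project directory before `npm install` makes a missing or hard-coded token fail the job early instead of surfacing as an authentication error from the registry.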


How to Invalidate a Token

Although npm does not derive the token from your password, the token will become invalid when you change your password. A token can also be invalidated when you log out from a machine that is logged in with that particular token.

`npm token revoke` will be a better choice (see our tutorial on working with tokens for more information on this).


In this tutorial, you have learnt:

  • the steps required to download packages to a CI/deployment server
  • how to create a new authentication token
  • how to set up a project-specific .npmrc file
  • how to set environment variables
  • how to check in your .npmrc
  • how to invalidate a token
