I have a project where we use font awesome 5 library. I followed the instructions that are written here and added an <code>.npmrc</code> file with my auth token. Is this a safe behaviour to put this in a repo? I want the devs to have access to it, but if the repo goes public we might be exposing the token. What is the best practice in situation like this?

UPDATE 2021-05-02 This answer remains questionable - see the comments below. I no longer have access to a private ($paid) npm account anymore, so I can no longer test to answer questions. Perhaps try @konyak's answer. <hr> It is definitely NOT a safe behavior to put the token in any git checked file, including .npmrc. Below are the steps your team can take to safely leverage your npm token. There are two different environments to consider: <ol> <li>each developer's local dev machine</li> <li>the app's deployment platform</li> </ol> <h3>local dev</h3> Following the Global Set Up instructions you linked to in your question, is not the solution. Create the .npmrc file similar to the "Per project" instructions, but substitute your real token with a variable name, prefixed by <code>$</code>. ie: <pre class="prettyprint"><code>@fontawesome:registry=https://npm.fontawesome.com/ //npm.fontawesome.com/:_authToken=$TOKEN </code></pre> npm will detect an environment variables file named <code>.env</code>. So, in a <code>.gitignore</code>d .env file, add your secret key value pair, ie: <pre class="prettyprint"><code>TOKEN=ABC123 </code></pre> You can also prefix the variable name with "NPM_CONFIG_", according to the <code>npm-config</code> docs, ie: <pre class="prettyprint"><code>NPM_CONFIG_TOKEN=ABC123 </code></pre> Now, when the dev runs <code>npm i</code>, font-awesome dependencies will load from the private repo. NOTE: Don't follow the current npm-config docs about the environment variables syntax! See this stack overflow answer, ie: <pre class="prettyprint"><code>👎 BAD npm-config ENVIRONMENT VAR SYNTAX 👎 ${TOKEN} </code></pre> <pre class="prettyprint"><code>👍 GOOD npm-config ENVIRONMENT VAR SYNTAX 👍 $TOKEN </code></pre> <h3>app deployment platform</h3> Do all the steps from the local dev section above, PLUS: <ul> <li>create an environment variable on the platform with the same name as in the .npmrc file.</li> </ul> If your app host is Netlify, see their Build Environment Variables docs.

https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow Export your secret token into your session, e.g., <code>export NPM_TOKEN="00000000-0000-0000-0000-000000000000"</code> Inside your <code>~/.npmrc</code>, add <code>//registry.npmjs.org/:_authToken=${NPM_TOKEN}</code>

Using auth tokens in .npmrc

I have a project where we use font awesome 5 library. I followed the instructions that are written here and added an .npmrc file with my auth token.

Is this a safe behaviour to put this in a repo? I want the devs to have access to it, but if the repo goes public we might be exposing the token.

What is the best practice in situation like this?

Why do I need npm token?

An access token is an alternative to using your username and password for authenticating to npm when using the API or the npm command-line interface (CLI). An access token is a hexadecimal string that you can use to authenticate, and which gives you the right to install and/or publish your modules.

Where can I get npm token?

If you would like to know where to buy BackPacker Coin at the current rate, the top cryptocurrency exchange for trading in BackPacker Coin stock is currently VinDAX. You can find others listed on our crypto exchanges page.

UPDATE 2021-05-02

This answer remains questionable - see the comments below. I no longer have access to a private ($paid) npm account anymore, so I can no longer test to answer questions.

Perhaps try @konyak's answer.

It is definitely NOT a safe behavior to put the token in any git checked file, including .npmrc.

Below are the steps your team can take to safely leverage your npm token.

There are two different environments to consider:

each developer's local dev machine
the app's deployment platform

local dev

Following the Global Set Up instructions you linked to in your question, is not the solution.

Create the .npmrc file similar to the "Per project" instructions, but substitute your real token with a variable name, prefixed by $. ie:

@fontawesome:registry=https://npm.fontawesome.com/
//npm.fontawesome.com/:_authToken=$TOKEN

npm will detect an environment variables file named .env. So, in a .gitignored .env file, add your secret key value pair, ie:

TOKEN=ABC123

You can also prefix the variable name with "NPM_CONFIG_", according to the npm-config docs, ie:

NPM_CONFIG_TOKEN=ABC123

Now, when the dev runs npm i, font-awesome dependencies will load from the private repo.

NOTE: Don't follow the current npm-config docs about the environment variables syntax! See this stack overflow answer, ie:

👎 BAD npm-config ENVIRONMENT VAR SYNTAX 👎

${TOKEN}

👍 GOOD npm-config ENVIRONMENT VAR SYNTAX 👍

$TOKEN

app deployment platform

Do all the steps from the local dev section above, PLUS:

create an environment variable on the platform with the same name as in the .npmrc file.

If your app host is Netlify, see their Build Environment Variables docs.

https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow

Export your secret token into your session, e.g., export NPM_TOKEN="00000000-0000-0000-0000-000000000000"

Inside your ~/.npmrc, add //registry.npmjs.org/:_authToken=${NPM_TOKEN}

Using auth tokens in .npmrc

Tags:

npm

environment-variables

font-awesome

mdmb

People also ask

2 Answers

local dev

app deployment platform

Brian Zelip

konyak

Recent Activity

Donate For Us

Using auth tokens in .npmrc

Tags:

npm

environment-variables

font-awesome

mdmb

People also ask

2 Answers

local dev

app deployment platform

Brian Zelip

konyak

Related questions

Recent Activity

Donate For Us