Git repository upstreams

Connecting private and public Git repositories to Bytesafe

Bytesafe supports the use of Git repositories as upstreams, allowing you to install modules without the need to publish them first. Both public and private Git repositories can be connected to your Bytesafe registries, and you can have multiple npm modules in the same Git repository. All the Bytesafe plugins and policies are applied to modules from a Git repository, just as from any other upstream.

You can add a Git repository either by using the GitHub integration or directly as an External URL in the upstream settings for a registry.

Multiple modules in a Git repository

Bytesafe finds all modules within a Git repo and makes them available for install (this is very useful for monorepos). Currently only modules from the default branch (.i.e “master” or “main) are found.

Package versions

Bytesafe creates syntetic SemVer versions to represent Git commits, branches and tags. The versions have the format 0.0.0-git.{timestamp}.{commit hash}.



The timestamp is used to order the versions by time (i.e a later commit have a higher semver version)


All Git branches in a repo is returned as a dist-tag. To install a package version from with a branch, simply use the branch name as a tag.

npm install module@new-feature-branch

An additional latest tag is added pointing to the HEAD of the default Git branch (i.e “master” or “main”). To install the latest version in the master or main branch, use the latest tag (or omit tag or version all together).

npm install module@latest
npm install module


All versions pointed to be a dist-tag is returned, i.e. if latest tag points to version 0.0.0-git.20200502231826.db1442a0556c2b133627ffebf476a78a1ced64b9, then that version will be available and is callable from the package manager.

Additionally, Git branches and tags, that have a name that looks like a SemVer, are returned as a version (i.e. v1.0.0, 1.0.0, etc.).

npm install module@1.0.0
npm install

Finally, package versions from package.json in select Git branches are returned (currently “master”, “main” and “latest”)

GitHub Integration

The GitHub integration allows easy access to private and public Git reposistories as upstream, where authentication is handled automatically (i.e. no need to manually administer access tokens etc).

To add GitHub repositories as upstreams, select GitHub repository in the drop-down list and add it as an upstream to the registry (no additional fields are required).

For additional details, installation and configuration of the integration, see GitHub integration documentation.

Coming soon: Dependency analysis of GitHub repositories

External URL upstreams

Any Git repository accessable via HTTP can be added as an upstream to a Bytesafe registry using an URL (must end in .git).

Adding Git repositories as an external URL is the option when:

  • Adding a public Git repository
  • Adding a private Git repository (using a username + password)

To add a Git repository as an upstream, select External URL in the drop-down list when adding upstreams and enter the URL to repository (must end in .git).

Private Git repositories

Accessing private Git repositories require both a username and a password. If only have an access token for your Git repository, you can usually use that token as the password, leaving the username empty.