Using per project registries
Bytesafe supports using unique registries for each project. By setting up a registry and promoting a consistent workflow, users can enable reproducible package installs and builds.
For each project there are users who are responsible for managing the set of dependencies and who intentionally modify the contents of a registry.
Actions associated with managing / modifying packages and registry content:
- Creating / cloning registries and initial
- Adding all package versions to the registry
- Adding new packages and updating versions when required
- Adding project level .npmrc files
package-lock.json modifications to repository
Likewise, projects have users, testers and build processes that mainly want to consume the contents of a registry without making any modifications.
Actions for consuming registry contents WITHOUT modifying:
- Complete install of dependencies using
Leverage a per project registry to control the available package versions for a project. Together with intentional interactions with a registry, users can make sure all team members and build chains get and use the same intended package versions.
Creating and managing a project registry
After a registry has been set up, it is important that all team members and build tools use commands and workflows that suit their needs.
The npm client offers two different commands for installing all package dependencies, npm install and
Adding and modifying registry contents with npm install
npm install is the preferred option when adding new dependencies to a project, while allowing updates of the dependencies or any lockfiles.
It can be used either to install a single package version or for complete installs.
- Installs dependencies defined in
- If a lockfile is available, it will be used as the source to resolve the dependencies.
- If no lockfile is available, npm install will create a new
- If a dependency is missing or is updated as part of the install, both package.json and lockfiles will be updated as well.
Because npm install can update package versions and alter lockfiles, it should not be used if the intention is to recreate an exact state and set of dependencies defined by other members of the team.
Users should prefer npm ci for such scenarios.
Adding project dependencies to a registry
Packages can be added to the registry using either an npm client (npm install) or the Bytesafe CLI.
Using an existing package.json file, all dependencies can be installed and added using npm install together with
If the project has an existing package-lock.json file or any other lockfile, users should delete the lockfile before running
This prevents the lockfile from resolving dependencies using a package source other than the intended registry.
# Install all dependencies for a project
$ npm --registry 'https://workspace.bytesafe.dev/r/example-registry/' install
To add new project dependencies, both to the project and to the registry, use
npm install together with requested package version.
# Install and add a single dependency to a project
$ npm --registry 'https://workspace.bytesafe.dev/r/example-registry/' install 'package@version'
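A check for the situation described above, where a lockfile resolves dependencies from a package source other than the intended registry. This is an added example, not Bytesafe's own code: the function name findForeignSources and the sample lockfile are hypothetical, and it assumes the registry serves tarballs under its own URL so that every `resolved` entry starts with it.

```javascript
// Added example: audit a parsed package-lock.json for entries resolved
// from somewhere other than the intended project registry.
// REGISTRY is the example registry URL used on this page.
const REGISTRY = 'https://workspace.bytesafe.dev/r/example-registry/';

// Returns [{ name, resolved }] for every locked entry outside `registry`.
function findForeignSources(lock, registry = REGISTRY) {
  // A trailing slash stops "example-registry-other" matching as a prefix.
  const prefix = registry.endsWith('/') ? registry : registry + '/';
  const foreign = [];
  const check = (name, entry) => {
    // Root project, links and bundled deps carry no "resolved" URL.
    if (typeof entry.resolved !== 'string') return;
    if (!entry.resolved.startsWith(prefix)) {
      foreign.push({ name, resolved: entry.resolved });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, entry] of Object.entries(lock.packages)) check(path, entry);
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const id = trail ? `${trail} > ${name}` : name;
        check(id, entry);
        walk(entry.dependencies, id);
      }
    };
    walk(lock.dependencies, '');
  }
  return foreign;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0', resolved: REGISTRY + 'left-pad/-/left-pad-1.3.0.tgz' },
    'node_modules/debug': { version: '4.3.4', resolved: 'https://registry.npmjs.org/debug/-/debug-4.3.4.tgz' },
  },
};

console.log(findForeignSources(sampleLock));
```

In a build, pass it the result of `JSON.parse` on the committed package-lock.json and fail the job when the returned list is not empty.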
Commit lockfiles and project level .npmrc files
Make sure other team members use the same dependencies by committing any new lockfiles or changes to your repository.
For an extra level of control, teams should add a project level .npmrc file directing package requests to a specific registry.
# default registry to be used by npm clients
# always-auth true forces clients to send credentials to Bytesafe servers
Missing packages in your registry after running npm install? See our troubleshooting page on how to resolve missing packages.
Installing project dependencies without modifying them
The command npm ci (clean install) is intended to be used to get a reproducible state of dependencies (node_modules) after the install.
This is preferred for build environments (CI/CD) or any scenario where a user wants to install a set of dependencies as defined by another team member (testing or contributing to another member's project).
- Can only be used for complete installs
- Requires existing lockfile
- Does not alter the state of either the package-lock.json files (unlike npm install)
- Compares dependencies between package-lock.json; if any discrepancies are found, it exits with an error.
node_modules exists, it will delete this folder and contents
npm ci is the preferred option when installing and adding packages WITHOUT any intention of modifying or altering the set of dependencies used.
# Clean install all project dependencies without modifying them
$ npm --registry 'https://workspace.bytesafe.dev/r/example-registry/' ci