DEV Community

loading...
Cover image for Why you should host public npm packages in a private registry

Why you should host public npm packages in a private registry

sumstrm profile image Andreas Sommarström Originally published at bytesafe.dev Updated on ・3 min read

This post talks about how using a private npm registry to proxy the public npm registry helps to identify and control the packages you use. And increase the security of your code supply chain.

Want to manage the package dependencies you use for your projects? Reduce your dependency on the public npm registry? Or perhaps enforce security policies? Then read on.

Its a good idea to know of and manage the package you use

Millions of developers use the public npm registry every day and with over 1.5 million packages it is a critical source for open source packages.

But the convenience of packages from the public registry and the development speed all those available open source packages entail, comes with downsides. It gets increasingly hard to keep track of and manage all those dependencies.

To avoid blindly trusting code from external sources, users should take steps to improve the control over dependencies and overall security when using npm. It is a necessity for any organization that wants to manage their code supply chain.

And one of the first things that is usually mentioned for improved npm security is the use of a private npm registry to host your packages.


Fully managed private npm registries with Bytesafe

Control over dependencies — How?

There are multiple ways a private registry enables better dependency management:

  • Central hub for all your required package versions: Private and public together, possibly from multiple upstream sources.
  • Identification and visualization of dependencies: With all required packages in one place it enables identification of potential issues. Additionally the proxy caches your packages, removing the worry that an essential package version will be unpublished in the future.
  • Single package source: With all developers using the same registry that contains the same versions, you can ensure all users build and test consistently. Removing the potential issue of unknowingly using different versions of a dependency.

Improved security — How?

Using a private registry as a proxy enables a layer of separation between your organization and the outside world.

Interested in npm package security? Read my related post on avoiding dependency confusion.

Setting up and using a private registry is easy

Bytesafe offers hosted private npm registries that by default can be used to proxy the public npm registry.

Allowing for access to public npm packages as well as all the additional benefits that Bytesafe offers to your workflow.

Alt Text

When using Bytesafe, developers configure their npm client to interact with the private registry instead of the (default) public registry. With a configured upstream, any packages not available in the private registry will be fetched from the upstream registry instead (like registry.npmjs.org in this example).

Before new packages are pulled into your registries, they are checked against any active security policies, to make sure they do not violate any rules you have configured.

# Authenticate to Bytesafe using the npm client
$ npm --registry https://example.bytesafe.dev/r/default/ login
Username: bytesafe
Password:
Email(this IS public): you@example.com
Logged in as bytesafe on https://example.bytesafe.dev/r/default/.
# Work with the regular tooling (but direct your requests to private registry)
$ npm --registry https://example.bytesafe.dev/r/default/ publish
...
Enter fullscreen mode Exit fullscreen mode

With the npm client no longer directly linked to the public registry, it results in the following workflow:

Developers - publish/install package versions to/from the Bytesafe private registry — no direct interactions with the public registry. No need to change any behavior or usage patterns.
Private registry - holds all public and private packages and any required dependencies. If a package version is required that is not in the proxy registry it is pulled from upstreams.
Upstreams registries - provides package versions (when required) and is the target for push of packages from private registry. Upstreams can be either a single registry or multiple registries.

Recap

Setting up and using a private npm registry is an easy and effective way to keep your dependencies in check and improve security when using npm.
Without impacting or changing the workflow for developers.

Bytesafe offers hosted, private, reliable and private npm registries. And it's free to use for individual developers (so feel free to signup if you need a private registry). Manage, collaborate and secure your code supply chain with Bytesafe!

Discussion (0)

pic
Editor guide