2020-06-23 00:09:42 +05:30
---
stage: Package
2023-01-13 00:05:48 +05:30
group: Package Registry
2022-11-25 23:54:43 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2020-06-23 00:09:42 +05:30
---
2021-03-11 19:13:27 +05:30
# npm packages in the Package Registry **(FREE)**
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
For documentation of the specific API endpoints that the npm package manager client uses, see the [npm API documentation ](../../../api/packages/npm.md ).
2022-01-26 12:08:38 +05:30
2023-01-13 00:05:48 +05:30
Learn how to build an [npm ](../workflows/build_packages.md#npm ) or [yarn ](../workflows/build_packages.md#yarn ) package.
2021-01-29 00:20:46 +05:30
2023-03-04 22:38:38 +05:30
Watch a [video demo ](https://youtu.be/yvLxtkvsFDA ) of how to publish npm packages to the GitLab Package Registry.
2021-01-29 00:20:46 +05:30
2023-03-04 22:38:38 +05:30
## Publish to GitLab Package Registry
2020-03-13 15:44:24 +05:30
2023-03-04 22:38:38 +05:30
### Authentication to the Package Registry
2020-03-13 15:44:24 +05:30
2023-03-04 22:38:38 +05:30
You need an token to publish a package. There are different tokens available depending on what you're trying to achieve. For more information, review the [guidance on tokens ](../../../user/packages/package_registry/index.md#authenticate-with-the-registry ).
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
- If your organization uses two factor authentication (2FA), you must use a personal access token with the scope set to `api` .
- If you are publishing a package via CI/CD pipelines, you must use a CI job token.
2021-03-08 18:12:59 +05:30
2023-03-04 22:38:38 +05:30
Create a token and save it to use later in the process.
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
### Naming convention
2019-12-04 20:38:33 +05:30
2023-04-23 21:23:45 +05:30
Depending on how the package is installed, you may need to adhere to the naming convention.
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
You can use one of two API endpoints to install packages:
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
- **Instance-level**: Use when you have many npm packages in different GitLab groups or in their own namespace.
- **Project-level**: Use when you have few npm packages and they are not in the same GitLab group.
2021-01-29 00:20:46 +05:30
2023-03-04 22:38:38 +05:30
If you plan to install a package through the [project level ](#install-from-the-project-level ), then you do not have to adhere to the naming convention.
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
If you plan to install a package through the [instance level ](#install-from-the-instance-level ), then you must name your package with a [scope ](https://docs.npmjs.com/misc/scope/ ). Scoped packages begin with a `@` have the format of `@owner/package-name` . You can set up the scope for your package in the `.npmrc` file and by using the `publishConfig` option in the `package.json` .
2019-12-04 20:38:33 +05:30
2023-04-23 21:23:45 +05:30
- The value used for the `@scope` is the root of the project that is hosting the packages and not the root
2023-03-04 22:38:38 +05:30
of the project with the source code of the package itself. The scope should be lowercase.
- The package name can be anything you want
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
| Project URL | Package Registry in | Scope | Full package name |
| ------------------------------------------------------- | ------------------- | --------- | ---------------------- |
| `https://gitlab.com/my-org/engineering-group/analytics` | Analytics | `@my-org` | `@my-org/package-name` |
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
Make sure that the name of your package in the `package.json` file matches this convention:
2019-12-21 20:55:43 +05:30
2020-03-13 15:44:24 +05:30
```shell
2023-03-04 22:38:38 +05:30
"name": "@my-org/package-name"
2019-12-26 22:10:19 +05:30
```
2019-12-21 20:55:43 +05:30
2023-03-04 22:38:38 +05:30
## Publishing a package via the command line
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
### Authenticating via the `.npmrc`
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
Create or edit the `.npmrc` file in the same directory as your `package.json` . Include the following lines in the `.npmrc` file:
2019-12-04 20:38:33 +05:30
2020-03-13 15:44:24 +05:30
```shell
2023-03-04 22:38:38 +05:30
@scope:registry =https://your_domain_name/api/v4/projects/your_project_id/packages/npm/
//your_domain_name/api/v4/projects/your_project_id/packages/npm/:_authToken="${NPM_TOKEN}"
2019-12-04 20:38:33 +05:30
```
2023-03-04 22:38:38 +05:30
- Replace `@scope` with the [root level group ](#naming-convention ) of the project you're publishing to the package to.
- Replace `your_domain_name` with your domain name, for example, `gitlab.com` .
- Replace `your_project_id` is your project ID, found on the project's home page.
2023-04-23 21:23:45 +05:30
- `"${NPM_TOKEN}"` is associated with the token you created later in the process.
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
WARNING:
Never hardcode GitLab tokens (or any tokens) directly in `.npmrc` files or any other files that can
be committed to a repository.
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
### Publishing a package via the command line
2021-12-11 22:18:48 +05:30
2023-03-04 22:38:38 +05:30
Associate your [token ](#authentication-to-the-package-registry ) with the `"${NPM_TOKEN}"` in the `.npmrc` . Replace `your_token` with a deploy token, group access token, project access token, or personal access token.
2021-12-11 22:18:48 +05:30
```shell
2023-03-04 22:38:38 +05:30
NPM_TOKEN=your_token npm publish
2020-03-13 15:44:24 +05:30
```
2023-03-04 22:38:38 +05:30
Your package should now publish to the Package Registry.
2020-03-13 15:44:24 +05:30
2023-03-04 22:38:38 +05:30
## Publishing a package via a CI/CD pipeline
2022-04-04 11:22:00 +05:30
2023-03-04 22:38:38 +05:30
### Authenticating via the `.npmrc`
2020-03-13 15:44:24 +05:30
2023-03-04 22:38:38 +05:30
Create or edit the `.npmrc` file in the same directory as your `package.json` in a GitLab project. Include the following lines in the `.npmrc` file:
2020-03-13 15:44:24 +05:30
```shell
2023-03-04 22:38:38 +05:30
@scope:registry =https://your_domain_name/api/v4/projects/your_project_id/packages/npm/
//your_domain_name/api/v4/projects/${CI_PROJECT_ID}/packages/npm/:_authToken=${CI_JOB_TOKEN}
2020-03-13 15:44:24 +05:30
```
2023-03-04 22:38:38 +05:30
- Replace `@scope` with the [root level group ](#naming-convention ) of the project you're publishing to the package to.
- The `${CI_PROJECT_ID}` and `${CI_JOB_TOKEN}` are [predefined variables ](../../../ci/variables/predefined_variables.md ) that are available in the pipeline and do not need to be replaced.
2020-03-13 15:44:24 +05:30
2023-03-04 22:38:38 +05:30
### Publishing a package via a CI/CD pipeline
2021-04-29 21:17:54 +05:30
2023-03-04 22:38:38 +05:30
In the GitLab project that houses your `.npmrc` and `package.json` , edit or create a `.gitlab-ci.yml` file. For example:
2021-01-29 00:20:46 +05:30
```yaml
image: node:latest
stages:
- deploy
deploy:
stage: deploy
script:
2021-09-04 01:27:46 +05:30
- echo "//${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/packages/npm/:_authToken=${CI_JOB_TOKEN}">.npmrc
2021-01-29 00:20:46 +05:30
- npm publish
2020-03-13 15:44:24 +05:30
```
2023-03-04 22:38:38 +05:30
Your package should now publish to the Package Registry when the pipeline runs.
2021-06-08 01:23:25 +05:30
2023-03-04 22:38:38 +05:30
## Install a package
2021-06-08 01:23:25 +05:30
2023-03-04 22:38:38 +05:30
If multiple packages have the same name and version, when you install a package, the most recently-published package is retrieved.
2021-06-08 01:23:25 +05:30
2023-03-04 22:38:38 +05:30
You can install a package from a GitLab project or instance:
2021-06-08 01:23:25 +05:30
2023-03-04 22:38:38 +05:30
- **Instance-level**: Use when you have many npm packages in different GitLab groups or in their own namespace.
- **Project-level**: Use when you have few npm packages and they are not in the same GitLab group.
2021-06-08 01:23:25 +05:30
2023-03-04 22:38:38 +05:30
### Install from the instance level
2021-06-08 01:23:25 +05:30
2023-03-04 22:38:38 +05:30
WARNING:
2023-04-23 21:23:45 +05:30
To install a package from the instance level, the package must have been published following the scoped [naming convention ](#naming-convention ).
2021-06-08 01:23:25 +05:30
2023-03-04 22:38:38 +05:30
1. Authenticate to the Package Registry
2021-01-29 00:20:46 +05:30
2023-04-23 21:23:45 +05:30
If you would like to install a package from a private project, you would have to authenticate to the Package Registry. Skip this step if the project is not private.
2021-01-29 00:20:46 +05:30
2023-03-04 22:38:38 +05:30
```shell
npm config set -- //your_domain_name/api/v4/packages/npm/:_authToken=your_token
```
2021-10-27 15:23:28 +05:30
2023-03-04 22:38:38 +05:30
- Replace `your_domain_name` with your domain name, for example, `gitlab.com` .
- Replace `your_token` with a deploy token, group access token, project access token, or personal access token.
2021-10-27 15:23:28 +05:30
2023-03-04 22:38:38 +05:30
1. Set the registry
2021-01-29 00:20:46 +05:30
2023-03-04 22:38:38 +05:30
```shell
npm config set @scope:registry https://your_domain_name.com/api/v4/packages/npm/
```
2021-12-11 22:18:48 +05:30
2023-03-04 22:38:38 +05:30
- Replace `@scope` with the [root level group ](#naming-convention ) of the project you're installing to the package from.
- Replace `your_domain_name` with your domain name, for example `gitlab.com` .
- Replace `your_token` with a deploy token, group access token, project access token, or personal access token.
2021-12-11 22:18:48 +05:30
2023-03-04 22:38:38 +05:30
1. Install the package
2021-01-29 00:20:46 +05:30
2023-03-04 22:38:38 +05:30
```shell
npm install @scope/my -package
```
2021-04-17 20:07:23 +05:30
2023-03-04 22:38:38 +05:30
### Install from the project level
2021-01-29 00:20:46 +05:30
2023-03-04 22:38:38 +05:30
1. Authenticate to the Package Registry
2021-11-18 22:05:49 +05:30
2023-04-23 21:23:45 +05:30
If you would like to install a package from a private project, you would have to authenticate to the Package Registry. Skip this step if the project is not private.
2021-01-29 00:20:46 +05:30
```shell
2023-03-04 22:38:38 +05:30
npm config set -- //your_domain_name/api/v4/projects/your_project_id/packages/npm/:_authToken=your_token
2021-01-29 00:20:46 +05:30
```
2023-03-04 22:38:38 +05:30
- Replace `your_domain_name` with your domain name, for example, `gitlab.com` .
- Replace `your_project_id` is your project ID, found on the project's home page.
- Replace `your_token` with a deploy token, group access token, project access token, or personal access token.
2022-07-23 23:45:48 +05:30
2023-03-04 22:38:38 +05:30
1. Set the registry
2021-11-18 22:05:49 +05:30
```shell
2023-03-04 22:38:38 +05:30
npm config set @scope:registry =https://your_domain_name/api/v4/projects/your_project_id/packages/npm/
2021-11-18 22:05:49 +05:30
```
2023-03-04 22:38:38 +05:30
- Replace `@scope` with the [root level group ](#naming-convention ) of the project you're installing to the package from.
- Replace `your_domain_name` with your domain name, for example, `gitlab.com` .
- Replace `your_project_id` is your project ID, found on the project's home page.
2020-04-08 14:13:33 +05:30
2023-03-04 22:38:38 +05:30
1. Install the package
2021-01-29 00:20:46 +05:30
```shell
2023-03-04 22:38:38 +05:30
npm install @scope/my -package
2021-01-29 00:20:46 +05:30
```
2023-03-04 22:38:38 +05:30
## Helpful hints
2021-01-29 00:20:46 +05:30
2023-03-04 22:38:38 +05:30
### Package forwarding to npmjs.com
2021-01-29 00:20:46 +05:30
2023-03-04 22:38:38 +05:30
When an npm package is not found in the Package Registry, the request is forwarded to [npmjs.com ](https://www.npmjs.com/ ).
2020-04-08 14:13:33 +05:30
Administrators can disable this behavior in the [Continuous Integration settings ](../../admin_area/settings/continuous_integration.md ).
2023-03-04 22:38:38 +05:30
Group owners can disable this behavior in the group Packages and Registries settings.
2021-03-11 19:13:27 +05:30
### Install npm packages from other organizations
2021-01-03 14:25:43 +05:30
You can route package requests to organizations and users outside of GitLab.
2023-03-04 22:38:38 +05:30
To do this, add lines to your `.npmrc` file. Replace `@my-other-org` with the namespace or group that owns your project's repository,
2021-01-29 00:20:46 +05:30
and use your organization's URL. The name is case-sensitive and must match the name of your group or namespace exactly.
2021-01-03 14:25:43 +05:30
```shell
2023-03-04 22:38:38 +05:30
@scope:registry =https://my_domain_name.com/api/v4/packages/npm/
@my -other-org:registry=https://my_domain_name.example.com/api/v4/packages/npm/
2021-01-03 14:25:43 +05:30
```
2021-12-11 22:18:48 +05:30
### npm metadata
The GitLab Package Registry exposes the following attributes to the npm client.
These are similar to the [abbreviated metadata format ](https://github.com/npm/registry/blob/9e368cf6aaca608da5b2c378c0d53f475298b916/docs/responses/package-metadata.md#abbreviated-metadata-format ):
- `name`
- `versions`
- `name`
- `version`
- `deprecated`
- `dependencies`
- `devDependencies`
- `bundleDependencies`
- `peerDependencies`
- `bin`
- `directories`
- `dist`
- `engines`
- `_hasShrinkwrap`
2020-03-13 15:44:24 +05:30
2023-03-04 22:38:38 +05:30
### Add npm distribution tags
2020-03-13 15:44:24 +05:30
2021-02-22 17:27:13 +05:30
You can add [distribution tags ](https://docs.npmjs.com/cli/dist-tag/ ) to newly-published packages.
2021-01-29 00:20:46 +05:30
Tags are optional and can be assigned to only one package at a time.
2020-03-13 15:44:24 +05:30
2021-01-29 00:20:46 +05:30
When you publish a package without a tag, the `latest` tag is added by default.
When you install a package without specifying the tag or version, the `latest` tag is used.
Examples of the supported `dist-tag` commands:
```shell
npm publish @scope/package --tag # Publish a package with new tag
npm dist-tag add @scope/package@version my-tag # Add a tag to an existing package
npm dist-tag ls @scope/package # List all tags under the package
npm dist-tag rm @scope/package@version my-tag # Delete a tag from the package
npm install @scope/package@my -tag # Install a specific tag
2020-03-13 15:44:24 +05:30
```
2023-05-27 22:25:52 +05:30
#### From CI/CD
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/258835) in GitLab 15.10.
You can use a [`CI_JOB_TOKEN` ](../../../ci/jobs/ci_job_token.md ) or [deploy token ](../../project/deploy_tokens/index.md )
to run `npm dist-tag` commands in a GitLab CI/CD job. For example:
```yaml
npm-deploy-job:
script:
- echo "//${CI_SERVER_HOST}/api/v4/projects/${CI_PROJECT_ID}/packages/npm/:_authToken=${CI_JOB_TOKEN}">.npmrc
- npm dist-tag add @scope/package@version my-tag
```
2021-01-29 00:20:46 +05:30
2021-03-11 19:13:27 +05:30
Due to a bug in npm 6.9.0, deleting distribution tags fails. Make sure your npm version is 6.9.1 or later.
2020-07-28 23:09:34 +05:30
2023-03-04 22:38:38 +05:30
### Supported CLI commands
2019-12-04 20:38:33 +05:30
2023-03-04 22:38:38 +05:30
The GitLab npm repository supports the following commands for the npm CLI (`npm`) and yarn CLI
(`yarn`):
2019-12-21 20:55:43 +05:30
2023-03-04 22:38:38 +05:30
- `npm install` : Install npm packages.
- `npm publish` : Publish an npm package to the registry.
- `npm dist-tag add` : Add a dist-tag to an npm package.
- `npm dist-tag ls` : List dist-tags for a package.
- `npm dist-tag rm` : Delete a dist-tag.
- `npm ci` : Install npm packages directly from your `package-lock.json` file.
- `npm view` : Show package metadata.
2021-01-03 14:25:43 +05:30
2023-03-04 22:38:38 +05:30
## Troubleshooting
2021-01-03 14:25:43 +05:30
2023-04-23 21:23:45 +05:30
### `404 Not Found` errors are happening on `npm install` or `yarn`
2023-05-27 22:25:52 +05:30
Using `CI_JOB_TOKEN` to install npm packages with dependencies in another project gives you 404 Not Found errors. You need to authenticate with a token that has access to the package and all its dependencies.
2023-04-23 21:23:45 +05:30
2023-05-27 22:25:52 +05:30
If the package and its dependencies are in separate projects but in the same group, you can use a
[group deploy token ](../../project/deploy_tokens/index.md#create-a-deploy-token ):
2023-04-23 21:23:45 +05:30
2023-05-27 22:25:52 +05:30
```ini
//gitlab.example.com/api/v4/packages/npm/:_authToken=< group-token >
@group -scope:registry=https://gitlab.example.com/api/v4/packages/npm/
```
2023-04-23 21:23:45 +05:30
2023-05-27 22:25:52 +05:30
If the package and its dependencies are spread across multiple groups, you can use a [personal access token ](../../profile/personal_access_tokens.md )
from a user that has access to all the groups or individual projects:
```ini
//gitlab.example.com/api/v4/packages/npm/:_authToken=< personal-access-token >
@group -1:registry=https://gitlab.example.com/api/v4/packages/npm/
@group -2:registry=https://gitlab.example.com/api/v4/packages/npm/
```
WARNING:
Personal access tokens must be treated carefully. Read our [token security considerations ](../../../security/token_overview.md#security-considerations )
for guidance on managing personal access tokens (for example, setting a short expiry and using minimal scopes).
2023-04-23 21:23:45 +05:30
2021-03-11 19:13:27 +05:30
### `npm publish` targets default npm registry (`registry.npmjs.org`)
2019-12-21 20:55:43 +05:30
Ensure that your package scope is set consistently in your `package.json` and `.npmrc` files.
2023-03-04 22:38:38 +05:30
For example, if your project name in GitLab is `@scope/my-package` , then your `package.json` file
2019-12-21 20:55:43 +05:30
should look like:
```json
{
2023-03-04 22:38:38 +05:30
"name": "@scope/my-package"
2019-12-21 20:55:43 +05:30
}
```
And the `.npmrc` file should look like:
2020-03-13 15:44:24 +05:30
```shell
2023-03-04 22:38:38 +05:30
@scope:registry =https://your_domain_name/api/v4/projects/your_project_id/packages/npm/
//your_domain_name/api/v4/projects/your_project_id/packages/npm/:_authToken="${NPM_TOKEN}"
2020-03-13 15:44:24 +05:30
```
2020-05-24 23:13:21 +05:30
### `npm install` returns `npm ERR! 403 Forbidden`
2021-01-29 00:20:46 +05:30
If you get this error, ensure that:
2021-01-03 14:25:43 +05:30
2023-03-04 22:38:38 +05:30
- The Package Registry is enabled in your project settings. Although the Package Registry is enabled by default, it's possible to [disable it ](../package_registry/index.md#disable-the-package-registry ).
2021-01-29 00:20:46 +05:30
- Your token is not expired and has appropriate permissions.
2021-03-11 19:13:27 +05:30
- A package with the same name or version doesn't already exist within the given scope.
2021-01-29 00:20:46 +05:30
- The scoped packages URL includes a trailing slash:
- Correct: `//gitlab.example.com/api/v4/packages/npm/`
- Incorrect: `//gitlab.example.com/api/v4/packages/npm`
2021-02-22 17:27:13 +05:30
### `npm publish` returns `npm ERR! 400 Bad Request`
2021-09-30 23:02:18 +05:30
If you get this error, one of the following problems could be causing it.
2023-03-04 22:38:38 +05:30
### Package name does not meet the naming convention
2021-09-30 23:02:18 +05:30
2023-03-04 22:38:38 +05:30
Your package name may not meet the [`@scope/package-name` package naming convention ](#naming-convention ).
2021-02-22 17:27:13 +05:30
2023-03-04 22:38:38 +05:30
Ensure the name meets the convention exactly, including the case. Then try to publish again.
2021-03-08 18:12:59 +05:30
2023-03-04 22:38:38 +05:30
### Package already exists
2021-09-30 23:02:18 +05:30
2023-03-04 22:38:38 +05:30
Your package has already been published to another project in the same root namespace and therefore cannot be published again using the same name.
2021-09-30 23:02:18 +05:30
2023-03-04 22:38:38 +05:30
This is also true even if the prior published package shares the same name, but not the version.
2021-09-30 23:02:18 +05:30
2023-03-04 22:38:38 +05:30
### Package JSON file is too large
2021-12-11 22:18:48 +05:30
2023-03-04 22:38:38 +05:30
Make sure that your `package.json` file does not exceed `20,000` characters.
2021-12-11 22:18:48 +05:30
2021-03-08 18:12:59 +05:30
### `npm publish` returns `npm ERR! 500 Internal Server Error - PUT`
2023-04-23 21:23:45 +05:30
This is a [known issue ](https://gitlab.com/gitlab-org/gitlab/-/issues/238950 ) in GitLab 13.3.x and later. The error in the logs appears as:
2021-03-08 18:12:59 +05:30
```plaintext
>NoMethodError - undefined method `preferred_language' for #< Rack::Response
```
This might be accompanied by another error:
```plaintext
>Errno::EACCES","exception.message":"Permission denied
```
This is usually a permissions issue with either:
- `'packages_storage_path'` default `/var/opt/gitlab/gitlab-rails/shared/packages/` .
2023-03-04 22:38:38 +05:30
- The remote bucket if [object storage ](../../../administration/packages/index.md#use-object-storage )
2021-03-08 18:12:59 +05:30
is used.
2021-04-29 21:17:54 +05:30
In the latter case, ensure the bucket exists and GitLab has write access to it.