I need help with installing a private GitHub repository using npm. The main issue is that this repo depends on other private GitHub repositories and I can’t get it to work properly.
I’ve been searching for solutions online but nothing seems to work for my case. Here’s my current approach:
The installation fails when npm tries to fetch the nested private dependencies. I’m wondering if there’s a specific syntax or authentication method I should be using. Has anyone successfully set up this kind of dependency chain with private GitHub repositories? What’s the correct approach here?
Setting up a .npmrc file in your project root saved me tons of headaches. Just add //npm.pkg.github.com/:_authToken=YOUR_TOKEN and @companyuser:registry=https://npm.pkg.github.com to configure npm for GitHub’s package registry. Way better than embedding tokens in package.json URLs - that’s a security nightmare. Here’s what clicked for me: npm uses the same auth context for everything, so configure it once at the npm level and it’ll handle all your nested private dependencies automatically. Just make sure your token has read access to every private repo in your dependency tree.
Had this exact problem at my previous job - super frustrating until I figured out it was an auth issue. npm can’t authenticate to fetch those nested private dependencies during install. Your auth token needs access to ALL the private repos in the dependency chain, not just the main one. Here’s what worked for me: set up an SSH key with read access to all relevant repositories, then use SSH syntax instead of HTTPS. Change your dependencies to git+ssh://git@github.com/companyuser/moduleA.git format. Also check your .npmrc file has the proper GitHub registry token configured. Watch out - all team members need the same repo access permissions or installs will fail for some people but not others.
Use personal access tokens in your git URLs like git+https://[email protected]/companyuser/moduleA.git - works way better than SSH for CI/CD pipelines. Just make sure your token has repo access to all dependencies or you’ll still get failures.
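Added example, not part of any reply in this thread: a pre-commit or CI check for the two places the answers above put credentials, git URLs in package.json and auth lines in .npmrc. It flags https git URLs with embedded userinfo and .npmrc auth values that are literals instead of ${VAR} references (npm expands those from the environment); the file contents, token strings and function names are constructed for illustration.

```javascript
// Constructed sample inputs; the token values are fake placeholders.
const samplePackageJson = {
  dependencies: {
    moduleA: "git+https://EXAMPLE_TOKEN_NOT_REAL@github.com/companyuser/moduleA.git",
    moduleB: "git+ssh://git@github.com/companyuser/moduleB.git",
    moduleC: "github:companyuser/moduleC#v1.2.0",
    lodash: "^4.17.21",
  },
};
const sampleNpmrc = [
  "@companyuser:registry=https://npm.pkg.github.com",
  "//npm.pkg.github.com/:_authToken=EXAMPLE_TOKEN_NOT_REAL",
  "//registry.example.test/:_authToken=${NPM_TOKEN}",
].join("\n");

// Names of dependencies whose http(s) git URL carries credentials in userinfo.
function findUrlCredentials(pkg) {
  const hits = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const m = /^(?:git\+)?(https?:\/\/.+)$/.exec(spec);
      if (!m) continue; // ssh URLs, shorthands and semver ranges hold no secret
      let url;
      try { url = new URL(m[1]); } catch { continue; }
      if (url.username || url.password) hits.push(name);
    }
  }
  return hits;
}

// .npmrc keys whose auth value is a literal rather than a ${VAR} reference.
function findLiteralNpmrcTokens(text) {
  const hits = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (!/(^|:)(_authToken|_auth|_password)$/.test(key)) continue;
    if (!/^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value)) hits.push(key);
  }
  return hits;
}

console.log("URL credentials in:", findUrlCredentials(samplePackageJson));
console.log("Literal .npmrc tokens:", findLiteralNpmrcTokens(sampleNpmrc));
```

Run the same checks against package-lock.json "resolved" URLs as well, since a token placed in a dependency URL is copied into the lockfile.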