I’m experiencing issues while trying to use npm to install a private GitHub repository that includes other private repositories as dependencies. I’ve explored various methods and articles, but none have proven effective for me.
Here’s the command I’m currently executing:
npm install git+https://github.com/companyname/mainproject.git
In my package.json file, the dependencies section appears as follows:
"dependencies": {
"project-utils": "git+https://github.com/companyname/utils-library.git",
"auth-module": "git+https://github.com/companyname/authentication-service.git"
}
What is the proper way to manage this situation? I need to ensure that npm can access and successfully install all the private repositories that are part of the dependencies.
you can also use an .npmrc file with a personal access token. just create .npmrc in your project root and add @companyname:registry=https://npm.pkg.github.com/ then //npm.pkg.github.com/:_authToken=YOUR_TOKEN. this worked for me when ssh wasn’t available because of company restrictions.
I’ve had luck using git+https format with tokens embedded right in the URLs. In your package.json, you can do: git+https://token:[email protected]/companyname/utils-library.git. Not great for security, but it skips all the SSH headaches. Just don’t commit that package.json with the token exposed. I usually use environment variables instead - something like git+https://token:${GITHUB_TOKEN}@github.com/companyname/utils-library.git and set GITHUB_TOKEN during builds. Works consistently across different CI/CD setups where SSH is a pain to configure.
Had the same headache with private repos at my company last year. npm needs authentication for each private repository, not just the main one. SSH keys fixed this for me. Generate an SSH key if you haven’t already and add it to your GitHub account. Then change your package.json dependencies to SSH format instead of HTTPS. Use git+ssh://[email protected]/companyname/utils-library.git format. Make sure your SSH agent is running and has the key loaded. Test it with ssh -T [email protected] to verify authentication works. This way you don’t embed tokens in your package.json, which is a security risk. SSH has been way more reliable for me, especially with multiple nested private dependencies.