Commit b8d9fecf authored by Nick Gaskill

Merge branch '344860-npm-package-registry-documentation-recommends-a-practice-that-is-insecure-and-can-lead-to' into 'master'

Add security warning and env variable to npm package docs

See merge request gitlab-org/gitlab!73957
parents 113de96f 02dd448c
...@@ -17,6 +17,10 @@ Only [scoped](https://docs.npmjs.com/misc/scope/) packages are supported. ...@@ -17,6 +17,10 @@ Only [scoped](https://docs.npmjs.com/misc/scope/) packages are supported.
For documentation of the specific API endpoints that the npm package manager For documentation of the specific API endpoints that the npm package manager
client uses, see the [npm API documentation](../../../api/packages/npm.md). client uses, see the [npm API documentation](../../../api/packages/npm.md).
WARNING:
Never hardcode GitLab tokens (or any tokens) directly in `.npmrc` files or any other files that can
be committed to a repository.
## Build an npm package ## Build an npm package
This section covers how to install npm or Yarn and build a package for your This section covers how to install npm or Yarn and build a package for your
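Review bot: The WARNING added just before "## Build an npm package" tells readers what to avoid but not what to do instead; the alternative only appears in the later hunk around line 434. Suggest closing the warning with a pointer to the environment-variable form (`_authToken=${MY_TOKEN}`) and a sentence telling readers to revoke any token that has already been committed to a repository.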
...@@ -430,14 +434,16 @@ You can route package requests to organizations and users outside of GitLab. ...@@ -430,14 +434,16 @@ You can route package requests to organizations and users outside of GitLab.
To do this, add lines to your `.npmrc` file. Replace `my-org` with the namespace or group that owns your project's repository, To do this, add lines to your `.npmrc` file. Replace `my-org` with the namespace or group that owns your project's repository,
and use your organization's URL. The name is case-sensitive and must match the name of your group or namespace exactly. and use your organization's URL. The name is case-sensitive and must match the name of your group or namespace exactly.
Use environment variables to set up your tokens: `export MY_TOKEN="<your token>"`.
```shell ```shell
@foo:registry=https://gitlab.example.com/api/v4/packages/npm/ @foo:registry=https://gitlab.example.com/api/v4/packages/npm/
//gitlab.example.com/api/v4/packages/npm/:_authToken= "<your_token>" //gitlab.example.com/api/v4/packages/npm/:_authToken=${MY_TOKEN}
//gitlab.example.com/api/v4/projects/<your_project_id>/packages/npm/:_authToken= "<your_token>" //gitlab.example.com/api/v4/projects/<your_project_id>/packages/npm/:_authToken=${MY_TOKEN}
@my-other-org:registry=https://gitlab.example.com/api/v4/packages/npm/ @my-other-org:registry=https://gitlab.example.com/api/v4/packages/npm/
//gitlab.example.com/api/v4/packages/npm/:_authToken= "<your_token>" //gitlab.example.com/api/v4/packages/npm/:_authToken=${MY_TOKEN}
//gitlab.example.com/api/v4/projects/<your_project_id>/packages/npm/:_authToken= "<your_token>" //gitlab.example.com/api/v4/projects/<your_project_id>/packages/npm/:_authToken=${MY_TOKEN}
``` ```
### npm metadata ### npm metadata
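Review bot: The added sentence `Use environment variables to set up your tokens: export MY_TOKEN="<your token>"` spells the placeholder with a space, while the removed lines used `<your_token>` and the block still uses `<your_project_id>`; keep the underscore form for consistency. All four `_authToken` lines now read the same `${MY_TOKEN}` in a section about routing requests to different organizations (`@foo`, `@my-other-org`), so it is worth stating that a separate variable per registry entry can be used when the tokens differ. The `export` command would also read better in its own fenced block than inline, since the block that follows is `.npmrc` content rather than shell commands.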
......