# Configuring npm

This page explains how to configure the npm package manager to pull packages from the Seal artifact server based on your existing setup.

Make sure you have the access token for the server ready.

### Pull directly from the artifact server

npm reads its configuration from `.npmrc` files, which can be global, per-user, or per-project. We recommend a per-project setup, which you can do by creating or editing the `.npmrc` file in the project's root.

Our goal is to replace <https://registry.npmjs.org/> as your default registry with [https://npm.sealsecurity.io/](https://seal.security/). The configuration file may still refer to other registries for privately scoped packages.

1. We want the `.npmrc` file to look like this:

   ```ini
   registry=https://npm.sealsecurity.io/
   //npm.sealsecurity.io/:username=$PROJECT_ID
   //npm.sealsecurity.io/:_password=$TOKEN_IN_BASE64
   //npm.sealsecurity.io/:always-auth=true
   ```
2. Replace `$PROJECT_ID` with the name of your project. This value is later used in the reporting to indicate which project pulled which vulnerable package.
3. Replace `$TOKEN_IN_BASE64` with the base64 value of the access token. To encode the token in base64 you can use `echo -n "$TOKEN" | base64` on macOS or `echo -n "$TOKEN" | base64 -w0` on Ubuntu.

{% hint style="info" %}
Note that npm decodes the `_password` field using base64. Although the access token *looks* like it's in base64 because it's a JWT, it is in fact not a valid base64 string, so it must be encoded as described in step 3.
{% endhint %}

4. Now that the configuration is complete, you can run the following command to verify the authentication and authorization are working properly:

```bash
npm -d ping
```

The output should look like this:

{% code overflow="wrap" %}

```bash
➜ ~ npm -d ping
npm info using npm@9.6.4
npm info using node@v20.0.0
npm notice PING https://npm.sealsecurity.io/
npm http fetch GET 200 https://registry.npmjs.org/-/ping?write=true 888ms (cache updated)
npm notice PONG 889ms
npm info ok
```

{% endcode %}
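The encoding pitfall from the hint above can be caught before running `npm -d ping`. The following Node.js check is an added example, not Seal's or npm's own code: it confirms that `_password` is the base64 encoding of a JWT-shaped token rather than the raw token. The helper names `parseNpmrc` and `checkSealNpmrc` are hypothetical, the sample token is constructed, and the check assumes literal values in `.npmrc`.

```javascript
// Added example; parseNpmrc and checkSealNpmrc are hypothetical helper names.
const SEAL_HOST = 'npm.sealsecurity.io';
// Assumption from the hint above: the access token is a JWT, i.e. three
// base64url segments joined by dots ("." is outside the base64 alphabet).
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
const STRICT_B64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Parse "key=value" lines, skipping blanks and comments (# or ;).
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Return a list of problems; an empty list means the file matches step 1.
function checkSealNpmrc(text) {
  const cfg = parseNpmrc(text);
  const key = (name) => `//${SEAL_HOST}/:${name}`;
  const problems = [];
  if (cfg.registry !== `https://${SEAL_HOST}/`) problems.push('registry is not the Seal artifact server');
  if (!cfg[key('username')]) problems.push('username (project ID) is missing');
  const pw = cfg[key('_password')] || '';
  if (!pw) problems.push('_password is missing');
  else if (JWT_SHAPE.test(pw)) problems.push('_password holds the raw token, not its base64 encoding');
  else if (!STRICT_B64.test(pw)) problems.push('_password is not valid base64 (wrapped or truncated?)');
  else if (!JWT_SHAPE.test(Buffer.from(pw, 'base64').toString('utf8')))
    problems.push('_password does not decode to a JWT-shaped token (echo without -n?)');
  return problems;
}

// Constructed sample input: not a real token or project.
const SAMPLE_TOKEN = 'aGVhZGVy.cGF5bG9hZA.c2ln';
const sampleNpmrc = (password) => [
  `registry=https://${SEAL_HOST}/`,
  `//${SEAL_HOST}/:username=demo-project`,
  `//${SEAL_HOST}/:_password=${password}`,
  `//${SEAL_HOST}/:always-auth=true`,
].join('\n');

const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
console.log(checkSealNpmrc(sampleNpmrc(b64(SAMPLE_TOKEN))));        // correct
console.log(checkSealNpmrc(sampleNpmrc(SAMPLE_TOKEN)));             // raw JWT pasted
console.log(checkSealNpmrc(sampleNpmrc(b64(SAMPLE_TOKEN + '\n')))); // trailing newline encoded
```

Base64 is an encoding, not encryption, so a per-project `.npmrc` that holds `_password` should stay out of version control.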

### Pull using JFrog's Artifactory

1. Go to JFrog's Artifactory configuration and create a new remote npm repository.
   1. In the Basic configuration, choose whatever Repository Key you like.
   2. Set `https://npm.sealsecurity.io` as the URL.
   3. In the User Name field use `jfrog`.
   4. In the Password / Access Token field paste the token you created earlier.
2. Click the `Test` button. This will test whether the connection and authentication to the Seal artifact server are configured properly.
3. Save the new repository, and set it as the top priority remote repository in the virtual repository you're using.

### Pull using Verdaccio

1. Edit the Verdaccio configuration file (by default in `/verdaccio/conf/config.yaml`).
2. Under uplinks add the `seal` section as shown in the example below:

   ```yaml
   uplinks:
     npmjs:
       url: https://registry.npmjs.org/
     seal:
       url: https://npm.sealsecurity.io/
       auth:
         type: bearer
         token_env: SEAL_TOKEN
       cache: true
   ```
3. Set the value of the access token in the `SEAL_TOKEN` environment variable.
4. Add `seal` to the proxy list in the packages section.

#### Verdaccio configuration example:

```yaml
uplinks:
  npmjs:
    url: https://registry.npmjs.org/
  seal:
    url: https://npm.sealsecurity.io/
    auth:
      type: bearer
      token_env: SEAL_TOKEN
    cache: true
packages:
  '**':
    access: $all
    publish: $authenticated
    proxy: npmjs seal
storage: ./storage
```
