
Configuring npm

How to configure the npm package manager


Last updated 3 months ago

This page explains how to configure the npm package manager to pull packages from the Seal artifact server based on your existing setup.

Make sure you have the access token for the server ready.

Pull directly from the artifact server

npm stores its configuration in .npmrc files, which can be global, per-user, or per-project. We recommend a per-project setup, which you can do by creating or editing the .npmrc file in the project's root.

Our goal is to replace https://registry.npmjs.org/ as your default registry with https://npm.sealsecurity.io/. The configuration file may still refer to other registries for privately scoped packages.

  1. We want the .npmrc file to look like this:

    registry=https://npm.sealsecurity.io/
    //npm.sealsecurity.io/:username=$PROJECT_ID
    //npm.sealsecurity.io/:_password=$TOKEN_IN_BASE64
    //npm.sealsecurity.io/:always-auth=true
  2. Replace $PROJECT_ID with the name of your project. This value will later be used in the reporting to indicate which project pulled which vulnerable package.

  3. Replace $TOKEN_IN_BASE64 with the base64 value of the access token. To encode the token in base64 you can use echo -n $TOKEN | base64 on macOS or echo -n $TOKEN | base64 -w0 on Ubuntu.

Note that npm decodes the _password field using base64. The access token looks like it's already in base64 because it's a JWT, but it is in fact not a valid base64 string, so it must be encoded as described in step 3.

  4. Now that the configuration is complete, you can run the following command to verify the authentication and authorization are working properly:

    npm -d ping

The output should look like this:

    ➜ ~ npm -d ping
    npm info using npm@9.6.4
    npm info using node@v20.0.0
    npm notice PING https://npm.sealsecurity.io/
    npm http fetch GET 200 https://registry.npmjs.org/-/ping?write=true 888ms (cache updated)
    npm notice PONG 889ms
    npm info ok
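
The steps above as a script, added here as an illustration and not part of Seal's own tooling: it writes the four-line .npmrc with an owner-only file mode and checks that _password holds the base64 of the token rather than the raw JWT. The helper names write_npmrc, check_npmrc and b64 are hypothetical; the registry host and config keys are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not Seal's tooling). write_npmrc, check_npmrc and b64 are
# hypothetical helper names; the registry host and keys come from the page.
REGISTRY_HOST="npm.sealsecurity.io"

# Encode without a trailing newline; tr replaces the GNU-only -w0 flag.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# write_npmrc <project_dir> <project_id> <token>
# Returns 3 instead of overwriting an existing .npmrc, which may hold
# entries for privately scoped registries.
write_npmrc() {
  if [ -e "$1/.npmrc" ]; then return 3; fi
  (
    umask 077  # the file holds a credential: owner read/write only
    cat > "$1/.npmrc" <<EOF
registry=https://$REGISTRY_HOST/
//$REGISTRY_HOST/:username=$2
//$REGISTRY_HOST/:_password=$(b64 "$3")
//$REGISTRY_HOST/:always-auth=true
EOF
  )
}

# check_npmrc <project_dir>
#   0  _password is base64 that decodes to a three-part, dot-separated token
#   1  _password is the raw JWT, or decodes to something else
#   2  no _password entry for the Seal registry
check_npmrc() {
  pw=$(sed -n "s|^//$REGISTRY_HOST/:_password=||p" "$1/.npmrc" 2>/dev/null)
  [ -n "$pw" ] || return 2
  case "$pw" in *.*) return 1 ;; esac  # dots are not in the base64 alphabet
  # -d works with GNU coreutils and BusyBox; older macOS releases use -D.
  decoded=$(printf '%s' "$pw" | base64 -d 2>/dev/null) || return 1
  case "$decoded" in *.*.*) return 0 ;; *) return 1 ;; esac
}
```

Running check_npmrc as a CI step before npm -d ping catches a raw or double-encoded token without sending the credential anywhere.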

Pull through JFrog's Artifactory

  1. Go to JFrog's Artifactory configuration and create a new remote npm repository.

    1. In the Basic configuration, choose whatever Repository Key you like.

    2. Set https://npm.sealsecurity.io as the URL.

    3. In the User Name field use jfrog.

    4. In the Password / Access Token field paste the token you created earlier.

  2. Click the Test button. This tests whether the connection and authentication to the Seal artifact server are configured properly.

  3. Save the new repository, and set it as the top priority remote repository in the virtual repository you're using.
