# Configuring yarn

This page explains how to configure the yarn package manager to pull packages from the Seal artifact server based on your existing setup.

Make sure you have the access token for the server ready.

### Configure classic yarn (v1) to pull directly from the artifact server

To configure Classic yarn it's best to use the npm configuration `.npmrc` files.

These configuration files can be global, per-user and per-project. We recommend using a per-project configuration, which you do by creating or editing the relevant file in your project's root directory.

Our goal is to replace <https://registry.npmjs.org/> as your default registry with [https://npm.sealsecurity.io/](https://seal.security/). The configuration file may still refer to other registries for privately scoped packages.

#### Using an `.npmrc` file

We want the file to look similar to this:

<pre class="language-bash"><code class="lang-bash"><strong>registry=https://npm.sealsecurity.io/
</strong>//npm.sealsecurity.io/:username=$PROJECT_ID
<strong>//npm.sealsecurity.io/:_password=$TOKEN_IN_BASE64
</strong>//npm.sealsecurity.io/:always-auth=true
</code></pre>

**The $PROJECT\_ID and $TOKEN\_IN\_BASE64 fields**

1. In the `$PROJECT_ID` put the name of your project. This value will later be used in the reporting to indicate which project pulled which vulnerable package.
2. In the `$TOKEN_IN_BASE64` we need to put the base64 value of the access token. To encode the token in base64 you can use `echo -n $TOKEN | base64` on Mac or `echo -n $TOKEN | base64 -w0` on Ubuntu.

{% hint style="info" %}
Note that npm decodes the \_password field using base64, and while the access token *looks* like it's in base64 because it's a JWT token, it's in fact not a valid base64 string.
{% endhint %}

### Configure yarn v2+ to pull directly from the artifact server

The yarn configuration is saved in the `.yarnrc` files, which can be global, per-user and per-project. We recommend using a per-project setup, which you can do by creating or editing the `.yarnrc` file in the project's root.

Our goal is to replace <https://registry.npmjs.org/> as your default registry with [https://npm.sealsecurity.io/](https://seal.security/). The configuration file may still refer to other registries for privately scoped packages. The file should end up looking like this:

```bash
npmRegistries:
  "https://npm.sealsecurity.io":
    npmAlwaysAuth: true
    npmAuthIdent: $AUTHENTICATION_STRING

npmRegistryServer: "https://npm.sealsecurity.io"

yarnPath: .yarn/releases/yarn-{yarn_version}.cjs
```

1. Make sure the `yarnPath` is pointing to the correct yarn version.
2. Let `$TOKEN` be the access token you have for the server. And let `$PROJECT_ID` be the name of your project, which will later be used in the reporting to indicate which project pulled which vulnerable package.
3. If you're using yarn v2 replace `$AUTHENTICATION_STRING` with the base64 encoding of `$PROJECT_ID:$TOKEN`.
4. If you're using yarn v3+ just replace `$AUTHENTICATION_STRING` with `"$PROJECT_ID:$TOKEN"`.

### Pull using JFrog's Artifactory

1. Go to JFrog's Artifactory configuration and create a new remote npm repository.
   1. In the Basic configuration, choose whatever Repository Key you like.
   2. Set `https://npm.sealsecurity.io` as the URL.
   3. In the User Name field use `jfrog`.
   4. In the Password / Access Token field paste the token you created earlier.
2. Click the `Test` button. This will test whether the connection and authentication to the Seal artifact server is configured properly.
3. Save the new repository, and set it as the top priority remote repository in the virtual repository you're using.