Setting up a private npm server

Why a private npm registry is needed
A private npm registry is hosted on the company's internal servers. Why is it needed?

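  • Protects company code
  • Internal UI components and tools are easy for staff to use
  • Faster access over the internal network
  • Maintained internally, so publish and delete permissions can be controlled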
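Survey of solutions
  • Sinopia
    Cannot download packages whose names contain the @ symbol, and the repository has gone unmaintained for years; it is deprecated
  • cnpm
    Still maintained, but there has been no new release for a long time
  • verdaccio
    Forked from sinopia
    Actively maintained, has the most stars
  • Nexus
    Widely used for private Java repositories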
Project    GitHub stars  Latest release  Latest commit  Notes
Sinopia    5.4k          2015-6-7        2015-10-3      No longer maintained
cnpm       3.4k          2014-10-9       2021-7-6       -
verdaccio  11.9k         2021-7-15       2021-7-21      -
Data collected on 2021-7-23
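As the table shows, verdaccio is far ahead on all three dimensions, so verdaccio was chosen. It is written in Node.js, which is closest to the front-end stack.
Setup process
Request a server and install the environment
Once the server has been provisioned, log in over SSH using Xshell 6. The environment needs to be tested and installed, including external network access and Node.js; the popular version v14.17.3 (LTS) is chosen here.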
nodejs download
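Current long-term support version: 14.17.3 (includes npm 6.14.13)
tips: I tried using nvm. It installed successfully, but installing node through it failed because of network problems, so I gave up on it.
Using verdaccio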
verdaccio
Install
npm install -g verdaccio

Edit the configuration file
cd ~/.config/verdaccio
vim config.yaml
# or do it directly in one line
vim ~/.config/verdaccio/config.yaml

    #
    # This is the default config file. It allows all users to do anything,
    # so don't use it on production systems.
    #
    # Look here for more config file examples:
    # https://github.com/verdaccio/verdaccio/tree/master/conf
    #

    # path to a directory with all packages
    storage: ./storage # path where npm packages are stored
    # path to a directory with plugins to include
    plugins: ./plugins

    web:
      title: Verdaccio
      # comment out to disable gravatar support
      # gravatar: false
      # by default packages are ordered ascendant (asc|desc)
      # sort_packages: asc
      # convert your UI to the dark side
      # darkMode: true
      # logo: http://somedomain/somelogo.png
      # favicon: http://somedomain/favicon.ico | /path/favicon.ico

    # translate your registry, api i18n not available yet
    # i18n:
    # list of the available translations https://github.com/verdaccio/ui/tree/master/i18n/translations
    #   web: en-US

    auth:
      htpasswd:
        file: ./htpasswd
        # Maximum amount of users allowed to register, defaults to "+inf".
        # You can set this to -1 to disable registration.
        # max_users: 1000

    # a list of other known repositories we can talk to
    uplinks:
      npmjs:
        url: http://registry.npm.taobao.org/ # defaults to the official npm registry; switched to the taobao npm mirror because of network conditions in China

    packages:
      '@*/*':
        # scoped packages
        access: $all
        publish: $authenticated
        unpublish: $authenticated
        proxy: npmjs

      '**':
        # allow all users (including non-authenticated users) to read and
        # publish all packages
        #
        # you can specify usernames/groupnames (depending on your auth plugin)
        # and three keywords: "$all", "$anonymous", "$authenticated"
        access: $all

        # allow all known users to publish/unpublish packages
        # (anyone can register by default, remember?)
        publish: $authenticated
        unpublish: $authenticated

        # if package is not available locally, proxy requests to 'npmjs' registry
        proxy: npmjs

    # You can specify HTTP/1.1 server keep alive timeout in seconds for incoming connections.
    # A value of 0 makes the http server behave similarly to Node.js versions prior to 8.0.0, which did not have a keep-alive timeout.
    # WORKAROUND: Through given configuration you can workaround following issue https://github.com/verdaccio/verdaccio/issues/301. Set to 0 in case 60 is not enough.
    server:
      keepAliveTimeout: 60

    middlewares:
      audit:
        enabled: true

    # log settings
    logs: { type: stdout, format: pretty, level: http }

    # listen: setting the listen address enables access from external networks
    listen: 0.0.0.0:4873

    #experiments:
    #  # support for npm token command
    #  token: false
    #  # disable writing body size to logs, read more on ticket 1912
    #  bytesin_off: false
    #  # enable tarball URL redirect for hosting tarball with a different server, the tarball_url_redirect can be a template string
    #  tarball_url_redirect: 'https://mycdn.com/verdaccio/${packageName}/${filename}'
    #  # the tarball_url_redirect can be a function, takes packageName and filename and returns the url, when working with a js configuration file
    #  tarball_url_redirect(packageName, filename) {
    #    const signedUrl = // generate a signed url
    #    return signedUrl;
    #  }

    # This affect the web and api (not developed yet)
    #i18n:
    #  web: en-US

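The settings you are likely to change are: storage, uplinks.npmjs.url, listen
In addition, to keep developers from deleting packages at will, set unpublish to specific accounts.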
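
The unpublish restriction above, written out as an added example (not part of the original post's config), together with closing self-registration, which otherwise lets anyone who can reach the port become $authenticated. The account name npm-admin and the scope @mycompany are assumed names.

```yaml
# Added example: hardened auth/packages sections for ~/.config/verdaccio/config.yaml.
# "npm-admin" and "@mycompany" are hypothetical names; replace them with your own.

auth:
  htpasswd:
    file: ./htpasswd
    # Create the needed accounts first (npm adduser), then set -1 so that
    # nobody else can self-register and gain "$authenticated" rights.
    max_users: -1

packages:
  # Internal scope. Listed first: patterns are checked top to bottom and
  # the first match wins, so this must come before '@*/*'.
  '@mycompany/*':
    access: $authenticated      # internal code is not readable anonymously
    publish: $authenticated     # any registered developer may publish
    unpublish: npm-admin        # only the admin account may delete
    # No "proxy" key on purpose: names in this scope are never fetched
    # from the uplink, so a public package cannot shadow an internal one.

  # Public scoped packages: read-through cache only.
  '@*/*':
    access: $all
    publish: npm-admin
    unpublish: npm-admin
    proxy: npmjs

  # Everything else: read-through cache only.
  '**':
    access: $all
    publish: npm-admin
    unpublish: npm-admin
    proxy: npmjs
```

Restart verdaccio after editing the file so the new rules take effect.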
Start
verdaccio

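The registry can then be accessed from the external network at http://ip:4873
pm2 process daemon
To keep the service running after the SSH session ends, pm2 can be used to supervise the process.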
pm2
pm2 start verdaccio

Common pm2 commands
pm2 list/ls # list the processes managed by pm2
pm2 start # start a global command, or run an executable script at a given path
pm2 stop
pm2 restart
pm2 reload
pm2 delete
