Custom Registries
Sandworm supports collecting package information from custom/private registries. If you've already configured the custom registry using your
.npmrc file, Sandworm audits should just work.Sandworm currently looks at the following configuration files:
- per-project config file:
/path/to/my/project/.npmrc - per-user config file:
~/.npmrc
The currently supported auth related settings are:
registry_authToken
Scopes can be associated with a separate registry. This allows you to seamlessly use a mix of packages from the primary npm registry and one or more private registries, such as GitHub Packages or the open source Verdaccio project.
In order to scope auth tokens, they must be prefixed by a URI fragment. If the credential is meant for any request to a registry on a single host, the scope may look like
//registry.npmjs.org/:. If it must be scoped to a specific path on the host that path may also be provided, such as //my-custom-registry.org/unique/path:.; bad config
_authToken=MYTOKEN
; good config
@myorg:registry=https://somewhere-else.com/myorg
@another:registry=https://somewhere-else.com/another
//registry.npmjs.org/:_authToken=MYTOKEN
; would apply to both @myorg and @another
; //somewhere-else.com/:_authToken=MYTOKEN
; would apply only to @myorg
//somewhere-else.com/myorg/:_authToken=MYTOKEN1
; would apply only to @another
//somewhere-else.com/another/:_authToken=MYTOKEN2
Environment variables can be replaced using ${VARIABLE_NAME}. For example:
//registry.npmjs.org/:_authToken=${DEFAULT_REG_TOKEN}
Sandworm also supports the
NPM_CONFIG_REGISTRY environment variable, to set the default registry URL directly.Last modified 1mo ago