Set up your client's npmrc

Azure DevOps Services | TFS 2018 | TFS 2017

All Azure Artifacts feeds require authentication, so you'll need to store credentials for the feed before you can install or publish packages. npm uses .npmrc configuration files to store feed URLs and credentials.

Where are my .npmrc files?

Azure DevOps Services recommends using two .npmrc files:

  1. One .npmrc should live at the root of your git repo adjacent to your project's package.json. It should contain a "registry" line for your feed and it should not contain credentials since it will be checked into git. You can find the registry information for your feed from the Connect to Feed button:

    1. From your Packages page, click Connect to Feed

      Connect to feed button in Azure Artifacts

      Connect to feed button in Azure Artifacts

      Connect to feed button in Azure Artifacts

    2. Copy the "registry" text:

      Connect to feed from Azure Artifacts

      Connect to feed from Azure Artifacts

      Connect to feed from Azure Artifacts

  2. On your development machine, you will also have a .npmrc in $home for Linux or Mac systems or $env.HOME for win systems. This .npmrc should contain credentials for all of the registries that you need to connect to. The NPM client will look at your project's .npmrc, discover the registry, and fetch matching credentials from $home/.npmrc or $env.HOME/.npmrc. Credential acquisition will be discussed in the next section.

This enables you to share project's .npmrc with the whole team while keeping your credentials secure.

Set up authentication on your dev box

You should have a project specific .npmrc containing only your feed's registry information that you discovered from the "Connect to Feed" dialog. There should be no credentials in this file and the file itself is usually adjacent to your project's package.json.

IMPORTANT: There can only be a single "registry=" line in your .npmrc. Multiple registries are possible with upstream sources, or by using scopes (not recommended).

Windows

If you are developing on Windows, we recommend that you use vsts-npm-auth to fetch credentials and inject them into your %USERPROFILE%\.npmrc on a periodic basis. The easiest way to set this up is to install vsts-npm-auth globally (i.e. npm install -g vsts-npm-auth) and then add a run script in your project's package.json.

"scripts": {
    "refreshVSToken" : "vsts-npm-auth -config .npmrc"
}

Linux or Mac

If you are developing on Linux or Mac, vsts-npm-auth is not supported and we recommend generating a token in the following manner for your $HOME/.npmrc

The Connect to feed dialog box generates an appropriately formatted token that you can place into your .npmrc file with a lifespan of 90 days.

If you want to create a token that lasts longer than 90 days, skip to the second of the following methods.

90-day token:

  1. From Azure Artifacts, select Connect to feed.

  2. Select npm.

  3. Select Generate npm credentials. Copy the credentials to add them to your user .npmrc file manually:

    Connect to feed from Azure Artifacts Linux/Mac credentials

  1. From the Packages page, select Connect to feed.

  2. Select npm.

  3. Select Generate npm credentials. Copy the credentials to add them to your user .npmrc file manually:

    Connect to feed from Azure Artifacts Linux/Mac credentials

Create a token that lasts longer than 90 days:

  1. Browse to security and generate a PAT with a narrow scope of "Packaging (read and write)."

  2. Base64 encode the PAT.

    [Convert]::ToBase64String([system.Text.Encoding]::UTF8.GetBytes("YOUR_PAT_GOES_HERE"))
    
  3. In your $home/.npmrc file, add the following lines. Replace yourorganization and yourfeed, and add your username (can be anything except empty), PAT, and email.

    //pkgs.dev.azure.com/<yourorganization>/_packaging/<yourfeed>/npm/registry/:username=ANYTHING-BUT-EMPTY
    //pkgs.dev.azure.com/<yourorganization>/_packaging/<yourfeed>/npm/registry/:_password=BASE64-ENCODED-PAT-GOES-HERE
    //pkgs.dev.azure.com/<yourorganization>/_packaging/<yourfeed>/npm/registry/:email=YOUREMAIL@EXAMPLE.COM
    //pkgs.dev.azure.com/<yourorganization>/_packaging/<yourfeed>/npm/registry/:always-auth=true
    

vsts-npm-auth is not supported on TFS.

Set up authentication in a build task

There are two options for setting up authentication in a build task:

Without a Task Runner

To set up npm authentication in a build task without a task runner, follow the directions below.

  1. Select Azure Pipelines, it should automatically take you to the Builds page.

    navigate to builds tab

  2. Create a new pipeline.

    builds-tab-mine-new-button

  3. Choose your source Project, Repository, and Default branch and select Continue.

  4. Start with an Empty job.

  5. On the left side, select the plus sign ( + ) to add a task to Job 1. On the right side, select the Package category, select the npm task from the list, and then choose Add.

    builds-tab-add-task-to-job

  6. Select the npm install task, then browse to and select your Working folder with package.json:

    Add task to build pipeline

  7. Expand Custom registries and authentication, here you have a few options:

    • Registries in my .npmrc

      Add task to build pipeline

      You can choose credentials to authenticate to outside of your current organization/collection by setting up service connections.

    • Registry I select here

      Add task to build pipeline

      When you choose this option, the task will create a temporary .npmrc with credentials for the registry you've selected and it will override the project's .npmrc. This is useful when you want to publish to a specific feed.

  8. Select Save & queue, and then select Save.

  1. Select Build and Release, and then choose Builds.

    navigate to builds tab

  2. Create a new pipeline.

    builds-tab-mine-new-button

  3. Choose your source Project, Repository, and Default branch and select Continue.

  4. Start with an Empty job.

  5. On the left side, select the plus sign ( + ) to add a task to Job 1. On the right side, select the Package category, select the npm task from the list, and then choose Add.

    builds-tab-add-task-to-job

  6. Select the npm install task, then browse to and select your Working folder with package.json:

    Add task to build pipeline

  7. Expand Custom registries and authentication, here you have a few options:

    • Registries in my .npmrc

      Add task to build pipeline

      You can choose credentials to authenticate to outside of your current organization/collection by setting up service connections.

    • Registry I select here

      Add task to build pipeline

      When you choose this option, the task will create a temporary .npmrc with credentials for the registry you've selected and it will override the project's .npmrc. This is useful when you want to publish to a specific feed.

  8. Select Save & queue, and then select Save.

With a Task Runner (e.g. make gulp work)

When using a task runner, you'll need to add the npm Authenticate build task at the beginning of your build pipeline. This will inject credentials into your project's .npmrc and persist them for the lifespan of the build. This allows subsequent build steps to use the credentials in the .npmrc.

  1. Select Azure Pipelines, it should automatically take you to the Builds page.

    navigate to builds tab

  2. Create a new pipeline.

    builds-tab-mine-new-button

  3. Choose your source Project, Repository, and Default branch and select Continue.

  4. Start with an Empty job.

  5. On the left side, select the plus sign ( + ) to add a task to Job 1. On the right side, select the Package category, select the npm Authenticate task from the list, and then choose Add.

    builds-tab-add-task-to-job

  6. Select the npm Authenticate task underneath Phase 1:

    Add task to build pipeline

  7. Browse to and select your .npmrc file to authenticate:

    Add task to build pipeline

    You can choose credentials to authenticate to outside of your current organization/collection by setting up service connections.

  8. After setting up your npm Authenticate task, you can add other build task(s) for your task runner like Gulp.

  1. Select Build and Release, and then choose Builds.

    navigate to builds tab

  2. Create a new pipeline.

    builds-tab-mine-new-button

  3. Choose your source Project, Repository, and Default branch and select Continue.

  4. Start with an Empty job.

  5. On the left side, select the plus sign ( + ) to add a task to Job 1. On the right side, select the Package category, select the npm Authenticate task from the list, and then choose Add.

    builds-tab-add-task-to-job

  6. Select the npm Authenticate task underneath Phase 1:

    Add task to build pipeline

  7. Browse to and select your .npmrc file to authenticate:

    Add task to build pipeline

    You can choose credentials to authenticate to outside of your current organization/collection by setting up service connections.

  8. After setting up your npm Authenticate task, you can add other build task(s) for your task runner like Gulp.

Troubleshooting vsts-npm-auth

If you receive an error like:

  • Command Prompt: 'vsts-npm-auth' is not recognized as an internal or external command, operable program or batch file.
  • PowerShell: vsts-npm-auth : The term 'vsts-npm-auth' is not recognized as the name of a cmdlet, function, script file, or operable program.

then it's likely that the npm modules folder is not in your path.

To fix this, re-run Node.js setup and ensure the Add to PATH option and its child options are selected for installation.

Add to PATH install option in Node.js setup

Alternatively, you can edit the PATH variable to add %APPDATA%\npm (Command Prompt) or $env:APPDATA\npm (PowerShell).