When running yarn, yarn.lock file is generated with private token from bash

Question

I'm using Gem Fury for some of our private packages. I set the yarn registry to use their proxy for public and our private node modules:

yarn config set registry "https://npm-proxy.fury.io/$GEMFURY_TOKEN/username"

GEMFURY_TOKEN is set in .bash. yarn config get registry produces:

https://npm-proxy.fury.io/$(GEMFURY_TOKEN)/username

When we run yarn, the yarn.lock file will generate this:

[email protected]:
  version "0.1.0"
  resolved "https://npm.fury.io/username/private-module/-/0.1.0.tgz?auth=<GEMFURY TOKEN>"
  dependencies:
    ember-cli-babel "^5.1.6"

[email protected]:
  version "0.1.4"
  resolved "https://npm.fury.io/username/private-module-2/-/0.1.4.tgz?auth=<GEMFURY TOKEN>"
  dependencies:
    ember-cli-babel "^5.1.6"
    ember-inflector "^1.9.6"

I don't want private tokens in the git repository. Is there a way I can exclude the token from being added to the yarn.lock file on generation?

Answer 1

Try to set up npm as described in Gem Fury documentation. The crucial parts are setting always-auth to true and using npm login

If this doesn't help then you can use Git pre-commit hooks that will remove credentials from yarn.lock when changes are commited to Git repository.

Answer 2

We solved this problem recently, but the Gemfury documentation doesn't really make it obvious. If you need to pull or push in your CI build then I don't think you should use npm login as that will modify your home .npmrc, which isn't very helpful. We found that all you need to do is change your project's .npmrc to use the shared organization account. This way you can have your project's .npmrc version controlled so your developers and your CI server can read from the same registry URL while keeping your lock file token-free:

@MY_ORG:registry=https://npm-proxy.fury.io/MY_ORG/
always-auth=true
//npm-proxy.fury.io/MY_ORG/:_authToken=${GEMFURY_TOKEN}