npm Integration

npm resolves packages using the registry configured in .npmrc. Routing npm through the Lineaje Proxy requires pointing .npmrc at the Proxy's npm endpoint and supplying a Base64-encoded authentication token.

Proxy npm URL

// Enforce Mode: block all non-compliant builds  
https://enforce.fortknox.v2.prod.veedna.com/artifactory/api/npm/gos-all-proxy-npm   

// Observe Mode: Report all non-compliant dependency downloads  
https://observe.fortknox.v2.prod.veedna.com/artifactory/api/npm/gos-all-proxy-npm   
.npmrc Configuration

Commit a .npmrc file to the repository root with the Proxy registry and a placeholder for the auth token that is injected at build time:

# .npmrc 
registry=https://enforce.fortknox.v2.prod.veedna.com/artifactory/api/npm/gos-all-proxy-npm/ 

# Auth token injected at build time — do NOT hard-code credentials in this file 
//enforce.fortknox.v2.prod.veedna.com/artifactory/api/npm/gos-all-proxy-npm/:_auth=${NPM_AUTH_TOKEN}
always-auth=true 

File: .npmrc. Commit to repository root.

Never commit a .npmrc file that contains a real token or password. The ${NPM_AUTH_TOKEN} placeholder is expanded at build time using the value set in the Jenkinsfile.

Jenkinsfile Configuration

The Jenkinsfile generates the Base64-encoded _auth token from the Jenkins credential and injects it into the npm environment:

pipeline { 
    agent any 
  
    tools { 
        // Ensure this NodeJS tool is configured in your Jenkins "Global Tool Configuration" 
        nodejs 'NodeJS'  
    } 
  
    environment { 
        // Using the same credentials ID as the Maven project 
        ARTIFACTORY_CREDS = credentials('<ID>') 
    } 
  
    stages { 
        stage('Build') { 
            steps { 
                script { 
                    // Generate Base64 auth token from username and password 
                    // This is required for .npmrc _auth 
                    def auth = java.util.Base64.getEncoder().encodeToString("${ARTIFACTORY_CREDS_USR}:${ARTIFACTORY_CREDS_PSW}".toString().getBytes('UTF-8')) 
                     
                    // Inject the auth token into the environment for .npmrc to use.
                    // Base64 is reversible, so this value is as sensitive as the password itself.
                    withEnv(["NPM_AUTH_TOKEN=${auth}"]) { 
                        sh 'npm cache clean --force' 
                        sh 'npm install --verbose' 
                        // Verify that packages were resolved from JFrog 
                        sh 'grep "resolved" package-lock.json || true' 
                        sh 'npm start' 
                    } 
                } 
            } 
        } 
    } 
} 

File: Jenkinsfile (Declarative Pipeline)

Verifying Proxy Routing

The --verbose flag causes npm to log the full tarball URL. Confirm the Proxy URL appears:

# Expected in build log: 
npm http fetch GET 200 
  https://enforce.fortknox.v2.prod.veedna.com/artifactory/api/npm/ 
  gos-all-proxy-npm/lodash/-/lodash-4.17.21.tgz 
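
The grep step in the Jenkinsfile prints every "resolved" line without checking its host. The following added example (not part of the original page or of Lineaje's tooling) parses package-lock.json and reports entries whose resolved URL does not start with the Enforce Mode endpoint; the function names, the check-lock.js file name and the sample lockfile are constructed for illustration.

```javascript
// Added example: list package-lock.json entries not resolved through the Proxy.
// PROXY_PREFIX is the Enforce Mode URL from this page; function names are hypothetical.
const PROXY_PREFIX =
  'https://enforce.fortknox.v2.prod.veedna.com/artifactory/api/npm/gos-all-proxy-npm/';

// Gather [name, resolved] pairs. Lockfile v2/v3 has a flat "packages" map;
// v1 only has nested "dependencies", so fall back to walking that tree.
function collectResolved(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      // Skip the root project and workspace links (their "resolved" is a local path).
      if (path !== '' && !pkg.link && pkg.resolved) out.push([path, pkg.resolved]);
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      if (dep.resolved) out.push([prefix + name, dep.resolved]);
      walk(dep.dependencies, prefix + name + ' > ');
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// Entries whose tarball URL does not start with the Proxy prefix (trailing slash included).
function findOffProxy(lock, prefix = PROXY_PREFIX) {
  return collectResolved(lock)
    .filter(([, url]) => !url.startsWith(prefix))
    .map(([name, url]) => ({ name, url }));
}

// Constructed sample lockfile (not from a real build).
const sampleLock = {
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/lodash': { resolved: PROXY_PREFIX + 'lodash/-/lodash-4.17.21.tgz' },
    'node_modules/left-pad': { resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
    'node_modules/local-lib': { resolved: 'packages/local-lib', link: true },
  },
};
// CLI: "node check-lock.js package-lock.json" exits 1 on findings; no argument runs the sample.
const lockPath = process.argv[2];
const loaded = lockPath ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8')) : sampleLock;
const offProxy = findOffProxy(loaded);
offProxy.forEach((f) => console.log(`off-proxy: ${f.name} -> ${f.url}`));
if (lockPath && offProxy.length) process.exitCode = 1;
```

A flagged entry reflects what the lockfile records, which may predate the Proxy configuration; the --verbose build log remains the record of what the build actually fetched.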

To detect policy violations, search build logs for the string. To learn more, see Detecting Policy Violations in Build Logs.
