Future integration with npm private packages?

Our team at The Washington Post sometimes uses private npm packages. We also have a team account at Observable. It would be cool if we could use our private npm packages in our team’s private Observable notebooks. Is such a thing possible now? If not, will it be possible in the future?

2 Likes

Hi Harry, thanks for reaching out. We’re exploring the best solutions to recommend around the use of private npm packages and will get back to you early next week.

2 Likes

Thanks Wayne!

Hi @HarryStevens, apologies, need a little more time. I will follow up next week.

Thanks for the update. And honestly, I did not ask the question with the expectation that there would be a solution now or even soon. It was just a feature I was thinking about and thought would be cool and useful. So whenever you guys get to it is great.

1 Like

Could be useful to be able to point to a private npm registry like the CLI allows.

Any news on this? Extremely relevant to some internal decisions at my company and I’d like to push hard for ObservableHQ instead of Jupyter across the org.

1 Like

We have some ideas! But first, a few clarifying questions for @HarryStevens and @mpj:

  • This is with npm’s private modules feature? vs. GitHub or JFrog Artifactory?
  • Does it have a URL and/or require IP-allowlisting in order to access? If so, do you have control over that list to add IPs?

@visnup thank you so much for looking into this! Really excited!

We are currently looking at using AWS CodeArtifact, with all that that implies, with as standard a configuration as possible.

Does that tell you what you need to know? Otherwise, I can direct our engineer that is currently working with artifactory to this thread and try to get you the info that you need?

1 Like

Here are two articles on the AWS docs that give an overview of how it works:
https://docs.aws.amazon.com/codeartifact/latest/ug/tokens-authentication.html
https://docs.aws.amazon.com/codeartifact/latest/ug/npm-auth.html <- this second link is probably the meat of what you want, it’s basically a secret token that you pass (the first link is just how to generate the token, I imagine that we do that on our side and store it as a secret on ObservableHQ)

Ah interesting. And you’re planning on hosting just your own modules on it or also caching/allow-listing an audited set of public modules too? Will code from node or other places be requiring/importing them?

I need to read up on AWS artifactory but I’m wondering if you can dynamically import them from their artifactory urls (using a Secret for the token as you suggested). If some browser-packaging is necessary, I’m wondering if something like Skypack (pro) could work here.

Hi @visnup!
I work with MPJ. We are planning on just using AWS to store our own private modules. So we will be using scoped packages and setting up our repositories accordingly in our npm config. I.e. the packages with our scope will be fetched from our AWS CodeArtifact and the others from https://registry.npmjs.org/, as per usual.

I have not been able to find a way to dynamically import the packages from their repository URL; I think it is limited to using some kind of package manager. It seems like Skypack could be a suitable proxy of sorts, thanks! Although their documentation did not say that much about pro usage, really. For example, how do they do authentication for private repositories? Also, access to their PRO plan seems to be restricted.
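
The scoped-registry setup described in the post above, as an added example that is not part of the original thread: it parses an `.npmrc`, shows which registry each package name resolves to, and checks that the token is only sent to the private registry. The scope `@acme`, the CodeArtifact host and repository name, and the prefix-based token matching (a simplification of npm's own lookup) are assumptions.

```javascript
// Constructed .npmrc: scope, account id, domain and repo name are placeholders.
const SAMPLE_NPMRC = `
registry=https://registry.npmjs.org/
@acme:registry=https://acme-111122223333.d.codeartifact.us-west-2.amazonaws.com/npm/private/
//acme-111122223333.d.codeartifact.us-west-2.amazonaws.com/npm/private/:_authToken=\${CODEARTIFACT_AUTH_TOKEN}
`;

// Collect the default registry, per-scope registries and per-host tokens.
function parseNpmrc(text) {
  const cfg = { defaultRegistry: 'https://registry.npmjs.org/', scopes: {}, tokens: {} };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || line.startsWith(';') || eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'registry') cfg.defaultRegistry = value;
    else if (key.startsWith('@') && key.endsWith(':registry')) cfg.scopes[key.slice(0, -9)] = value;
    else if (key.startsWith('//') && key.endsWith(':_authToken')) cfg.tokens[key.slice(0, -11)] = value;
  }
  return cfg;
}

// Which registry serves this package, and would a token be attached to the request?
function resolve(pkg, cfg) {
  const scope = pkg.startsWith('@') ? pkg.split('/')[0] : null;
  const registry = (scope && cfg.scopes[scope]) || cfg.defaultRegistry;
  const bare = registry.replace(/^https?:/, ''); // "//host/path/", the form token keys use
  const sendsToken = Object.keys(cfg.tokens).some((prefix) => bare.startsWith(prefix));
  return { registry, sendsToken };
}

// Flag settings that leak the token or weaken the private/public split.
function audit(cfg) {
  const findings = [];
  for (const [prefix, value] of Object.entries(cfg.tokens)) {
    // Expect an environment reference such as ${CODEARTIFACT_AUTH_TOKEN}, not a stored literal.
    if (!/^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value)) findings.push(`literal token stored for ${prefix}`);
  }
  for (const [scope, url] of Object.entries(cfg.scopes)) {
    if (!url.startsWith('https://')) findings.push(`${scope} registry is not HTTPS`);
  }
  if (resolve('unscoped-package', cfg).sendsToken) findings.push('token is also sent to the default registry');
  return findings;
}
```

Unscoped names always fall through to the default registry, so private packages published without the scope would be looked up on the public registry instead.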