Skip to main content

Using a private registry

Setting up a private registry can be achieved in a few ways, let's review all of them. The following commands might be different based on the package manager you are using.

npm (5.x, 6.x)#

To set the registry in the .npmrc file use the following:

npm set registry http://localhost:4873/

If you want one single use --registry after the required command.

npm install --registry http://localhost:4873

Write it yourself by defining in your .npmrc a registry field.


Since npm@5.x ignores the resolve field in defined in the lock files, while pnpm@4.x and yarn@1.x does the opposite.

Or a publishConfig in your package.json

{  "publishConfig": {    "registry": "http://localhost:4873"  }}

By using the publishConfig the previous two options would be ignored, only use this option if you want to ensure the package is not being published anywhere else.

If you are using either npm@5.4.x or npm@5.5.x, there are known issues with tokens, please upgrade to either 6.x or downgrade to npm@5.3.0.

SSL and certificates#

When using Verdaccio under SSL without a valid certificate, defining strict-ssl in your config file is required otherwise you will get SSL Error: SELF_SIGNED_CERT_IN_CHAIN errors.

npm does not support invalid certificates anymore since 2014.

npm config set ca ""npm config set strict-ssl false

npm (7.x)#

npm v7.0.0 is more strict with the new v2 lockfile. If you have mixed resolved fields in your lockfile, for instance, having this in your lockfile:

{  "name": "npm7",  "version": "1.0.0",  "lockfileVersion": 2,  "requires": true,  "packages": {    "": {      "version": "1.0.0",      "license": "ISC",      "dependencies": {        "lodash": "4.17.20",        "underscore": "^1.11.0"      }    },    ..... // removed for simplicity  },  "dependencies": {    "lodash": {      "version": "4.17.20",      "resolved": "",      "integrity": "sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA=="    },    "underscore": {      "version": "1.11.0",      "resolved": "http://localhost:4873/underscore/-/underscore-1.11.0.tgz",      "integrity": "sha512-xY96SsN3NA461qIRKZ/+qox37YXPtSBswMGfiNptr+wrt6ds4HaMw23TP612fEyGekRE6LNRiLYr/aqbHXNedw=="    }  }}

Either running npm i --registry or using .npmrc will fail your installation.


Yarn (1.x)#

Be aware npm configurations are valid on the classic version

The classic version is able to regonize the .npmrc file, but also provides their own configuration file named .yarnrc.

To set up a registry, create a file and define a registry.

// .yarnrcregistry "http://localhost:4873"

By using this version you should enable always-auth in your configuration running:

npm config set always-auth true

yarn@1.x does not send the authorization header on yarn install if your packages requires authentication, by enabling always-auth will force yarn do it on each request.

Yarn Berry (>=2.x)#

Yarn berry does not recognize --registry or .npmrc file anymore.

For defining a registry you must use the .yarnrc.yml located in the root of your project or global configuration.

When you publish a package the `must be used, keep on mind thepublishConfig.registryin thepackage.json` will override this configuration.

// .yarnrc.ymlnpmRegistryServer: "http://localhost:4873"
unsafeHttpWhitelist:  - localhost

unsafeHttpWhitelist is only need it if you don't use https with a valid certificate.

Using scopes is also possible and more segmented, you can define a token peer scope if is required.

npmRegistries:  "":    npmAlwaysAuth: true    npmAuthToken: <TOKEN>npmScopes:  my-company:    npmRegistryServer:    npmPublishRegistry:

for logging via CLi use:

yarn npm login --scope my-company


This includes 4.x and 5.x series.

pnpm recognize by default the configuration at .npmrc and also the --registry value, there is no difference in the implementation.