Publish npm package from sub group/project
Problem to solve
As a developer, when I am using the NPM Registry, I need to be able to authenticate and upload packages at the group level, so that I can effectively work within my team's project structure.
- Currently we only support project level authentication and upload for NPM.
- Larger organizations that rely on groups and subgroups are currently blocked from using the NPM Registry.
- This is inconsistent with our Maven Repository which allows for authentication and publishing at the group and instance level.
The goal of this issue is to drive adoption of the GitLab NPM Registry. Currently any user that is leveraging groups/sub-groups is blocked from using the feature. In addition, it will start to create parity between our Maven and NPM registries.
We will create a new endpoint for the NPM Registry to allow for authentication and publishing at the group/sub-group level.
Users will use the group level endpoint for all their NPM packages stored within a given GitLab group. Only packages they have access to will be available for download.
When the group or sub-group endpoint is used, two projects within that group can each contain a package with the same name and version. In that case, we will serve whichever one was published more recently, considering only the projects the requesting user has access to.
Due to NPM restrictions, users will still be required to authenticate with OAuth.
Sample .npmrc file
; Set URL for your scoped packages.
; For example, a package with name `@foo/bar` will use this URL for download
@foo:registry=https://gitlab.com/api/v4/packages/npm/
; Add the OAuth token for the scoped packages URL. This will allow you to download
; `@foo/` packages from private projects.
//gitlab.com/api/v4/packages/npm/:_authToken=<your_oauth_token>
; Add the OAuth token for uploading to the registry. Replace <your_group_id>
; with the ID of the group or project you want your package to be uploaded to.
//gitlab.com/api/v4/projects/<your_group_id>/packages/npm/:_authToken=<your_oauth_token>
Treat `<your_oauth_token>` like a password: keep it in a per-user `~/.npmrc` or supply it through an environment variable (npm expands `${VAR}` references in `.npmrc`), and do not commit a project-level `.npmrc` that contains it.
Permissions and Security
- Reporters, Developers, Maintainers and Owners that have access to the group/sub-group should have access to pull from the NPM Registry.
- Developers, Maintainers, and Owners that have access to the group/sub-group should have access to publish to the NPM Registry.
- We will update NPM Registry documentation to include support for group/sub-group end-points and remove the top-level note that we do not currently support them. We will also include a warning about naming collisions, similar to how we message the issue in our Maven Repository documentation.
- We must ensure that the change does not break the existing project level endpoint for the NPM registry. Users must still be able to authenticate and publish at the project level.
- We must test the group and sub-group levels and ensure that it's working properly.
- Test with multiple permission levels and ensure there are no security violations with this enhancement, for example a Reporter being able to publish, or a user being served a package from a project in the group that they cannot access.
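The rules above (pull for Reporter and up, publish for Developer and up, and the same-name/same-version collision rule from the group endpoint description) can be modelled to make the expected behaviour testable. The following is an added example, not GitLab's code: the numeric access levels, the `Package` struct, the membership map and the sample packages are assumptions constructed for illustration.

```ruby
# Added example (not GitLab's code) modelling the group-level npm registry
# rules from this issue. Access level names follow GitLab; the numeric
# values are an assumption for the example.
require 'time'

ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Minimum access level per registry action, as stated in the issue:
# pull needs Reporter or above, publish needs Developer or above.
MIN_LEVEL = { pull: ACCESS_LEVELS[:reporter], publish: ACCESS_LEVELS[:developer] }.freeze

# Hypothetical package record: which project it lives in, name, version, publish time.
Package = Struct.new(:project_id, :name, :version, :published_at, keyword_init: true)

# access_level is nil when the user has no membership on the project at all.
def allowed?(access_level, action)
  min = MIN_LEVEL.fetch(action) { raise ArgumentError, "unknown action #{action}" }
  !access_level.nil? && access_level >= min
end

# memberships: { project_id => access_level } for the requesting user.
# packages: every package stored in any project of the group/sub-group tree.
# Access is filtered BEFORE choosing the most recent copy, so a newer copy in a
# project the user cannot see is neither served nor allowed to hide an older one.
def resolve_package(packages, memberships, name, version)
  candidates = packages.select do |pkg|
    pkg.name == name && pkg.version == version &&
      allowed?(memberships[pkg.project_id], :pull)
  end
  # Collision rule from the issue: same name and version in two projects,
  # serve the more recently published one. nil when nothing is visible.
  candidates.max_by(&:published_at)
end

def can_publish?(memberships, project_id)
  allowed?(memberships[project_id], :publish)
end

# Constructed sample data: three projects in one group all publishing @foo/bar 1.0.0.
PACKAGES = [
  Package.new(project_id: 1, name: '@foo/bar', version: '1.0.0', published_at: Time.utc(2019, 1, 1)),
  Package.new(project_id: 2, name: '@foo/bar', version: '1.0.0', published_at: Time.utc(2019, 6, 1)),
  Package.new(project_id: 3, name: '@foo/bar', version: '1.0.0', published_at: Time.utc(2019, 9, 1))
].freeze

# Constructed user: Reporter on project 1, Developer on project 2, no access to project 3.
MEMBERSHIPS = { 1 => ACCESS_LEVELS[:reporter], 2 => ACCESS_LEVELS[:developer] }.freeze

if $PROGRAM_NAME == __FILE__
  served = resolve_package(PACKAGES, MEMBERSHIPS, '@foo/bar', '1.0.0')
  puts "served from project #{served.project_id}"   # project 2, not the newer but hidden project 3
  puts "publish to 1: #{can_publish?(MEMBERSHIPS, 1)}, 2: #{can_publish?(MEMBERSHIPS, 2)}, 3: #{can_publish?(MEMBERSHIPS, 3)}"
end
```

The ordering inside `resolve_package` is the security-relevant choice: the sample user never sees project 3's copy even though it is the most recent, and an attacker who can publish to one project in the group cannot shadow a package for users who lack access to that project.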
What does success look like, and how can we measure that?
Success looks like we unlock usage of the NPM registry for users with groups and sub-groups. We have several customers asking for this functionality and we can test their use cases and ensure it's working for them. In addition, we should see an uptick in adoption and usage of the NPM Registry. We will test that by measuring the total number of NPM packages over time as well as the number of updates to the registry over time.
What is the type of buyer?
This impacts premium and ultimate customers the most as larger organizations are expected to require the usage of groups to better segment their teams and work.