npm dependencies integration with Sourcegraph
You can use Sourcegraph with npm packages from any npm registry, including open source code from npmjs.com or a private registry such as Verdaccio.
This integration makes it possible to search and navigate through the source code of published JavaScript or TypeScript packages (for example, @types/[email protected]).
| Feature | Supported? |
|---|---|
| Repository syncing | ✅ |
| Credentials | ✅ |
| Rate limiting | ✅ |
| Repository permissions | ❌ |
| Multiple npm dependencies code hosts | ❌ |
Repository syncing
There are three ways to sync npm dependency repositories.
- LSIF (recommended): run
lsif-nodeagainst your JS/TS codebase and upload the generated index to Sourcegraph using the src-cli commandsrc lsif upload. Sourcegraph automatically synchronizes npm dependency repositories based on the dependencies that are discovered bylsif-node. - Dependencies search: Sourcegraph automatically synchronizes npm dependency repositories that are in
package-lock.jsonoryarn.lockfiles during a dependencies search. - Code host configuration: manually list dependencies in the
"dependencies"section of the JSON configuration when creating the npm dependency code host. This method can be useful to verify that the credentials are picked up correctly without having to upload LSIF.
Credentials
Use the "credentials" section of the JSON configuration to provide an access token for your private npm registry. See the official npm documentation for more details about how to create, list and view npm access tokens.
Rate limiting
By default, requests to the npm registry will be rate-limited based on a default internal limit which complies with the documented acceptable use policy of registry.npmjs.org (i.e. max 5 million requests per month).
"rateLimit": { "enabled": true, "requestsPerHour": 3000.0 }
where the requestsPerHour field is set based on your requirements.
Not recommended: Rate-limiting can be turned off entirely as well. This increases the risk of overloading the code host.
"rateLimit": { "enabled": false }
Repository permissions
⚠️ npm dependency repositories are visible by all users of the Sourcegraph instance.
Multiple npm dependencies code hosts
⚠️ It's only possible to create one npm dependency code host for each Sourcegraph instance. See the issue sourcegraph#32499 for more details about this limitation. In most situations, it's possible to work around this limitation by configurating a single private npm registry to proxy multiple underlying registries.