Chris Snow - 1 month ago
Node.js Question

How to determine where npm packages are hosted?

I'm trying to install some npm packages on a machine that has controlled access to the Internet. I can request that the network team grant me access to a remote host/port but I'm not clear which hosts/ports I need to access.

Are all the packages that are installed via npm available via a single host/port? If not, how can I determine the list of hosts/ports that I need access to?

I appreciate that opening access to npm hosts/ports may not be the best approach from a security perspective and that it may be better to download the npm modules on a separate machine and then upload them to my secure host.

Answer Source

There are two standard places for storing npm packages: https://registry.npmjs.org and https://github.com. You must have access only to them.

Install some packages and create an npm-shrinkwrap.json file (using the command npm shrinkwrap for npm<5; in npm>5 this file is called package-lock.json and it's generated automatically). Open the created lock file and take a look at the resolved field of each package.

Part of the npm-shrinkwrap.json file:

"lodash": {
  "version": "4.17.4",
  "from": "lodash@4.17.4",
  "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz"
},

"ng-bootstrap-lightbox": {
  "version": "1.0.1",
  "from": "git+https://github.com/themyth92/ng-bootstrap-lightbox.git",
  "resolved": "git+https://github.com/themyth92/ng-bootstrap-lightbox.git#b44c086723ccf066834b3edb654273c4661a4ad1"
}
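
The check described in the answer can be automated. The following is an added example, not part of the original answer: it walks a parsed lock file and returns the distinct host:port pairs found in the resolved fields. The function names and the npm.example.internal entry are assumptions made for illustration.

```javascript
// Added example: derive the firewall allow-list from a lock file's "resolved" URLs.
const DEFAULT_PORTS = { 'https:': 443, 'http:': 80, 'ssh:': 22, 'git:': 9418 };

// Convert one "resolved" value to "host:port"; null if it is not a network URL.
function endpointOf(resolved) {
  if (typeof resolved !== 'string') return null;
  // Git dependencies are written as "git+https://host/repo.git#<commit>".
  const stripped = resolved.replace(/^git\+/, '');
  let url;
  try { url = new URL(stripped); } catch (e) { return null; }
  const port = url.port || DEFAULT_PORTS[url.protocol];
  if (!url.hostname || !port) return null; // e.g. file: dependencies
  return `${url.hostname}:${port}`;
}

// Walk "dependencies" (npm-shrinkwrap.json / lockfileVersion 1, nested) and
// "packages" (lockfileVersion 2 and 3, flat), collecting every endpoint.
function collectEndpoints(lock, found = new Set()) {
  for (const section of [lock.dependencies, lock.packages]) {
    for (const entry of Object.values(section || {})) {
      if (!entry || typeof entry !== 'object') continue; // version-range strings
      const ep = endpointOf(entry.resolved);
      if (ep) found.add(ep);
      if (entry.dependencies) collectEndpoints({ dependencies: entry.dependencies }, found);
    }
  }
  return found;
}

function listEndpoints(lock) {
  return [...collectEndpoints(lock)].sort();
}

// Constructed sample: the two entries from the answer plus a hypothetical
// nested dependency served from a private registry on a non-default port.
const SAMPLE = {
  dependencies: {
    lodash: { version: '4.17.4', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz' },
    'ng-bootstrap-lightbox': {
      version: '1.0.1',
      resolved: 'git+https://github.com/themyth92/ng-bootstrap-lightbox.git#b44c086723ccf066834b3edb654273c4661a4ad1',
      dependencies: {
        'internal-lib': { version: '0.0.1', resolved: 'https://npm.example.internal:8443/internal-lib/-/internal-lib-0.0.1.tgz' },
      },
    },
  },
};

console.log(listEndpoints(SAMPLE).join('\n'));
```

To run it on a real project, pass listEndpoints the result of JSON.parse on the contents of package-lock.json or npm-shrinkwrap.json. The list covers only the resolved URLs; packages whose install scripts download additional files will contact hosts that do not appear in the lock file.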