To resolve packages by name and version, npm talks to a registry website that implements the CommonJS Package Registry specification for reading package info.
npm's package registry implementation supports several write APIs as well, to allow for publishing packages and managing user account information.
The npm public registry is powered by a CouchDB database, of which there is a public mirror at https://skimdb.npmjs.com/registry. The code for the couchapp is available at https://github.com/npm/npm-registry-couchapp.
The registry URL used is determined by the scope of the package (see
npm-scope). If no scope is specified, the default registry is used, which is
supplied by the
registry config parameter. See
npm-config for more on managing npm's configuration.
When making requests of the registry npm adds two headers with information about your environment:
Npm-Scope – If your project is scoped, this header will contain its
scope. In the future npm hopes to build registry features that use this
information to allow you to customize your experience for your
Npm-In-CI – Set to "true" if npm believes this install is running in a
continuous integration environment, "false" otherwise. This is detected by
looking for the following environment variables:
bamboo.buildKey. If you'd like to learn more you may find
the original PR
This is used to gather better metrics on how npm is used by humans, versus
The npm registry does not try to correlate the information in these headers with any authenticated accounts that may be used in the same requests.
The easiest way is to replicate the couch database, and use the same (or similar) design doc to implement the APIs.
If you set up continuous replication from the official CouchDB, and then set your internal CouchDB as the registry config, then you'll be able to read any published packages, in addition to your private ones, and by default will only publish internally.
If you then want to publish a package for the whole world to see, you can
simply override the
--registry option for that
"private": true in your package.json to prevent it from being
published at all, or
to force it to be published only to your internal registry.
package.json for more info on what goes in the package.json file.
No. If you want things to be public, then publish them into the public registry using npm. What little security there is would be for nought otherwise.
No, but it's way easier. Basically, yes, you do, or you have to effectively implement the entire CouchDB API anyway.
Yes, head over to https://www.npmjs.com/
Last modified February 13, 2023 Found a typo? Send a pull request!