Using private npm packages

Edit this page

Learn how to configure EAS Build to use private npm packages.


EAS Build has full support for using private npm packages in your project. These can either be published to npm (if you have the Pro/Teams plan) or to a private registry (for example, using self-hosted Verdaccio).

Before starting the build, you will need to configure your project to provide EAS Build with your npm token.

Default npm configuration

By default, EAS Build uses a self-hosted npm cache that speeds up installing dependencies for all builds. Every EAS Build builder is configured with a .npmrc file for each platform:

Android

registry=http://npm-cache-service.worker-infra-production.svc.cluster.local:4873

iOS

registry=http://10.254.24.8:4873

Private packages published to npm

If your project is using private packages published to npm, you need to provide EAS Build with a read-only npm token so that it can install your dependencies successfully.

The recommended way is to add the NPM_TOKEN secret to your account or project's secrets:

For more information on how to do that, see secret environment variables.

When EAS detects that the NPM_TOKEN environment variable is available during a build, it automatically creates the following .npmrc:

.npmrc
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
registry=https://registry.npmjs.org/

However, this only happens when .npmrc is not in your project's root directory. If you already have this file, you need to update it manually.

You can verify if it worked by viewing build logs and looking for the Prepare project build phase:

Packages published to a private registry

If you're using a private npm registry such as self-hosted Verdaccio, you will need to configure the .npmrc manually.

Create a .npmrc file in your project's root directory with the following contents:

.npmrc
registry=__REPLACE_WITH_REGISTRY_URL__

If your registry requires authentication, you will need to provide the token. For example, if your registry URL is https://registry.johndoe.com/, then update the file with:

.npmrc
//registry.johndoe.com/:_authToken=${NPM_TOKEN}
registry=https://registry.johndoe.com/

Both private npm packages and private registry

This is an advanced example.

Private npm packages are always scoped. For example, if your npm username is johndoe, the private self-hosted registry URL is https://registry.johndoe.com/. If you want to install dependencies from both sources, create a .npmrc in your project's root directory with the following:

.npmrc
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
@johndoe:registry=https://registry.npmjs.org/
registry=https://registry.johndoe.com/

Submodules in private repositories

If you have a submodule in a private repository, you will need to initialize it by setting up an SSH key. For more information, see submodules initialization.