How to access private NPM repository in Docker


For privacy reasons, you may store private packages in a private NPM repository and pull them from there, instead of from the public registry, while building your Node application. We will use a Nexus repository in this illustration.

The Dockerfile is usually the place where we configure access to the private repository so that operations such as `npm install <package_name>` can run.

Methods to configure

  1. Update NPM config setting on Dockerfile
  2. Using .npmrc File

Create the NPM token for accessing the repository

Before we go into the details, we first create the token used to access the Nexus private NPM registry.

We can create it by joining your NPM repository username and password and encoding the result with base64 via the command below. Base64 is an encoding, not encryption, so treat the resulting token as you would the password itself.

```sh
echo -n '<your_username>:<your_password>' | openssl base64
```

Update NPM config setting on Dockerfile

Here we use the latest LTS version of Node as the base Docker image (16.14.2 at the time of writing).

With the token created in the previous step, we inject it into the Dockerfile through a build argument:

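```dockerfile
FROM node:16.14.2-alpine3.14 as webapp

# Build argument supplied with --build-arg at build time
ARG NPM_TOKEN

RUN npm config set registry https://nexus-url.com/repo/private_npm
# strict-ssl false turns off TLS certificate verification for the registry
RUN npm config set strict-ssl false
RUN npm config set _auth ${NPM_TOKEN}

RUN npm install <package_name>
```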

So that NPM_TOKEN is used only at build time and is not stored as an environment variable in the built image, we use `--build-arg` to pass in the token:

```sh
docker build --build-arg NPM_TOKEN="generated-token" .
```

Using .npmrc File

Create the .npmrc file with the text below inside the project root directory.


In the Dockerfile, we copy in the .npmrc file we created so that NPM uses the settings in the file.

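```dockerfile
FROM node:16.14.2-alpine3.14 as webapp

# Build argument supplied with --build-arg at build time
ARG NPM_TOKEN

COPY .npmrc .npmrc
COPY package.json package.json

RUN npm install <package_name>
# Removes the file from the final layer only; the COPY layer above still contains it
RUN rm -f .npmrc
```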

We will use the same command:

```sh
docker build --build-arg NPM_TOKEN="generated-token" .
```


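Do note that the above method is not secure, as the token may be leaked if the image is published: build argument values are recorded in the image history, and `rm -f .npmrc` only hides the file in a later layer while the layer that copied it still holds it. Thus, you can squash the commits as stated in the official documentation.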
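
To check whether an image built this way exposes the token, the added example below (not part of the original post) scans `docker history` output for credential-like build arguments; it generalizes beyond `NPM_TOKEN` to any argument whose name contains TOKEN, AUTH, PASSWORD or SECRET. The sample history is constructed, assumes `ARG NPM_TOKEN` is declared right after `FROM`, and `find_leaked_args` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example, not from the original post: report build arguments with
# credential-like names that are recorded in an image's layer history.

# Constructed sample of: docker history --no-trunc --format '{{.CreatedBy}}' <image>
# for the first Dockerfile above, built with --build-arg NPM_TOKEN="generated-token".
SAMPLE_HISTORY='RUN |1 NPM_TOKEN=generated-token /bin/sh -c npm install <package_name> # buildkit
RUN |1 NPM_TOKEN=generated-token /bin/sh -c npm config set _auth ${NPM_TOKEN} # buildkit
RUN |1 NPM_TOKEN=generated-token /bin/sh -c npm config set strict-ssl false # buildkit
RUN |1 NPM_TOKEN=generated-token /bin/sh -c npm config set registry https://nexus-url.com/repo/private_npm # buildkit
ARG NPM_TOKEN
CMD ["node"]'

# find_leaked_args (hypothetical helper): reads CreatedBy lines on stdin and
# prints one finding per layer. Values are never printed, only the names.
find_leaked_args() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "-c") break            # the shell command starts here
            if ($i ~ /^[A-Za-z_][A-Za-z0-9_]*=./) {
                name = $i
                sub(/=.*/, "", name)         # keep NAME, drop the value
                if (toupper(name) ~ /TOKEN|AUTH|PASSWORD|SECRET/)
                    print "layer " NR ": build arg " name " is stored in image history"
            }
        }
    }'
}

# On a real image:
#   docker history --no-trunc --format '{{.CreatedBy}}' <image> | find_leaked_args
printf '%s\n' "$SAMPLE_HISTORY" | find_leaked_args
```

Every `RUN` step that follows the `ARG` declaration is reported, because each of those history entries carries the argument value.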

