Nite

Reputation: 383

Personal Access Tokens for installing GitHub npm packages

I managed to publish a simple test package on the GitHub package registry using this tutorial: https://docs.github.com/en/packages/quickstart

Now, if I understand correctly, to use it in a project I have to create a .npmrc file with the following lines:

@OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=PAT

1- If somebody else wants to install my public package, do I need to provide them my own PAT? Or can you install any GitHub public package with your own PAT?

2- How can I hide my PAT from the .npmrc file? I tried to set up a TOKEN variable in my .env file (located in the same directory as the .npmrc file) and calling it with ${TOKEN}, but it doesn't seem to work (authentication fails when running npm install, while inserting the same PAT directly in the file works).

Thanks

Upvotes: 9

Views: 30431

Answers (2)

tinaheidinger

Reputation: 954

1: Any PAT with the read:packages scope can read public packages. You don't need to provide your own PAT to anyone. See docs for details.

2: npm doesn't read from local .env files. You need to export the PAT as an environment variable (export TOKEN="ABC123"). Then you can use it with ${TOKEN} when calling the registry.

Upvotes: 7

JobanM

Reputation: 11

Looks like you'll have to export your PAT from your local machine's shell since .npmrc does not read the .env file. Please see the following thread: https://stackoverflow.com/a/55578270/6026781

Upvotes: 1
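The setup both answers describe, as an added example that is not part of either answer: a project .npmrc that names the token only as `${TOKEN}`, a check that fails when a literal token is written into the file, and a check showing that a variable must be exported before a child process such as npm can see it. The scope `@OWNER` and the variable `TOKEN` come from the question; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; @OWNER and TOKEN follow the question.

# Write a project .npmrc that references the token by name only.
# Single quotes keep ${TOKEN} literal in the file, so the secret itself
# is never written to disk or committed with the project.
write_npmrc() {
  dir=$1
  {
    printf '%s\n' '@OWNER:registry=https://npm.pkg.github.com'
    printf '%s\n' '//npm.pkg.github.com/:_authToken=${TOKEN}'
  } > "$dir/.npmrc"
}

# Return 0 when every _authToken value in the file is a ${VAR} reference,
# 1 when at least one line carries a literal token (suitable as a
# pre-commit or CI check).
npmrc_token_is_externalized() {
  file=$1
  if grep -E '_authToken=' "$file" \
     | grep -Evq '_authToken=[$][{][A-Za-z_][A-Za-z0-9_]*[}][[:space:]]*$'; then
    return 1
  fi
  return 0
}

# Return 0 when the variable named in $1 is visible to a child process.
# A plain assignment (or a line in a .env file) is not; an exported
# variable is, which is the difference the answers point out.
token_is_exported() {
  name=$1
  sh -c "[ -n \"\${$name:-}\" ]"
}
```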
