This repository has been archived by the owner. It is now read-only.
[DEPRECATED] Use private GitHub repos as npm dependencies on Heroku.
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.editorconfig
.eslintignore
.eslintrc
.gitignore
LICENSE.md
README.md
index.js
package.json

README.md

This package is deprecated

Doesn't work with private packages inside other packages, I tried to solve this using the npm hook preinstall but this npm bug/feature makes the solution inviable preinstall execution order in npm@3.x.

See next branch for the last unreleased version.

Heroku Private Modules

Use private GitHub repos as npm dependencies on Heroku.

Heroku doesn't has access to your private git repositories so every deploy of an app with private git dependencies fails.

This changes your package.json private GitHub dependencies (before Heroku installs your dependencies) with a url of the dependency with a GitHub access token.

Installation

npm i --save heroku-private-modules

Usage

  1. Create a Github OAuth token with "repo" scope.
  2. Set on Heroku the config var GITHUB_TOKEN with the token of the previous step.
  3. On your app add the npm script heroku-prebuild with npm i heroku-private-modules && heroku-private-modules.
"heroku-prebuild": "npm i heroku-private-modules && heroku-private-modules"

Background

I choose this solution to have the secrets out of the source control, keep the projects with the minimum configuration required and also because it seems to me the less risky solution.

Recommendation: create a GitHub user and only give him permissions to the required private repos, and use the token from this account. So if the token gets compromised the attacker will only access to only a part of the privates repos of your org/personal user.

Other solutions with different tradeoffs:

License

Heroku Private Modules is MIT licensed.