Configuration

Copy Markdown View Source

npm_ex reads configuration from environment variables, Elixir application config, and .npmrc files where applicable.

Environment variables take precedence over application config.

Registry and auth

config :npm,
  registry: "https://registry.npmjs.org",
  token: System.get_env("NPM_TOKEN"),
  mirror: "https://registry.npmmirror.com"

Environment variables:

NPM_REGISTRY=https://registry.npmjs.org
NPM_TOKEN=npm_...
NPM_MIRROR=https://registry.npmmirror.com

NPM_REGISTRY, NPM_TOKEN, and NPM_MIRROR intentionally use npm-compatible names.

Cache and install paths

config :npm,
  cache_dir: Path.expand("~/.npm_ex"),
  install_dir: "/tmp/npm-installs"

Environment variables:

NPM_EX_CACHE_DIR=~/.npm_ex
NPM_INSTALL_DIR=/tmp/npm-installs

cache_dir stores registry/cache state shared across projects. install_dir controls runtime installs through NPM.install/2.

Exotic dependency policy

config :npm,
  block_exotic_subdeps: true,
  exotic_deps: []

Environment variables:

NPM_EX_BLOCK_EXOTIC_SUBDEPS=true
NPM_EX_EXOTIC_DEPS=github:org/repo#sha,file:../local-package

exotic_deps is an exact-spec allowlist for direct dependencies. Transitive exotic dependencies are blocked by default.

Registry policy

config :npm,
  allowed_registries: ["https://registry.npmjs.org"],
  allow_registry_redirects: false

Environment variables:

NPM_EX_ALLOWED_REGISTRIES=https://registry.npmjs.org,https://registry.npmmirror.com
NPM_EX_ALLOW_REGISTRY_REDIRECTS=false

Allowed registries are compared by origin.

Age warnings

config :npm,
  package_age_warning_days: 7,
  version_age_warning_days: 3

Environment variables:

NPM_EX_PACKAGE_AGE_WARNING_DAYS=7
NPM_EX_VERSION_AGE_WARNING_DAYS=3

Set either value to 0 to disable that warning.

Compromised-package audits

config :npm,
  compromised_db_path: Path.expand("~/.npm_ex/security/compromised_packages.json"),
  compromised_sources: [:local],
  compromised_policy: :error

Environment variables:

NPM_EX_COMPROMISED_DB_PATH=~/.npm_ex/security/compromised_packages.json
NPM_EX_COMPROMISED_SOURCES=local
NPM_EX_COMPROMISED_POLICY=error

compromised_policy can be :error, :warn, or :off.

Inspect effective config

mix npm.config

This prints the active registry, cache path, auth status, link strategy, compromised-package database path, compromised-package sources, and compromised-package policy.