How to host private NPM packages for free on GitHub based on a legacy private repo? Is it possible to do it without manual editions to package.json?

Question

My organization has a private repo on GitHub. Basically, a paid extension of Sheetjs which works as a dependency for our web app project.

The task is to create a private NPM package for it. Hopefully, it would make the build process of the application easier.

The "most common way" to execute a task like this is via payment of US$ 7 per user, per month to host it directly at https://www.npmjs.com/

We are not following the path. Especially because we want this for just 1 repo. Instead, we intend to host a private NPM package for free on GitHub.

Hence, I am following this tutorial from early-2020.

My situation is a bit different from the author's. He assumes someone is creating a new package. I am wrapping something that already exists and works. What I did:

1 - Created a branch on our private repo

2 - Got my GitHub token locally

3 - I have a .npmrc file at /Users/pedro (using macOS) indicating:

registry=https://registry.npmjs.org/
@my-organization-name:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=my-GitHub-token-which-will-not-be-shared-here-for-security-reasons

4 - Then, I manually changed the package.json file, inserting:

"publishConfig": {
    "registry":"https://npm.pkg.github.com/"
}

5 - After this, I submitted the PR with the above-mentioned changes. The PR is waiting for a review.

If it gets merged, then I will do locally:

npm publish

My doubts are:

(i) - Did I miss something? Is this the correct approach as of mid-2022?

(ii) - Manual editions to package.json are not recommended. But, in this case, it seems mandatory. What would be the alternative?

(iii) If npm publish works, then the tutorial says:

Any client properly authenticated into the Github Packages Registry can install the package by running:

npm install @energicos/baseapp

Pragmatically speaking, what exactly does that mean? Think about my co-workers that belong to the same GitHub organization and who already have access to the private repository, can they simply execute npm install @my-organization/my-private-repo?

If no, what exactly do they need to do to become a "properly authenticated client on GitHub package registry"?

(iv) - What would be the best way to test if the manual edition on package.json has broken something?

Obs.: This NPM/node world is new for me. Sorry for the ignorance.

Answer 1

Answering:

(i) - Yes, this is the correct approach.

(ii) - To change the package name you need to do a manual edition. But, it is possible to use commands such as npm ci and npm uninstall when removing the old package and instaling the new one (obviously, after the package is already published)

(iii) - They do need a Personal Access Token and a .npmrc file including the right pointers

(iv) try a toy package and also use npm link before publishing stuff. See this tutorial on YouTube.