Setup for scoped registries (private registries)

Undestood!

Is there any template for unity packages? What I mean is, I want to create a package, where should be the package.json? Can I include the manifest.json of this package to merge it with the container app?

 

Great, it worked.

I've a question about how packages can collide each other, for example:

- com.companyA.Product downloads a library and has an AndroidManifest.xml
- com.companyB.Product also downloads a library with an AndroidManifest.xml

Are those AndroidManifest considered when compiling? I ask this because there are a lot of Plugins that modifies things and when you want to use two plugins you have to start doing nasty things to make it work.

 

And another question, If my com.company.PackageA has as dependency of com.company.PackageB, should I put that dependency in the package.json?

 

Hi, in this forum thread it's said that at the moment it's not possible to aim Package Manager to a private npm registry. What I need is the npm registry with restricted access (so only our company employees have access to load packages), but still available for Unity Package Manager. Is this the same as "private registry" or it is a different thing and possible to reach?

In this manual https://medium.com/@markushofer/run-your-own-unity-package-server-b4fe9995704e it's said that we can register users on our npm server, then login locally and that's it - Unity will be able to grab our packages + we've restricted the access to the registry.

What am I missing? Will this work? Is this enough for my needs?
Thanks!

 

How far is it? It's really critical for organizations because we can't expose all our codebase over the internet.

I would also want to know how are you going to implement it.

In my case I'm using verdaccio and it has multiple authentication types.

https://verdaccio.org/docs/en/authentification

https://verdaccio.org/docs/en/plugins#authorization-plugins

In my ideal situation I would want to configure in Verdaccio two modes:
- LDAP: organization internal.
- htpasswd (or similar): for external users.

I would want to know where this settings would be configured and stored on Unity side.

 

It doesn't seems like it's coming out soon enough for your needs (I suppose it would be somewhere in 2020 Q3).
In the meanwhile if you really want to protect your codebase, you have the option of putting it on a local network in your organization or on a Google Cloud and then whitelist ip address you want.
That's the closest option you have at the moment for package authentication.

 

Hi, thanks for the answer, sad to hear, but at least now it's clear. So I guess we'll go with the git-repo approach for now, as it supports ssh-keys we already have configured on our machines. The only disadvantage is the need to set each package manually in the manifest.json, but it's minor in comparison with the security issues with the npm-way.

 

You were at today's package manager talk, weren't you? Me too! I see from the questions you asked that we suffered the same problems.

 

Hi Pascal, Just wondering if there is any update on when we might expect support for authentication? Really excited to start leveraging the UPM for our internal packages, but blocked by the lack of authentication.

Thanks!

 

Hi,

Pleas prioritize adding the support for authentication. Will it be available in the beta release? Thanks!

 

We are very excited at the prospect of having authenticated npm registries be supported. We have explored several options from LAN hosted npm to doing perforce imports for packages to large composite package drops. We're not equipped due to the rather unique situation we're in to reasonably do a VPN solution for everyone and imports come with their own complications.

We're very much hoping that this will be included in the 2020.1 release and will be anxious to begin testing with it as soon as possible!

 

I just wanted to second the request for auth on the package manager. We would also love this feature to be back-ported to 2018 and 2019 LTS versions if possible. We want to switch to sharing our internal code and tools through package manager as well as allow some of them to be accessible to third parties but in order to do so we need to have authentication support in package manager.

Is there any way for us to have visibility on the progress of the auth implementation feature ?
We would love to jump on it as soon as it's available for testing.

 

Same here,
I am working for a big company with a lot of security issues.
Definetely, using authentication for the package manager is mandatory for us.
It will be much apreciated if it is compatible with 2018.LTS and 2019.LTS because all our developpement in terme of application are based on LTS version. Right now we are still using the 2017.4 because of some trouble with HoloLens even if we are targeting 2018.4 for our next releases.
We definetely need it for 2018.4 LTS.

If you have any beta or demo version, i would be interested.

 

Great news!

 

By the way, I forgot to mention that our Devops pipeline is using Artifactory.
So we set an npm repository public on it to make packages available.
After discussing with the Artifactory team, we noticed that the /-/all command was remove from artifactory because it's deprecated by NPM.

Any chance to change the listing of the packages on UPM using the search function of NPM instead of the /-/all ?

More personnaly, I did not succeed to retrieve my package internally as it appears that unity does not take into account my custom cacert.pem file.
I followed the instruction based on Network Issues on the documentation but at the end, it did not work.
Any chance to have help with this ?

 

I successfully installed verdaccio and the /-/all command works in my browser. Though my test package "com.mypackages.testpackage" is not shown in the package manager ui. Manual installation via manifest.json works fine. Any hints what could be wrong?

Scoped registry entry:

Code (CSharp):

1. "scopedRegistries": [
2.     {
3.       "name": "mypackages",
4.       "url": "http://192.168.1.50:4873/",
5.       "scopes": [
6.         "com.mypackages"
7.       ]
8.     }
9.   ],

 

Any hint when this gets fixed?

 

is there any version of unity support this feature?

 

@samuelb_unity

Currently i'm building several packages and publish them to verdaccio which is registered as private registry in my unity projects. This works fine except for big packages. There seems to be a node.js limit of 2GB when using npm publish. Npm build works fine. Do you know a solution for that? How do you handle this internally?

 

Any updates on the authentication issue?

 

Excellent! Thanks for the update!

 

Can you explain how it works? We would be interested to know how we can integrate it with Azure Artifacts.

 

No problem, thanks.

 

Posting here to receive updates on this thread.
We're very interested how to authenticate now with a foreign registry so we can setup our devops accordingly.
If you can share some insights how packages/system configuration have to look like to successfully authenticate, that would be pretty helpful.
Also is this feature scheduled to be backported to 2019.3/2019.4?

Thanks!

 

Following thread as well

 

Hello Pascal,

I've been going through the thread and just managed to get Verdaccio working. I'm figuring things out as I learn about them and just reached the auth step, as I'd like to make this exclusive to people in the company (I assume we can limit access following something similar as @dzamani suggested above regarding Google Cloud, but I'd like to try a proper authentication flow, if it's available in the current Alpha version).

Any updates regarding how the auth works? (I'm experimenting around with 2020.1.0a21)

 

Ping

 

@okcompute_unity Small ping for update on this

 

Thanks for your response!

I tried "--max-old-space-size=6192" with npm publish and it doesn't help:

Code (CSharp):

1. npm ERR! code ERR_FS_FILE_TOO_LARGE
2. npm ERR! File size (3697219788) is greater than possible Buffer: 2147483647 bytes

Any idea?

 

@okcompute_unity Another small ping, is it possible to get some infos on the basic auth for scoped registries

 

@okcompute_unity I'm trying one more time to get a small update on this, as my recent search through the interwebs didn't really get me any of the answers I was looking for.
Is it possible to have an ETA for the backport to 2019.3 ? It is a really interesting feature and I can't wait to setup the devops to integrate all our internal libraries seamlessly

 

will land any day now:

https://forum.unity.com/threads/npm-registry-authentication.836308/

 

Yes ! Thank you for the link

 

Hi,

I'm trying to use Github Packages to host my Unity packages. One of the requirements to use npm on Github packages
is using scoped package names, which has meant that I have had to change name field in package.json from 'com.organisationname.package-name' to '@organisation/com.organisation.package-name'

However, after a lot of experimenting it seems that this naming is incompatible with UPM, as it throws an error when importing packages with a '@' or a '/' in the package name (the error is : "package name '....' is invalid").

I believe UPM also uses the /-/all npm endpoint to search a scoped registry - is this true? If so, this will be another nail in the coffin for using Github packages, as I believe Github doesn't support that end point and responds with a "method not allowed error"

Any pointers on this? Or is anyone else successfully using Github packages for Unity packages?

Cheers!

 

Perfect, that must have been the one combination of 'where to put the bloody scope if I can't put it in the name' that I didn't try! Thanks for the speedy reply!

 

Hi, how do I set the default manifest.json, now I have to set this code for each project’s manifest.json

"scopedRegistries": [
{
"name": "Tools",
"url": "http://xx.xx.xx.xx:4873/",
"scopes": [
"com.xxx",
"com.xx"
]
}
],

 

Any news on that? Does the Package Manager support authenticated requests now? Where the doc about that?