Skip to content
NORA

npm

NORA provides a full npm-compatible registry. Publish private packages and transparently proxy public packages from the official npm registry.

Client Configuration

Section titled “Client Configuration”

Point npm (or yarn/pnpm) at NORA:

Terminal window
# npm
npm config set registry http://nora.example.com:4000/npm/


# yarn
yarn config set registry http://nora.example.com:4000/npm/


# pnpm
pnpm config set registry http://nora.example.com:4000/npm/

Publish a package:

Terminal window
npm publish --registry http://nora.example.com:4000/npm/

Per-project .npmrc:

registry=http://nora.example.com:4000/npm/

Upstream Proxy

Section titled “Upstream Proxy”

When a package is not found locally, NORA fetches it from the upstream registry. Tarball URLs in metadata are rewritten to point through NORA.

config.toml:

[npm]
enabled = true
proxy = "https://registry.npmjs.org"
proxy_timeout = 30
metadata_ttl = 300  # seconds

Environment variables:

VariableDescriptionDefault
NORA_NPM_ENABLEDEnable npm registrytrue
NORA_NPM_PROXYUpstream registry URLhttps://registry.npmjs.org
NORA_NPM_PROXY_AUTHUpstream auth (user:pass)
NORA_NPM_PROXY_TIMEOUTUpstream timeout in seconds30
NORA_NPM_METADATA_TTLMetadata cache TTL in seconds300

Features

Section titled “Features”
FeatureStatusNotes
Package metadata (GET)FullJSON with all versions
Scoped packages (@scope/name)FullURL-encoded path
Tarball downloadFullSHA256 verified
Tarball URL rewritingFullPoints to NORA, not upstream
Publish (npm publish)FullImmutable versions
Upstream proxyFullConfigurable TTL
UnpublishNot implemented
Dist-tags (latest, next)PartialRead from metadata, no explicit management
Search (/-/v1/search)Not implemented
Audit advisoriesNot implemented

Known Limitations

Section titled “Known Limitations”
  • No unpublish support — published versions are immutable.
  • Dist-tags are read from upstream metadata but cannot be explicitly managed via NORA.
  • Package search and security audit endpoints are not implemented.