# Using CodeArtifact with npm
These topics describe how to use npm, the Node.js package manager, with CodeArtifact.
**Note**
CodeArtifact supports `node v4.9.1` and later and `npm v5.0.0` and later.
**Topics**
+ [Configure and use npm](npm-auth.md)
+ [Configure and use Yarn](npm-yarn.md)
+ [
# npm command support
](npm-commands.md)
+ [
# npm tag handling
](npm-tags.md)
+ [
# Support for npm-compatible package managers
](npm-other-clients.md)
# Configure and use npm with CodeArtifact
After you create a repository in CodeArtifact, you can use the npm client to install and publish packages. The recommended method for configuring npm with your repository endpoint and authorization token is by using the `aws codeartifact login` command. You can also configure npm manually.
**Contents**
+ [
## Configuring npm with the login command
](#configure-npm-login-command)
+ [
## Configuring npm without using the login command
](#configuring-npm-without-using-the-login-command)
+ [
## Running npm commands
](#running-npm-commands)
+ [
## Verifying npm authentication and authorization
](#verifying-npm-authentication-and-authorization)
+ [
## Changing back to the default npm registry
](#revert-default-npm-registry)
+ [
## Troubleshooting slow installs with npm 8.x or higher
](#troubleshooting-slow-npm-install)
## Configuring npm with the login command
Use the `aws codeartifact login` command to fetch credentials for use with npm.
**Note**
If you are accessing a repository in a domain that you own, you don't need to include `--domain-owner`. For more information, see [Cross-account domains](domain-overview.md#domain-overview-cross-account).
**Important**
If you are using npm 10.x or newer, you must use AWS CLI version 2.9.5 or newer to successfully run the `aws codeartifact login` command.
```
aws codeartifact login --tool npm --domain my_domain --domain-owner 111122223333 --repository my_repo
```
This command makes the following changes to your \$1/.npmrc file:
+ Adds an authorization token after fetching it from CodeArtifact using your AWS credentials.
+ Sets the npm registry to the repository specified by the `--repository` option.
+ **For npm 6 and lower:** Adds `"always-auth=true"` so the authorization token is sent for every npm command.
The default authorization period after calling `login` is 12 hours, and `login` must be called to periodically refresh the token. For more information about the authorization token created with the `login` command, see [Tokens created with the `login` command](tokens-authentication.md#auth-token-login).
## Configuring npm without using the login command
You can configure npm with your CodeArtifact repository without the `aws codeartifact login` command by manually updating the npm configuration.
**To configure npm without using the login command**
1. In a command line, fetch a CodeArtifact authorization token and store it in an environment variable. npm will use this token to authenticate with your CodeArtifact repository.
**Note**
The following command is for macOS or Linux machines. For information on configuring environment variables on a Windows machine, see [Pass an auth token using an environment variable](tokens-authentication.md#env-var).
```
CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain my_domain --domain-owner 111122223333 --query authorizationToken --output text`
```
1. Get your CodeArtifact repository's endpoint by running the following command. Your repository endpoint is used to point npm to your repository to install or publish packages.
+ Replace *my\$1domain* with your CodeArtifact domain name.
+ Replace *111122223333* with the AWS account ID of the owner of the domain. If you are accessing a repository in a domain that you own, you don't need to include `--domain-owner`. For more information, see [Cross-account domains](domain-overview.md#domain-overview-cross-account).
+ Replace *my\$1repo* with your CodeArtifact repository name.
```
aws codeartifact get-repository-endpoint --domain my_domain --domain-owner 111122223333 --repository my_repo --format npm
```
The following URL is an example repository endpoint.
```
https://my_domain-111122223333.d.codeartifact.us-west-2.amazonaws.com/npm/my_repo/
```
**Important**
The registry URL must end with a forward slash (/). Otherwise, you cannot connect to the repository.
1. Use the `npm config set` command to set the registry to your CodeArtifact repository. Replace the URL with the repository endpoint URL from the previous step.
```
npm config set registry=https://my_domain-111122223333.d.codeartifact.region.amazonaws.com/npm/my_repo/
```
**Note**
To use a dualstack endpoint, use the `codeartifact.region.on.aws` endpoint.
1. Use the `npm config set` command to add your authorization token to your npm configuration.
```
npm config set //my_domain-111122223333.d.codeartifact.region.amazonaws.com/npm/my_repo/:_authToken=$CODEARTIFACT_AUTH_TOKEN
```
**For npm 6 or lower:** To make npm always pass the auth token to CodeArtifact, even for `GET` requests, set the `always-auth` configuration variable with `npm config set`.
```
npm config set //my_domain-111122223333.d.codeartifact.region.amazonaws.com/npm/my_repo/:always-auth=true
```
**Example npm configuration file (`.npmrc`)**
The following is an example `.npmrc` file after following the preceding instructions to set the CodeArtifact registry endpoint, add an authentication token, and configure `always-auth`.
```
registry=https://my_domain-111122223333.d.codeartifact.us-west-2.amazonaws.com/npm/my-cli-repo/
//my_domain-111122223333.d.codeartifact.us-west-2.amazonaws.com/npm/my_repo/:_authToken=eyJ2ZX...
//my_domain-111122223333.d.codeartifact.us-west-2.amazonaws.com/npm/my_repo/:always-auth=true
```
## Running npm commands
After you configure the npm client, you can run npm commands. Assuming that a package is present in your repository or one of its upstream repositories, you can install it with `npm install`. For example, use the following to install the `lodash` package.
```
npm install lodash
```
Use the following command to publish a new npm package to a CodeArtifact repository.
```
npm publish
```
For information about how to create npm packages, see [Creating Node.js Modules](https://docs.npmjs.com/getting-started/creating-node-modules) on the npm documentation website. For a list of npm commands supported by CodeArtifact, see [npm Command Support](npm-commands.md).
## Verifying npm authentication and authorization
Invoking the `npm ping` command is a way to verify the following:
+ You have correctly configured your credentials so that you can authenticate to an CodeArtifact repository.
+ The authorization configuration grants you the `ReadFromRepository` permission.
The output from a successful invocation of `npm ping` looks like the following.
```
$ npm -d ping
npm info it worked if it ends with ok
npm info using npm@6.4.1
npm info using node@v9.5.0
npm info attempt registry request try #1 at 4:30:59 PM
npm http request GET https://.d.codeartifact.us-west-2.amazonaws.com/npm/shared/-/ping?write=true
npm http 200 https:///npm/shared/-/ping?write=true
Ping success: {}
npm timing npm Completed in 716ms
npm info ok
```
The `-d` option causes npm to print additional debug information, including the repository URL. This information makes it easy to confirm that npm is configured to use the repository you expect.
## Changing back to the default npm registry
Configuring npm with CodeArtifact sets the npm registry to the specified CodeArtifact repository. You can run the following command to set the npm registry back to its default registry when you're done connecting to CodeArtifact.
```
npm config set registry https://registry.npmjs.com/
```
## Troubleshooting slow installs with npm 8.x or higher
There is a known issue in npm versions 8.x and greater where if a request is made to a package repository, and the repository redirects the client to Amazon S3 instead of streaming the assets directly, the npm client can hang for several minutes per dependency.
Because CodeArtifact repositories are designed to always redirect the request to Amazon S3, sometimes this issue occurs, which causes long build times due to long npm install times. Instances of this behavior will present themselves as a progress bar showing for several minutes.
To avoid this issue, use either the `--no-progress` or `progress=false` flags with `npm` cli commands, as shown in the following example.
```
npm install lodash --no-progress
```
# Configure and use Yarn with CodeArtifact
After you create a repository, you can use the Yarn client to manage npm packages.
**Note**
`Yarn 1.X` reads and uses information from your npm configuration file (.npmrc), while `Yarn 2.X` does not. The configuration for `Yarn 2.X` must be defined in the .yarnrc.yml file.
**Contents**
+ [
## Configure Yarn 1.X with the `aws codeartifact login` command
](#npm-yarn-configure-login)
+ [
## Configure Yarn 2.X with the `yarn config set` command
](#npm-yarn-configure-yarn-command)
## Configure Yarn 1.X with the `aws codeartifact login` command
For `Yarn 1.X`, you can configure Yarn with CodeArtifact using the `aws codeartifact login` command. The `login` command will configure your \$1/.npmrc file with your CodeArtifact repository endpoint information and credentials. With `Yarn 1.X`, `yarn` commands use the configuration information from the \$1/.npmrc file.
**To configure `Yarn 1.X` with the login command**
1. If you haven't done so already, configure your AWS credentials for use with the AWS CLI, as described in [Getting started with CodeArtifact](getting-started.md).
1. To run the `aws codeartifact login` command successfully, npm must be installed. See [Downloading and installing Node.js and npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm/) in the *npm documentation* for installation instructions.
1. Use the `aws codeartifact login` command to fetch CodeArtifact credentials and configure your \$1/.npmrc file.
+ Replace *my\$1domain* with your CodeArtifact domain name.
+ Replace *111122223333* with the AWS account ID of the owner of the domain. If you are accessing a repository in a domain that you own, you don't need to include `--domain-owner`. For more information, see [Cross-account domains](domain-overview.md#domain-overview-cross-account).
+ Replace *my\$1repo* with your CodeArtifact repository name.
```
aws codeartifact login --tool npm --domain my_domain --domain-owner 111122223333 --repository my_repo
```
The `login` command makes the following changes to your \$1/.npmrc file:
+ Adds an authorization token after fetching it from CodeArtifact using your AWS credentials.
+ Sets the npm registry to the repository specified by the `--repository` option.
+ **For npm 6 and lower:** Adds `"always-auth=true"` so the authorization token is sent for every npm command.
The default authorization period after calling `login` is 12 hours, and `login` must be called to refresh the token periodically. For more information about the authorization token created with the `login` command, see [Tokens created with the `login` command](tokens-authentication.md#auth-token-login).
1. **For npm 7.X and 8.X**, you must add `always-auth=true` to your \$1/.npmrc file to use Yarn.
1. Open your \$1/.npmrc file in a text editor and add `always-auth=true` on a new line.
You can use the `yarn config list` command to check that Yarn is using the correct configuration. After running the command, check the values in the `info npm config` section. The contents should look similar to the following snippet.
```
info npm config
{
registry: 'https://my_domain-111122223333.d.codeartifact.us-west-2.amazonaws.com/npm/my_repo/',
'//my_domain-111122223333.d.codeartifact.us-west-2.amazonaws.com/npm/my_repo/:_authToken': 'eyJ2ZXI...',
'always-auth': true
}
```
## Configure Yarn 2.X with the `yarn config set` command
The following procedure details how to configure `Yarn 2.X` by updating your `.yarnrc.yml` configuration from the command line with the `yarn config set` command.
**To update the `yarnrc.yml` configuration from the command line**
1. If you haven't done so already, configure your AWS credentials for use with the AWS CLI, as described in [Getting started with CodeArtifact](getting-started.md).
1. Use the `aws codeartifact get-repository-endpoint` command to get your CodeArtifact repository's endpoint.
+ Replace *my\$1domain* with your CodeArtifact domain name.
+ Replace *111122223333* with the AWS account ID of the owner of the domain. If you are accessing a repository in a domain that you own, you don't need to include `--domain-owner`. For more information, see [Cross-account domains](domain-overview.md#domain-overview-cross-account).
+ Replace *my\$1repo* with your CodeArtifact repository name.
```
aws codeartifact get-repository-endpoint --domain my_domain --domain-owner 111122223333 --repository my_repo --format npm
```
1. Update the `npmRegistryServer` value in your .yarnrc.yml file with your repository endpoint.
```
yarn config set npmRegistryServer "https://my_domain-111122223333.d.codeartifact.region.amazonaws.com/npm/my_repo/"
```
1. Fetch a CodeArtifact authorization token and store it in an environment variable.
**Note**
The following command is for macOS or Linux machines. For information on configuring environment variables on a Windows machine, see [Pass an auth token using an environment variable](tokens-authentication.md#env-var).
+ Replace *my\$1domain* with your CodeArtifact domain name.
+ Replace *111122223333* with the AWS account ID of the owner of the domain. If you are accessing a repository in a domain that you own, you don't need to include `--domain-owner`. For more information, see [Cross-account domains](domain-overview.md#domain-overview-cross-account).
+ Replace *my\$1repo* with your CodeArtifact repository name.
```
export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain my_domain --domain-owner 111122223333 --query authorizationToken --output text`
```
1. Use the `yarn config set` command to add your CodeArtifact authentication token to your .yarnrc.yml file. Replace the URL in the following command with your repository endpoint URL from Step 2.
```
yarn config set 'npmRegistries["https://my_domain-111122223333.d.codeartifact.region.amazonaws.com/npm/my_repo/"].npmAuthToken' "${CODEARTIFACT_AUTH_TOKEN}"
```
1. Use the `yarn config set` command to set the value of `npmAlwaysAuth` to `true`. Replace the URL in the following command with your repository endpoint URL from Step 2.
```
yarn config set 'npmRegistries["https://my_domain-111122223333.d.codeartifact.region.amazonaws.com/npm/my_repo/"].npmAlwaysAuth' "true"
```
After configuring, your .yarnrc.yml configuration file should have contents similar to the following snippet.
```
npmRegistries:
"https://my_domain-111122223333.d.codeartifact.us-west-2.amazonaws.com/npm/my_repo/":
npmAlwaysAuth: true
npmAuthToken: eyJ2ZXI...
npmRegistryServer: "https://my_domain-111122223333.d.codeartifact.us-west-2.amazonaws.com/npm/my_repo/"
```
You can also use the `yarn config` command to check the values of `npmRegistries` and `npmRegistryServer`.
# npm command support
The following sections summarize the npm commands that are supported, by CodeArtifact repositories, in addition to specific commands that are not supported.
**Contents**
+ [
## Supported commands that interact with a repository
](#supported-commands-that-interact-with-a-repository)
+ [
## Supported client-side commands
](#supported-client-side-commands)
+ [
## Unsupported commands
](#unsupported-commands)
## Supported commands that interact with a repository
This section lists npm commands where the npm client makes one or more requests to the registry it's been configured with (for example, with `npm config set registry` ). These commands have been verified to function correctly when invoked against a CodeArtifact repository.
****
| Command | Description |
| --- | --- |
| [bugs](https://docs.npmjs.com/cli/bugs) | Tries to guess the location of a package’s bug tracker URL, and then tries to open it. |
| [ci](https://docs.npmjs.com/cli/ci) | Installs a project with a clean slate. |
| [deprecate](https://docs.npmjs.com/cli/deprecate) | Deprecates a version of a package. |
| [dist-tag](https://docs.npmjs.com/cli/dist-tag) | Modifies package distribution tags. |
| [docs](https://docs.npmjs.com/cli/docs) | Tries to guess the location of a package’s documentation URL, and then tries to open it using the `--browser` config parameter. |
| [doctor](https://docs.npmjs.com/cli/doctor) | Runs a set of checks to ensure that your npm installation has what it needs to manage your JavaScript packages. |
| [install](https://docs.npmjs.com/cli/install) | Installs a package. |
| [install-ci-test](https://docs.npmjs.com/cli/install-ci-test) | Installs a project with a clean slate and runs tests. Alias: `npm cit`. This command runs an `npm ci` followed immediately by an `npm test`. |
| [install-test](https://docs.npmjs.com/cli/install-test) | Installs package and runs tests. Runs an `npm install` followed immediately by an `npm test`. |
| [outdated](https://docs.npmjs.com/cli/outdated) | Checks the configured registry to see if any installed packages are currently outdated. |
| [ping](https://docs.npmjs.com/cli/ping) | Pings the configured or given npm registry and verifies authentication. |
| [publish](https://docs.npmjs.com/cli/publish) | Publishes a package version to the registry. |
| [update](https://docs.npmjs.com/cli/update) | Guesses the location of a package’s repository URL, and then tries to open it using the `--browser` config parameter. |
| [view](https://docs.npmjs.com/cli/view) | Displays package metadata. Can be used to print metadata properties. |
## Supported client-side commands
These commands don't require any direct interaction with a repository, so CodeArtifact does not need to do anything to support them.
****
| Command | Description |
| --- | --- |
| [build](https://docs.npmjs.com/cli/v6/commands/npm-build) | Builds a package. |
| [cache](https://docs.npmjs.com/cli/cache) | Manipulates the packages cache. |
| [completion](https://docs.npmjs.com/cli/completion) | Enables tab completion in all npm commands. |
| [config](https://docs.npmjs.com/cli/config) | Updates the contents of the user and global `npmrc` files. |
| [dedupe](https://docs.npmjs.com/cli/dedupe) | Searches the local package tree and attempts to simplify the structure by moving dependencies further up the tree, where they can be more effectively shared by multiple dependent packages. |
| [edit](https://docs.npmjs.com/cli/edit) | Edits an installed package. Selects a dependency in the current working directory and opens the package folder in the default editor. |
| [explore](https://docs.npmjs.com/cli/explore) | Browses an installed package. Spawns a subshell in the directory of the installed package specified. If a command is specified, then it is run in the subshell, which then immediately terminates. |
| [help](https://docs.npmjs.com/cli/help) | Gets help on npm. |
| [help-search](https://docs.npmjs.com/cli/help-search) | Searches npm help documentation. |
| [init](https://docs.npmjs.com/cli/init) | Creates a `package.json` file. |
| [link](https://docs.npmjs.com/cli/link) | Symlinks a package folder. |
| [ls](https://docs.npmjs.com/cli/ls) | Lists installed packages. |
| [pack](https://docs.npmjs.com/cli/pack) | Creates a tarball from a package. |
| [prefix](https://docs.npmjs.com/cli/prefix) | Displays prefix. This is the closest parent directory to contain a `package.json` file unless `-g` is also specified. |
| [prune](https://docs.npmjs.com/cli/prune) | Removes packages that are not listed on the parent package's dependencies list. |
| [rebuild](https://docs.npmjs.com/cli/rebuild) | Runs the `npm build` command on the matched folders. |
| [restart](https://docs.npmjs.com/cli/restart) | Runs a package's stop, restart, and start scripts and associated pre- and post- scripts. |
| [root](https://docs.npmjs.com/cli/root) | Prints the effective `node_modules` folder to standard out. |
| [run-script](https://docs.npmjs.com/cli/run-script) | Runs arbitrary package scripts. |
| [shrinkwrap](https://docs.npmjs.com/cli/shrinkwrap) | Locks down dependency versions for publication. |
| [uninstall](https://docs.npmjs.com/cli/uninstall) | Uninstalls a package. |
## Unsupported commands
These npm commands are not supported by CodeArtifact repositories.
****
| Command | Description | Notes |
| --- | --- | --- |
| [access](https://docs.npmjs.com/cli/access) | Sets the access level on published packages. | CodeArtifact uses a permission model that is different from the public npmjs repository. |
| [adduser](https://docs.npmjs.com/cli/adduser) | Adds a registry user account | CodeArtifact uses a user model that is different from the public npmjs repository. |
| [audit](https://docs.npmjs.com/cli/audit) | Runs a security audit. | CodeArtifact does not currently vend security vulnerability data. |
| [hook](https://docs.npmjs.com/cli/hook) | Manages npm hooks, including adding, removing, listing, and updating. | CodeArtifact does not currently support any kind of change notification mechanism. |
| [login](https://docs.npmjs.com/cli-commands/adduser.html) | Authenticates a user. This is an alias for `npm adduser`. | CodeArtifact uses an authentication model that is different from the public npmjs repository. For information, see [Authentication with npm](npm-auth.md). |
| [logout](https://docs.npmjs.com/cli/logout) | Signs out of the registry. | CodeArtifact uses an authentication model that is different from the public npmjs repository. There is no way to sign out from a CodeArtifact repository, but authentication tokens expire after their configurable expiration time. The default token duration is 12 hours. |
| [owner](https://docs.npmjs.com/cli/owner) | Manages package owners. | CodeArtifact uses a permissions model that is different from the public npmjs repository. |
| [profile](https://docs.npmjs.com/cli/profile) | Changes settings on your registry profile. | CodeArtifact uses a user model that is different from the public npmjs repository. |
| [search](https://docs.npmjs.com/cli/search) | Searches the registry for packages matching the search terms. | CodeArtifact supports limited search functionality with the [list-packages](list-packages.md) command. |
| [star](https://docs.npmjs.com/cli/star) | Marks your favorite packages. | CodeArtifact currently does not support any kind of favorites mechanism. |
| [stars](https://docs.npmjs.com/cli/stars) | Views packages marked as favorites. | CodeArtifact currently does not support any kind of favorites mechanism. |
| [team](https://docs.npmjs.com/cli/team) | Manages organization teams and team memberships. | CodeArtifact uses a user and group membership model that is different from the public npmjs repository. For information, see [Identities (Users, Groups, and Roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*. |
| [token](https://docs.npmjs.com/cli/token) | Manages your authentication tokens. | CodeArtifact uses a different model for getting authentication tokens. For information, see [Authentication with npm](npm-auth.md). |
| [unpublish](https://docs.npmjs.com/cli/unpublish) | Removes a package from the registry. | CodeArtifact does not support removing a package version from a repository using the npm client. You can use the [delete-package-version](delete-package.md) command. |
| [whoami](https://docs.npmjs.com/cli/whoami) | Displays the npm user name. | CodeArtifact uses a user model that is different from the public npmjs repository. |
# npm tag handling
npm registries support *tags*, which are string aliases for package versions. You can use tags to provide an alias instead of version numbers. For example, you might have a project with multiple streams of development and use a different tag (for example, `stable`, `beta`, `dev`, `canary`) for each stream. For more information, see [dist-tag](https://docs.npmjs.com/cli/dist-tag) on the npm website.
By default, npm uses the `latest` tag to identify the current version of a package. `npm install pkg` (without `@version` or `@tag` specifier) installs the latest tag. Typically, projects use the latest tag for stable release versions only. Other tags are used for unstable or prerelease versions.
## Edit tags with the npm client
The three `npm dist-tag` commands (`add`, `rm`, and `ls`) function identically in CodeArtifact repositories as they do in the [default npm registry](https://registry.npmjs.com/).
## npm tags and the CopyPackageVersions API
When you use the `CopyPackageVersions` API to copy an npm package version, all tags aliasing that version are copied to the destination repository. When a version that is being copied has a tag that is also present in the destination, the copy operation sets the tag value in the destination repository to match the value in the source repository.
For example, say both repository S and repository D contain a single version of the `web-helper` package with the latest tag set as shown in this table.
****
| Repository | Package name | Package tags |
| --- | --- | --- |
| S | `web-helper` | *latest* (alias for version 1.0.1) |
| D | `web-helper` | *latest* (alias for version 1.0.0) |
`CopyPackageVersions` is invoked to copy `web-helper` 1.0.1 from S to D. After the operation is complete, the `latest` tag on `web-helper` in repository D aliases 1.0.1, not 1.0.0.
If you need to change tags after copying, use the `npm dist-tag` command to modify tags directly in the destination repository. For more information about the `CopyPackageVersions` API, see [Copying Packages Between Repositories](copy-package.md).
## npm tags and upstream repositories
When npm requests the tags for a package and versions of that package are also present in an upstream repository, CodeArtifact merges the tags before returning them to the client. For example, a repository named R has an upstream repository named U. The following table shows the tags for a package named `web-helper` that's present in both repositories.
****
| Repository | Package name | Package tags |
| --- | --- | --- |
| R | `web-helper` | *latest* (alias for version 1.0.0) |
| U | `web-helper` | *alpha* (alias for version 1.0.1) |
In this case, when the npm client fetches the tags for the `web-helper` package from repository R, it receives both the *latest* and *alpha* tags. The versions the tags point to won't change.
When the same tag is present on the same package in both the upstream and downstream repository, CodeArtifact uses the tag that is present in the *upstream* repository. For example, suppose that the tags on *webhelper* have been modified to look like the following.
****
| Repository | Package name | Package tags |
| --- | --- | --- |
| R | `web-helper` | *latest* (alias for version 1.0.0) |
| U | `web-helper` | *latest* (alias for version 1.0.1) |
In this case, when the npm client fetches the tags for package *web-helper* from repository R, the *latest* tag will alias the version *1.0.1* because that's what's in the upstream repository. This makes it easy to consume new package versions in an upstream repository that are not yet present in a downstream repository by running `npm update`.
Using the tag in the upstream repository can be problematic when publishing new versions of a package in a downstream repository. For example, say that the latest tag on the package *web-helper* is the same in both R and U.
****
| Repository | Package name | Package tags |
| --- | --- | --- |
| R | `web-helper` | *latest* (alias for version 1.0.1) |
| U | `web-helper` | *latest* (alias for version 1.0.1) |
When version 1.0.2 is published to R, npm updates the *latest* tag to 1.0.2.
****
| Repository | Package name | Package tags |
| --- | --- | --- |
| R | `web-helper` | *latest* (alias for version 1.0.2) |
| U | `web-helper` | *latest* (alias for version 1.0.1) |
However, the npm client never sees this tag value because the value of *latest* in U is 1.0.1. Running `npm install` against repository R immediately after publishing 1.0.2 installs 1.0.1 instead of the version that was just published. To install the most recently published version, you must specify the exact package version, as follows.
```
npm install web-helper@1.0.2
```
# Support for npm-compatible package managers
These other package managers are compatible with CodeArtifact and work with the npm package format and npm wire protocol:
+ [pnpm package manager](https://pnpm.js.org). The latest version confirmed to work with CodeArtifact is 3.3.4, which was released on May 18, 2019.
+ [Yarn package manager](https://yarnpkg.com/). The latest version confirmed to work with CodeArtifact is 1.21.1, which was released on December 11, 2019.
**Note**
We recommend using Yarn 2.x with CodeArtifact. Yarn 1.x does not have HTTP retries, which means it is more susceptible to intermittent service faults which result in 500-level status codes or errors. There is no way to configure a different retry strategy for Yarn 1.x, but this has been added in Yarn 2.x. You can use Yarn 1.x, but you may need to add higher-level retries in build scripts. For example, running your yarn command in a loop so that it will retry if downloading packages fails.