
Question about NPM authentication and package-lock.json

Sam Tremblay test

Sup GSAP Team!

First of all, sorry for my bad english.

 

I have a public repo on GitHub that includes GSAP Premium, and I have a question about authentication with NPM and the package-lock.json file.

In fact, if I don't have the package-lock.json, npm authentication is required to install GSAP Premium, but not if I have the package-lock.json. Why?

Just so you know, other than GSAP, I have never tested authentication with NPM; maybe it's normal?

....

In any case, I would like to achieve the result of providing my package-lock.json file without giving access to GSAP Premium. Is it possible?


Thank you!
Sam


Hey Sam!

 

Actually, if you look at your package-lock.json file you'll find something like this in it:

"node_modules/gsap": {
  "name": "@gsap/shockingly",
  "version": "3.12.5",
  "resolved": "https://npm.greensock.com/@gsap%2fshockingly/-/shockingly-3.12.5.tgz",
  "integrity": "sha512-JoZp6iYvOC+wkwl8zfXSqSrYCcuzTntaULCL08YMa1vonrYcr9D0K3EUe9PNpw7FYK1chjSwjjgcw3zS/O2SWg==",
  "license": "This package should only be used by individuals/companies with an active Club GSAP membership (Premium or higher). See https://gsap.com/pricing/. Licensing: https://gsap.com/licensing/"
},

As you can see, there is only an integrity hash, which basically every package has for security reasons, but nothing more. The token check is most likely done when the package is requested, on that particular server, so as far as I can tell there are no security concerns about your or anyone else's private token. So feel free to push your lock file; just remember to use an environment variable or add your .npmrc file (the one with the token in it) to .gitignore.

Hopefully this clears things up. Let us know if you have any other questions.

Happy Tweening!

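As an added illustration of the two things Rodrigo points at (this is example code, not from the thread, GSAP or npm itself): a small Node.js audit that flags lockfile entries whose tarball is "resolved" from a host other than the public npm registry, and .npmrc lines that carry a literal _authToken rather than a ${ENV_VAR} reference. The gsap lockfile entry is the one quoted above; the second lockfile entry, the .npmrc contents and the token value are constructed placeholders.

```javascript
// Added example (not from the forum thread, GSAP or npm itself): audit a
// package-lock.json and an .npmrc before committing them.
//  - findPrivateRegistryEntries: lockfile entries whose tarball is "resolved"
//    from a host other than the public npm registry (these reveal that a
//    private registry is in use and will need credentials at install time).
//  - findLiteralAuthTokens: .npmrc lines with a hard-coded _authToken, which
//    is the secret that must never be committed; a ${ENV_VAR} reference is fine.
// Sample inputs are constructed; the gsap entry mirrors the one quoted in the
// thread, everything else is a placeholder.

const PUBLIC_REGISTRY_HOST = "registry.npmjs.org";

// Walk both lockfile shapes: "packages" (lockfileVersion 2/3) and the nested
// "dependencies" tree (lockfileVersion 1, also present in v2 for compatibility).
function findPrivateRegistryEntries(lock, publicHost = PUBLIC_REGISTRY_HOST) {
  const findings = new Map(); // keyed by node_modules path to avoid v2 duplicates

  const visit = (path, entry) => {
    if (!entry || typeof entry.resolved !== "string") return;
    let host;
    try {
      host = new URL(entry.resolved).host;
    } catch {
      return; // not a URL at all
    }
    if (!host) return; // "file:" specifiers have no host and are not registry downloads
    if (host !== publicHost && !findings.has(path)) {
      findings.set(path, {
        path,
        name: entry.name || path.replace(/^.*node_modules\//, ""),
        version: entry.version,
        host,
      });
    }
  };

  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project, never resolved remotely
    visit(path, entry);
  }

  const walkV1 = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      visit(path, entry);
      walkV1(entry.dependencies, `${path}/`);
    }
  };
  walkV1(lock.dependencies, "");

  return [...findings.values()];
}

// Return .npmrc lines whose _authToken is a literal value. The token itself is
// not echoed back; only its line, scope and length are reported.
function findLiteralAuthTokens(npmrcText) {
  const findings = [];
  npmrcText.split(/\r?\n/).forEach((rawLine, index) => {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) return;
    const match = /^(.*:)?_authToken\s*=\s*(.*)$/.exec(line);
    if (!match) return;
    const value = match[2].trim();
    if (/^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value)) return; // read from the environment
    findings.push({
      line: index + 1,
      scope: match[1] ? match[1].slice(0, -1) : "(default registry)",
      tokenLength: value.length,
    });
  });
  return findings;
}

// Constructed sample lockfile (lockfileVersion 3 shape). The gsap entry is the
// one quoted in the thread; "some-public-lib" and its integrity are placeholders.
const SAMPLE_LOCK = {
  name: "sample-project",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-project", version: "1.0.0" },
    "node_modules/gsap": {
      name: "@gsap/shockingly",
      version: "3.12.5",
      resolved: "https://npm.greensock.com/@gsap%2fshockingly/-/shockingly-3.12.5.tgz",
      integrity: "sha512-JoZp6iYvOC+wkwl8zfXSqSrYCcuzTntaULCL08YMa1vonrYcr9D0K3EUe9PNpw7FYK1chjSwjjgcw3zS/O2SWg==",
    },
    "node_modules/some-public-lib": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/some-public-lib/-/some-public-lib-1.2.3.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
  },
};

// Constructed .npmrc: the first token is read from an environment variable and
// is safe to commit; the second is a literal placeholder and must not be.
const SAMPLE_NPMRC = [
  "//npm.greensock.com/:_authToken=${GSAP_NPM_TOKEN}",
  "//registry.npmjs.org/:_authToken=npm_PLACEHOLDER_NOT_A_REAL_TOKEN",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log("private-registry entries:", findPrivateRegistryEntries(SAMPLE_LOCK));
  console.log("literal tokens in .npmrc:", findLiteralAuthTokens(SAMPLE_NPMRC));
}
```

Run against your real files, the first function tells you what a reader of your public lock file learns (which registry you pull from and which package names), and the second is the pre-commit check for the credential that actually grants access.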

Hello @Rodrigo 💪

Thanks for your feedback!

Beyond security, I was also wondering about the premium license. In fact, what I offer to the public includes ready-to-use Club elements like "SmoothScroll". However, before, I did not put the package-lock.json file in my repo, which forced anyone who wanted to use my base to have the license or to make some modifications in order to use the free version.

Now, I have the impression that I give access to the premium, but not to the next update. Am I right? And if so, do I really have the right to do that?


Thanks again!


Hey Sam,

 

A few questions, if you don't mind:

  1. Will people that use your package be able to install and use ScrollSmoother or other bonus plugins in as many projects as they want for free?
  2. Are you charging a fee for installing your package to your users?

If you are distributing the bonus tools, I think you might need a business license; otherwise, the users that install the package you're offering should get their own Plus/Premium license based on the files/plugins they'll use.

It would be great to know exactly what you are offering with your package and which GSAP files are contained in it.

 

Happy Tweening!


Yo @Rodrigo!

 

#1, yes, but only if I give the package-lock.json. Without this file, .npmrc is required.

#2, nope.

GitHub is down right now, but here is a link.

Finally, I would like to know if I can give the package-lock.json file without giving access to the GSAP premium module when the .npmrc file has not been provided?

 

 

Good evening or day and thank you very much 💪


Howdy @Sam Tremblay

 

Thanks for being a Club GSAP member! 💚

 

Yeah, you definitely shouldn't be granting access to bonus members-only plugins in your public repository. That'd make it super easy for anyone to just steal those without getting the proper Club GSAP membership. I'm sure that wasn't your intention of course. We appreciate you being careful about that. 

 

I'm not an expert at that stuff, but my understanding is that users shouldn't be able to use any of the GSAP files if you don't provide them directly, and you're simply referring to "gsap" in the package.json. 

 

Please make sure you don't include your .npmrc file either (the one with the unique token in it), like Rodrigo said. And in your license file, it'd be good if you explicitly mention that the GSAP files are subject to the license at https://gsap.com/standard-license (otherwise, people might think they're covered by your MIT license). 


Hi @GreenSock!

 

Thanks for the recommendations, I'll proceed with updating the license soon 💪

In fact, I want to restrict access to these members-only plugins... but is it possible if I give the package-lock.json file?

To explain: today I stopped ignoring the package-lock.json file in .gitignore, and since then the .npmrc file is no longer required; I can install the gsap module without authentication.

Thanks!


6 minutes ago, Sam Tremblay said:

In fact, I want to restrict access to these members-only plugins... but is it possible if I give the package-lock.json file?

It sounds like that might be problematic. I'm curious why you want to include your package-lock.json file. I wouldn't think that's a good idea. We're experts at GSAP around here, but not so much the inner workings of build tools and NPM. 


Yooo thanks for your curiosity!

In fact, it just hit me and you're right: why am I doing that?... I hadn't caught it before, but I can simply remove the "^" sign from the version in my package.json instead of keeping the package-lock.json to force the version of each package I have.

I don't know if you understand me haha, but all is good now. The package-lock.json has been removed, I changed my token, and no one can download members-only plugins without authentication now!


Thanks guys!
