npm Community Forum (Archive)

Force installation of a specific package's specific version from npm-cache instead of trying to fetch from the npm registry


I’ve come across an interesting issue. Here’s the situation:

I’m trying to install a package, one or more of whose dependencies or devDependencies use the rimraf package’s 2.2.6 and 2.2.8 versions, which are quite outdated AND can’t be downloaded from the default NPM registry because rimraf@2.2.6 and rimraf@2.2.8 are blocked by a corporate firewall (while, for example, rimraf’s latest version can be easily installed).

Thus, the only [theoretical] solution I’ve found so far is:

  1. Download rimraf@2.2.6 or rimraf@2.2.8 tar.gz from the package’s GitHub releases page
  2. Use npm cache add $rimraf_pkg_name.tar.gz to add it to npm-cache
  3. Verify NPM cache with npm cache verify

However, this doesn’t work. If I attempt to install the package X (which has dependencies which use rimraf’s 2.2.6 and 2.2.8 versions), NPM still attempts to download rimraf versions 2.2.6 & 2.2.8 from and, since there’s a corpo firewall, it can’t.

My primary question — is there any way to tell NPM (via config or whatever) to cache or use a locally downloaded tar.gz for any package and its selected versions, so whenever any package (or any package’s dependency) tries to install rimraf@2.2.6, it’d use a tar.gz referenced on my local machine or use rimraf@2.2.6 from npm-cache (and would never try to download it from registry)?

P.S. yes, I’ve tried to install rimraf@2.2.6 package globally referencing a tar.gz on my machine, but of course it didn’t work. Also, I’ve tried running something like npm i -g rimraf@2.2.6 --no-registry. It didn’t help much.

P.S.S. npm config get registry is the default NPM registry, there’s no custom registry in play here.

You could install rimraf directly from GitHub. Just write into your package.json:

"rimraf": "git://"

This would be version 2.2.6. Just use another commit hash for any other version.

Thanks for a possible solution, but it won’t work since, as I mentioned in the first post, there’s a firewall blocking access to for some file types like .tgz.
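
An added example, not part of the original thread: before sideloading a manually downloaded tarball as in steps 1-3 of the first post, its bytes can be checked against the integrity value that package-lock.json records for that version. The function names and the sample bytes are assumptions constructed for illustration; a real check would read the .tgz from disk and the integrity string from the lockfile.

```javascript
const crypto = require('crypto');

// Strongest first, so a weak hash cannot vouch for a file when a stronger one is listed.
const ALGOS = ['sha512', 'sha384', 'sha256', 'sha1'];

// Parse an SRI string such as "sha1-<b64> sha512-<b64>" into {algo, digest} pairs.
function parseIntegrity(integrity) {
  return integrity.trim().split(/\s+/).map((entry) => {
    const dash = entry.indexOf('-');
    const algo = entry.slice(0, dash);
    if (dash < 1 || !ALGOS.includes(algo)) {
      throw new Error(`unsupported integrity entry: ${entry}`);
    }
    // Anything after "?" is an SRI option, not part of the digest.
    return { algo, digest: entry.slice(dash + 1).split('?')[0] };
  });
}

// Hash the tarball bytes with the strongest algorithm the lockfile lists and compare.
function verifyTarball(bytes, integrity) {
  const entries = parseIntegrity(integrity);
  const algo = ALGOS.find((a) => entries.some((e) => e.algo === a));
  const actual = crypto.createHash(algo).update(bytes).digest('base64');
  const expected = entries.filter((e) => e.algo === algo).map((e) => e.digest);
  return { ok: expected.includes(actual), algo, expected, actual };
}

// Helper used only to build the constructed sample data below.
function makeSri(algo, bytes) {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Constructed sample data: stand-in bytes, not a real rimraf tarball.
const sampleTarball = Buffer.from('constructed stand-in for rimraf-2.2.8.tgz');
const lockIntegrity = `${makeSri('sha1', sampleTarball)} ${makeSri('sha512', sampleTarball)}`;
// An archive with different bytes, e.g. one repacked or fetched from another source.
const repacked = Buffer.concat([sampleTarball, Buffer.from('\n')]);

const result = verifyTarball(sampleTarball, lockIntegrity);
console.log(`registry bytes: ok=${result.ok} (${result.algo})`);
console.log(`repacked bytes: ok=${verifyTarball(repacked, lockIntegrity).ok}`);
```

A source archive downloaded from GitHub is generally not byte-identical to the tarball published to the registry, so a mismatch against the lockfile value is expected for it and means the file needs review before it is trusted.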