Using Private Packages with Yarn v3

The problem

We publish private packages to the github registry. The standard way to access the registry on your machine is to use a .npmrc file. However, once you try to deploy to vercel (or other providers), this will not work since the switch to Yarn v3 no longer uses .npmrc. In my case, the Vercel documentation, nor the discussion solutions provided correct solutions.

The problem is that the deployment provider (eg. Vercel) must authenticate with the Github package registry properly, before it can install your private packages.

The Solution

Create a new Classic Personal Access Token with scope read:packages in your Github settings.

Then update your .yarnrc.yml file:

npmScopes:
  your-organization:
    npmRegistryServer: https://npm.pkg.github.com
    npmAlwaysAuth: true
    npmAuthToken: '<YOUR_PAT>'

:warning: WARNING: Ensure scope is limited to read-only access. Also, never use this for public repos, since your PAT is checked into git. Until Yarn v3 enables environment variables, there unfortunately isn’t a more secure solution that works for local & deployment environments.

Happy hacking!

1 Like