
Ask HN: Methods to lock down an NPM environment for on-premise distribution - yingw787
I have this project I'm working on (tinydevcrm.com) and I want to lock down dependencies from JavaScript for a React.js frontend. Ideally, I want to audit all my dependencies (and their dependencies), check them out at the commit level, and build it all with Bazel or something, in order to lock down the project for long term support. Is this done in industry or are there other ways in order to lock down JavaScript projects?

I understand this question might not be entirely appropriate for this forum and that I should try Stack Overflow instead, but I think it may be a concern others have faced and solved before (tiny SaaS grows into a large company, large enterprise customer wants an on-premise distribution of application on air-gapped network, SaaS updates build pipeline to support offline distributions).
======
acemarke
I'd suggest using Yarn's "offline mirror" functionality, which lets you commit
the exact set of packages into the repo, then install them when the repo is
checked out without needing additional network requests.

[https://classic.yarnpkg.com/blog/2016/11/24/offline-mirror/](https://classic.yarnpkg.com/blog/2016/11/24/offline-mirror/)

[https://blog.isquaredsoftware.com/2017/07/practical-redux-pa...](https://blog.isquaredsoftware.com/2017/07/practical-redux-part-9-managing-dependencies/#managing-dependency-packages-for-offline-installation)

~~~
yingw787
This is really cool, thanks for sharing! I'll see if this fits my needs, and
maybe reach out to Yarn core devs to learn more about front-end build
pipelines :)

