Hi community
I’m building a commercial JavaScript library that I intend to distribute to customers as an NPM package.
Currently I have my pipeline set up to build and deploy to Gitlab’s NPM package registry as described in the guide (npm packages in the Package Registry | GitLab) which works great so far.
As I’m onboarding my first customers I’m a bit uncertain whether to allow these customers read-only access to the private package registry via an auth token (npm packages in the Package Registry | GitLab) that the customer has to add to the .npmrc file, or if I should publish to npmjs.com as this is what every dev is familiar with.
Publishing it only to the Gitlab package registry has a certain appeal to me as it avoids duplication, and has a more “private” feel to it, which for the moment is preferable for my product. On the other hand, I’m not 100% sure if this will scale well (i.e. is it possible to easily/programmatically generate a new r/o auth token for every customer), and I’m afraid that I’d accidentally open up private infrastructure to the outside world.
Does anyone have advice on how to best proceed?
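The main exposure in the "customer adds a token to .npmrc" option is the shape of the .npmrc itself: a token that is not bound to the registry's URL path is sent to every registry npm talks to, and a token literal in the file ends up in the customer's repo. The script below is an added example, not code from the original post or from GitLab; it renders the two-line scoped configuration that GitLab's npm registry docs use (`@scope:registry=` plus a URL-bound `_authToken` read from an environment variable) and audits an existing .npmrc for the risky variants. The registry URL `https://gitlab.example.com/api/v4/packages/npm/`, the scope `@acme` and the `NPM_TOKEN` variable name are placeholders.

```javascript
// Added example: render and audit a customer .npmrc for GitLab's npm registry.
// Registry URL, scope and env var name below are assumed placeholders.

// Parse an .npmrc body into [key, value] pairs; blank and comment lines are skipped.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    entries.push([line.slice(0, eq).trim(), line.slice(eq + 1).trim()]);
  }
  return entries;
}

// "//host/path" form npm uses to bind credentials to one registry endpoint only.
function registryHostPath(registryUrl) {
  const u = new URL(registryUrl);
  return `//${u.host}${u.pathname}`;
}

// Render the minimal safe config: only the customer's scope is routed to GitLab,
// the token is bound to that endpoint, and its value comes from an env var so the
// file can be committed without the secret.
function renderNpmrc(scope, registryUrl, tokenEnvVar) {
  return [
    `${scope}:registry=${registryUrl}`,
    `${registryHostPath(registryUrl)}:_authToken=\${${tokenEnvVar}}`,
  ].join('\n') + '\n';
}

// Return a list of findings (empty means the file matches the safe shape).
function auditNpmrc(text, registryUrl) {
  const hostPath = registryHostPath(registryUrl);
  const findings = [];
  let scopedToRegistry = false;
  for (const [key, value] of parseNpmrc(text)) {
    if (key.startsWith('@') && key.endsWith(':registry')) {
      if (value === registryUrl) scopedToRegistry = true;
    } else if (key === 'registry') {
      findings.push('default registry overridden: every unscoped package would resolve from it');
    }
    if (key.endsWith('_authToken')) {
      const isEnvRef = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value);
      if (!isEnvRef) findings.push(`token literal stored in file under "${key}"`);
      if (key === '_authToken') {
        findings.push('token not bound to a registry URL: npm would send it to any registry it contacts');
      } else if (!key.startsWith(hostPath)) {
        const boundTo = key.slice(0, -':_authToken'.length);
        findings.push(`token bound to "${boundTo}", not to the GitLab registry path`);
      }
    }
  }
  if (!registryUrl.startsWith('https://')) findings.push('registry URL is not https');
  if (!scopedToRegistry) findings.push('no @scope:registry mapping points at the GitLab registry; scoped installs would go to the default registry');
  return findings;
}

// Constructed sample: a config a customer might write by hand, with a global,
// hard-coded token (value is a placeholder, not a real credential).
const SAMPLE_REGISTRY = 'https://gitlab.example.com/api/v4/packages/npm/';
const SAMPLE_BAD_NPMRC = [
  '@acme:registry=https://gitlab.example.com/api/v4/packages/npm/',
  '_authToken=token-PLACEHOLDER',
].join('\n') + '\n';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderNpmrc('@acme', SAMPLE_REGISTRY, 'NPM_TOKEN'));
  console.log(auditNpmrc(SAMPLE_BAD_NPMRC, SAMPLE_REGISTRY));
}
```

The audit only reads the file; the read-only property of the token itself (a deploy token limited to reading the package registry, rather than a personal token) has to be enforced on the GitLab side when the token is issued, and rotating or revoking per-customer tokens is what keeps one leaked customer config from exposing the rest.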