Using private GitHub repositories with yarn and npm in package.json

Whether you are working on a JavaScript project or a Rails one with Webpack you might come to the point where you need to reference a private GitHub repository as your dependency in package.json. Here are two options on how to do that.


First one is to use a special GitHub system user with access to the repository and generate an access token for this user that can be used directly as basic authentication in the HTTPS call. To do that go to Settings > Developer settings on GitHub. There you can switch to Personal access tokens and click Generate new token. Once you define the scopes for the token you can use this token in package.json as follows:

"fancy": "git+"

fancy is the name of our secret fancy JavaScript project, 4c7ee8df5fc91c55b2553569d39189a2c4fa6ea1 is the generated token, strzibny/fancy is the repository location and desired-branch is the branch we want.

Note that this option requires you to commit the token but as long as it’s for a private repository and you created a special system user for this it does not have to be the end of the world.


The second option is to use good old SSH. In this case the URL to reference does not need any token:

"fancy": "git+ssh://"

For SSH option to work you obviously need to be sure you have as a user access to this particular repository and you have generated SSH key for yourself in Settings > SSH and GPG keys. Here is the GitHub guide on adding this key to the ssh-agent.

Even though the SSH option look like the obvious choice, there might be a case where the token works better. For instance it would work automatically on CI server and for all your users even from virtualized environments and you are not forcing anybody to set up SSH keys.


I am writing a complete guide on web application deployment. Ruby with Puma, Python with Gunicorn, NGINX, PostgreSQL, Redis, networking, processes, systemd, backups, and all your usual suspects. 20 chapters and 2 case studies already available.

More →