
I'm trying to install github private repository by npm that includes other private github repositories as dependency.

Have tried a lot of ways and posts but none is working. Here is what i'm doing :

npm install git+

in package.json is like :

"dependencies": {
    "repository1name": "git+",
    "repository2name": "git+"

What is the the right way to do it?

The following worked just fine in all scenarios i needed :

"dependencies": {
"GitRepo": "git+https://<token-from-github><user>/<GitRepo>.git"

Try this:

"dependencies" : {
  "name1" : "git://",
  "name2" : "git://"

You could also try this, where visionmedia/express is name/repo:

"dependencies" : {
   "express" : "visionmedia/express"

Or (if the npm package module exists):

"dependencies" : {
  "name": "*"

Taken from NPM docs

For those of you who came here for public directories, from the npm docs:

Git URLs as Dependencies

Git urls can be of the form:


The commit-ish can be any tag, sha, or branch which can be supplied as an argument to git checkout. The default is master.

The accepted answer works, but I don't like much the idea to paste secure tokens into the package.json

I have found it elsewhere, just run this one-time command as documented in the git-config manpage.

git config --global url."https://${GITHUB_TOKEN}".insteadOf

GITHUB_TOKEN may be setup as environmnet variable or pasted directly

and then I install private github repos like: npm install user/repo --save

works also in Heroku, just setup the above git config ... command as heroku-prebuild script in package.json and setup GITHUB_TOKEN as Heroku config variable.

There are multiple ways to do it as people point out, but the shortest versions are:

// from master
"depName": "user/repo",

// specific branch
"depName": "user/repo#branch",

// specific commit
"depName": "user/repo#commit",

// private repo
"depName": "git+https://[TOKEN]"


"dependencies" : {
  "hexo-renderer-marked": "amejiarosario/dsa.jsd#book",
  "hexo-renderer-marked": "amejiarosario/dsa.js#8ea61ce",
  "hexo-renderer-marked": "amejiarosario/dsa.js",
"dependencies": {
  "some-package": "github:github_username/some-package"

or just

"dependencies": {
  "some-package": "github_username/some-package"

Since Git uses curl under the hood, you can use ~/.netrc file with the credentials. For GitHub it would look something like this:

  login <github username>
  password <password OR github access token>

If you choose to use access tokens, it can be generated from:

Settings -> Developer settings -> Personal access tokens

This should also work if you are using Github Enterprise in your own corporation. just put your enterprise github url in the machine field.

Here is a more detailed version of how to use the Github token without publishing in the package.json file.

  1. Create personal github access token
  2. Setup url rewrite in ~/.gitconfig
git config --global url."https://<TOKEN HERE>".insteadOf
  1. Install private repository. Verbose log level for debugging access errors.
npm install --loglevel verbose --save git+<USERNAME HERE>/<REPOSITORY HERE>.git#v0.1.27

In case access to Github fails, try running the git ls-remote ... command that the npm install will print

Further, in order to make key's access secure

  1. Create .env file at the same directory level where package.json resides.
  2. Mention PERSONAL_ACCESS_TOKEN=******************************* into .env file
  3. Dont forget to add '.env' into .gitingore list which will prevent exposing key to outside world while you make git commit to your repo.
  4. Now you can add your dependency in package.json as below,


"dependencies": { ... "my-private-github-repo": "git+https://${ENV.PERSONAL_ACCESS_TOKEN}", ... }

There are other ways using 'DOTENV' npm package, but it could not do much when we are trying to resolve "Github" package dependency. Above seems to be straight forward solution.

There's also SSH Key - Still asking for password and passphrase

Using ssh-add ~/.ssh/id_rsa without a local keychain.

This avoids having to mess with tokens.

If you want to add the dependency that is not anchored to master nor to a particular commit, you can do it by using semver. Like that:

"dependencies": {
  "some-package": "github:github_username/some-package#semver:^1.0.0"

For my private repository reference I didn't want to include a secure token, and none of the other simple (i.e. specifying only in package.json) worked. Here's what did work:

  1. Went to
  2. Navigated to Private Repository
  3. Clicked "Clone or Download" and Copied URL (which didn't match the examples above)
  4. Added #commit-sha
  5. Ran npm install

Note that the github repos that you try to add as a dependency to your package.json file needs to have its own package.json file defined.

