Purpose
Enable developers to discover, authenticate, install, and safely use internal packages (shared libraries, SDKs, UI kits) across projects—without security or versioning issues.
Scope
- Applies to all projects using private registries or internal repos.
- Covers discovery → access/auth → install → update → troubleshooting → deprecation/migration.
- Tech-agnostic with examples for Node (npm/yarn/pnpm), Python (pip/Poetry), Java (Maven/Gradle), iOS (CocoaPods/SPM), Flutter (pub).
Objectives
- Standardize how internal packages are consumed.
- Ensure secure access (tokens, least-privilege).
- Reduce breakage via semantic versioning & pinning.
- Create a clear path for updates and deprecations.
Step-by-Step Usage
Step 1 — Discover the right package
- Open the Internal Package Catalog (Notion/Confluence page or Nexus/Artifactory index).
- Filter by language → capability → status (stable/experimental/deprecated).
- Read the README & CHANGELOG for install instructions and breaking changes.
- Confirm compatibility matrix (runtime versions, platform, frameworks).
If the package is missing, submit a New Package Request (template at the end).
Step 2 — Get access (one-time)
A. Obtain credentials
- Request scoped access via “Access Request & Tool Provisioning Workflow” (EPIC 1 – Doc 7).
- Receive token via the secrets manager (never via chat/email).
B. Configure your client
Node (npm/yarn/pnpm)
Create/update ~/.npmrc (user-level) or use project-level .npmrc:
# Example for GitHub Packages
@our-scope:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${NPM_TOKEN}always-auth=true
Python (pip/Poetry)
Create/update ~/.pip/pip.conf (Windows: %APPDATA%\pip\pip.ini) or project pip.conf:
[global]index-url = https://<user>:${PIP_TOKEN}@pypi.our-internal.com/simple
Poetry:
# pyproject.toml[[tool.poetry.source]]name = "internal"url = "https://pypi.our-internal.com/simple"priority = "primary"
Java (Maven/Gradle)
Maven ~/.m2/settings.xml:
<servers>
<server>
<id>internal</id>
<username>${env.ART_USER}</username>
<password>${env.ART_TOKEN}</password>
</server>
</servers>
pom.xml:
<repositories>
<repository>
<id>internal</id>
<url>https://maven.our-internal.com/repository/releases</url>
</repository>
</repositories>
iOS (CocoaPods / SPM)
CocoaPods ~/.netrc or keychain credentials; Podfile:
source 'https://github.com/CocoaPods/Specs.git' source 'https://git.our-internal.com/ios-specs.git'
SPM: Add internal Git URL in Xcode → Package Dependencies (use SSH).
Flutter (pub)
pubspec.yaml with Git source or internal pub server:
dependencies:our_sdk:hosted:name: our_sdkurl: Our-internalpub.our-internal.com
version: ^1.2.0
Security: Store tokens in env vars (e.g.,
NPM_TOKEN,ART_TOKEN) injected by your shell/profile or direnv—never commit to VCS.
Step 3 — Install & pin versions
Node
npm i @our-scope/feature-lib@^2.3.0 # or yarn add @our-scope/feature-lib@~2.3.4
- Use ^ to accept minor & patch updates, ~ for patch-only, or exact for strict pinning (critical paths).
Python
pip install our-sdk==1.4.2 # Poetry poetry add our-sdk@^1.4
Java
<dependency> <groupId>com.our</groupId> <artifactId>core-sdk</artifactId> <version>1.5.3</version> </dependency>
iOS
pod 'OurSDK', '~> 1.4'# or SPM exact/range in Xcode UI
Flutter
our_sdk: ^1.4.0
Rule of Thumb
App code: Prefer ~ (patch) or exact for critical modules.
Libraries/SDK consumers: Prefer ^ (minor & patch) with a lockfile.
Step 4 — Verify usage
- Import the package in a small spike file/module and compile.
- Run unit tests (or quick scaffold tests) to ensure types & APIs are correct.
- Check runtime by starting your app and hitting a simple code path.
- If the package includes post-install scripts (e.g., linking native deps), verify they ran.
Step 5 — Update safely
- Read the CHANGELOG (look for BREAKING).
- Update one minor version at a time; never jump across majors blindly.
- Run local tests, then CI on your feature branch.
- If migration notes exist, follow them; otherwise log gaps for maintainers.
- Tag the PR with
deps:internalfor visibility.
Step 6 — Report issues & contribute fixes
Open an issue in the package repo using the Bug/Feature template.
- Attach repro steps, versions, logs, and environment.
- For urgent fixes, coordinate with maintainers (Dev Lead) and open a PR against
developwith tests.
Governance & Standards
Versioning & Stability
- All internal packages must use SemVer:
MAJOR.MINOR.PATCH. - Breaking changes → bump MAJOR and provide migration notes.
- Consumers should pin (
~) or lock (lockfile) for deterministic builds.
Security & Access
- Tokens are scoped (read-only for consumers).
- Tokens live in vault and are injected via CI or local secrets; no plaintext in repos.
- Remove access when a developer rolls off the project (EPIC 7 – Security).
Quality Signals (before adoption)
- Package must have: README, CHANGELOG, LICENSE (internal), tests ≥ 70% cov, CI status badge, semantic-release or documented release process.
Deprecation Policy
- Mark as Deprecated in Catalog with EOL date and migration path.
- Provide a compat layer or codemod where feasible.
- Communicate via release notes + #dev-announcements.
Troubleshooting (Quick Reference)
| Symptom | Likely Cause | Fix |
| 401/403 when installing | Token missing/wrong scope | Re-auth; check .npmrc/pip.conf scopes; refresh token |
| Package not found | Wrong registry or scope | Verify registry URL & package scope; check Catalog |
| Build fails on native step | Missing toolchain (Pods/NDK) | Run platform setup (Doc 3/4); re-run pod install/NDK |
| Runtime import error | Version mismatch or tree shaking | Match peer deps; check bundler config; restart dev server |
| API break after update | Major change without migration | Rollback via lockfile; read CHANGELOG; follow migration guide |
Templates & Snippets
1) .npmrc (project–level)
@our-scope:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${NPM_TOKEN}always-auth=true
2) pip.conf (project-level)
[global]index-url = https://<user>:${PIP_TOKEN}@pypi.our-internal.com/simple
timeout = 60
3) CHANGELOG format (keepachangelog style)
## [2.3.0] - 2025-08-01### Added- New AuthClient.refreshToken() ### Fixed- Retry logic for 429 ### Breaking- Removed deprecated `AuthClient.legacyLogin()` - Migrate to `AuthClient.login(email, otp)`
4) Deprecation Notice (maintainer → consumers)
**Package**: @our-scope/logger **Status**: DEPRECATED **EOL**: 2025-12-31 **Replacement**: @our-scope/telemetry **Migration**: 1) Replace imports 2) Update config key `logger.level` → `telemetry.logLevel` 3) Remove manual batching; built-in exporter enabled by default
5) New Package Request (submit in portal)
| Field | Entry |
| Problem to solve | |
| Proposed name/scope | |
| Language/Runtime | |
| Expected consumers | |
| Security/PII considerations | |
| Owner/Maintainer | |
| ETA & release plan |
Do’s & Don’ts
Do’s
- Use scoped tokens and project-level config where possible.
- Pin or lock versions for deterministic builds.
- Read CHANGELOG before updates; test migrations on a branch.
- Log issues with repro, logs, and env.
Don’ts
- Don’t commit tokens or
.envto VCS. - Don’t auto-upgrade majors in CI.
- Don’t publish internal code to public registries.
- Don’t fork & drift—contribute upstream to the internal package.