Say you have a package in a private Bitbucket repo that you want to include as a dependency. It turns out you don't have to publish it to the npm registry and trust that it's "private", like they recommend, and you also don't have to create your own registry, which looks even more painful.

You can instead add this to your dependencies (this is in package.json):

{
  "dependencies": {
    "@my-company/my-private-package": "git+ssh://git@bitbucket.org/my-company/my-private-package.git",
    ...
  }
  ...
}

Then just call $ yarn install (because why not yarn!) and, assuming you have read permissions for your repo, it will put it in /node_modules for you to use it like so:

import MyAwesomeThing from "@my-company/my-private-package";

You can even target a specific commit by appending it to the dependency definition: .../my-private-package.git#2fbf8ae", (also supposed to work with branches and tags, somehow, didn't check).

By the way, the @ sign has to do with grouping packages, or "scopes" as they call it. In this example, we're basically grouping packages from our imaginary company.

Latest on npm