Ngrok agent < 3.1 no longer supported (affects out-of-box experience with ACE for non-paid ngrok plans)

Apologies @nathanwaters for the late announcement on this thread

Thank you, everyone, for your contributions over the past day.
We have just released 10.0.0, which includes a community contribution to allow passing a custom ngrok configuration via credentials.json. This will hopefully support many partners' use cases.

To provide an NGROK token via the NGROK_AUTHTOKEN environment variable you can define the following in credentials.json:
"ngrok": { "authtoken_from_env": true }

Otherwise, you can add it like this:

"ngrok": { "authtoken": "<token>" }

The README files, template and atlas-connect tool have also been updated, and any tutorials or examples will be updated soon.


Hi @dboyd ,

We are currently moving to ACE 10.xxx.
In release 9.xxx the dependency @ngrok/ngrok moved from npm devDependencies to dependencies.
I would argue that having ngrok in the production build is a potential security issue. Doesn’t it belong to devDependencies in package.json?


@marc It was an intentional move to dependencies. It’s part of the supported, out-of-the-box operation when using ACE for the first time, so we felt it belonged there. For us, that scenario is production, but for vendors like yourself it might not be, so it’s a bit tricky.

Hi @dboyd ,
usually when you do

npm install

the devDependencies are also installed. Only if you do

npm install --production

the devDependencies are not installed.

Here is the quote from the manual npm-install | npm Docs

By default, npm install will install all modules listed as dependencies in package.json.

With the --production flag (or when the NODE_ENV environment variable is set to production), npm will not install modules listed in devDependencies. To install all modules listed in both dependencies and devDependencies when NODE_ENV environment variable is set to production, you can use --production=false.

So I would argue that in the normal development flow, ngrok will be installed with npm install and there is no need to put it into dependencies.

Hi @marc

devDependencies of libraries (subdependencies of your project) are never installed, not just when you use the --production flag. They are completely ignored by the package manager.

Hence, this is why we previously included ngrok as a devDependency in the default starter template for new ACE projects. The downside of this is we as the library authors don’t get any control over the version (requiring users to manually update if we drop support for an old ngrok version).

So, we have published a new version of ACE (10.0.2) with @ngrok/ngrok listed under optionalDependencies.
It will still be installed by default, but can easily be omitted by using npm’s --omit=optional flag, or yarn’s --ignore-optional flag.

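To make the install rules discussed above concrete (transitive devDependencies are never installed; optionalDependencies are installed unless omitted), here is an added example that is not ACE project code: a small model of npm's resolution over a constructed package graph in which atlassian-connect-express lists @ngrok/ngrok under optionalDependencies, plus a check a vendor could run to confirm a production install carries no tunnelling tool. The registry contents and version numbers are made up for illustration.

```javascript
// Added example (not ACE code): toy model of the npm install rules described in the thread.
const registry = {                      // constructed package graph, not real manifests
  "my-ace-app": {                       // the root project being installed
    dependencies: { "atlassian-connect-express": "10.0.2" },
    devDependencies: { "eslint": "8.0.0" },
  },
  "atlassian-connect-express": {        // library: ngrok now under optionalDependencies
    dependencies: { "express": "4.18.2" },
    devDependencies: { "mocha": "10.0.0" },   // never installed for a subdependency
    optionalDependencies: { "@ngrok/ngrok": "1.0.0" },
  },
  "express": { dependencies: {} },
  "@ngrok/ngrok": { dependencies: {} },
  "eslint": { dependencies: {} },
  "mocha": { dependencies: {} },
};

// groupsFor returns the dependency groups npm resolves for one package.
// The root gets devDependencies unless dev is omitted; subdependencies never do.
// optionalDependencies are included everywhere unless `optional` is omitted.
function groupsFor(isRoot, omit) {
  const groups = ["dependencies"];
  if (isRoot && !omit.includes("dev")) groups.push("devDependencies");
  if (!omit.includes("optional")) groups.push("optionalDependencies");
  return groups;
}

// resolveTree walks the graph breadth-first and returns the sorted set of
// packages that would land in node_modules for `npm install --omit=<omit>`.
function resolveTree(root, omit = []) {
  const installed = new Set();
  const queue = [[root, true]];
  while (queue.length) {
    const [name, isRoot] = queue.shift();
    const manifest = registry[name];
    if (!manifest) throw new Error(`unknown package ${name}`);
    for (const group of groupsFor(isRoot, omit)) {
      for (const dep of Object.keys(manifest[group] || {})) {
        if (!installed.has(dep)) { installed.add(dep); queue.push([dep, false]); }
      }
    }
  }
  return [...installed].sort();
}

// auditRemoteAccess flags tunnelling tools that a production build should not carry.
function auditRemoteAccess(tree, denylist = ["@ngrok/ngrok"]) {
  return tree.filter((p) => denylist.includes(p));
}
```

With no omit flags the resolved tree contains @ngrok/ngrok; with `["dev", "optional"]` (the equivalent of `--omit=dev --omit=optional`) it contains only atlassian-connect-express and express, and the audit returns an empty list.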

Hi @SamLeatherdale ,
Thanks for the follow up.

I can understand that you as a library author want to control the version of ngrok for development.
However, I’m concerned with security in production, and installing remote access software by default in production environments.
We’ll see if/how we can implement npm’s --omit=optional flag.