Ngrok agent < 3.1 no longer supported (affects out-of-box experience with ACE for non-paid ngrok plans)

Apologies @nathanwaters for the late announcement on this thread

Thank you everyone for their contributions over the past day.
We have just released 10.0.0 which includes a community contribution to allow passing a custom ngrok configuration via credentials.json. This will hopefully support many partners use cases.

To provide an NGROK token via the NGROK_AUTHTOKEN environment variable you can define the following in credentials.json:
"ngrok": { "authtoken_from_env": true }

Otherwise, you can add it like this:

"ngrok": { "authtoken": "<token>" }

The README files, template and atlas-connect tool have also been updated, and any tutorials or examples will be updated soon


Hi @dboyd ,

We are currently moving to ACE
In release the dependency @ngrok/ngrok moved from npm devDependencies to dependencies.
I would argue that having ngrok in the production build is a potential security issue. Doesn’t it belong to devDependencies in package.json?

1 Like

@marc It was an intentional move to dependencies. It’s part of the supported, out-of-the-box operation when using ACE for the first time, so we felt it belonged there. For us, that scenario is production, but for vendors like yourself it might not be, so it’s a bit tricky

Hi @dboyd ,
usually when you do

npm install

the devDependencies are also installed. Only if you do

npm install --production

the devDependencies are not installed.

Here is the quote from the manual npm-install | npm Docs

By default, npm install will install all modules listed as dependencies in package.json.

With the --production flag (or when the NODE_ENV environment variable is set to production), npm will not install modules listed in devDependencies. To install all modules listed in both dependencies and devDependencies when NODE_ENV environment variable is set to production, you can use --production=false.

So I would argue in the normal development flow, ngrok will be instlled with npm install and there is no need to put it into dependencies.

Hi @marc

devDependencies of libraries (subdependencies of your project) are never installed, not just when you use the --production flag. They are completely ignored by the package manager.

Hence, this is why we previously included ngrok as a devDependency in the default starter template for new ACE projects. The downside of this is we as the library authors don’t get any control over the version (requiring users to manually update if we drop support for an old ngrok version).

So, we have published a new version of ACE (10.0.2) with @ngrok/ngrok listed under optionalDependencies.
It will still be installed by default, but can easily be omitted by using npm’s --omit=optional flag, or yarn’s --ignore-optional flag.


Hi @SamLeatherdale ,
Thanks for the follow up.

I can understand that you as a library author want to control the version of ngrok for development.
However I’m concerned with security in production, and installing remote access software by default in production environments.
We’ll see if/how we can implement npm’s --omit=optional flag.