Catch up on highlights from Firebase at Google I/O 2023. Learn more

Handling dependencies

A function is allowed to use external Node.js modules as well as local data. Dependencies in Node.js are managed with npm and expressed in a metadata file called package.json. The Cloud Functions Node.js runtimes generally support installing using npm or yarn.

To specify a dependency for your function, add it to your package.json file.

In this example, a dependency is listed in the package.json file:

  "dependencies": {
    "escape-html": "^1.0.3"

The dependency is then imported in the function:


const escapeHtml = require('escape-html');

// Return a greeting with the input HTML-escaped.
exports.hello = functions.https.onRequest((req, res) => {
  res.send(`Hello ${escapeHtml( || || 'World')}!`);


import * as escapeHtml from 'escape-html';

// Return a greeting with the input HTML-escaped.
export let hello = functions.https.onRequest((req, res) => {
  res.send(`Hello ${escapeHtml( || || 'World')}!`);

Including local Node.js modules

You can also include local Node.js modules as part of your function. You can achieve this by declaring your module in package.json using the file: prefix. In the following example, mymodule refers to your module name and mymoduledir is the directory containing your module:

  "dependencies": {
    "mymodule": "file:mymoduledir"

The code for this local module should be stored somewhere other than the node_modules folder within your function's root directory.

Additional steps for TypeScript

TypeScript helps you most when you use libraries that have type information. This lets TypeScript catch syntax errors and lets editors give you better autocomplete suggestions. Some libraries, like firebase-admin and firebase-functions, ship with TypeScript definitions included.

Many libraries do not provide their own TypeScript definition. The DefinitelyTyped project provides community-maintained definitions for the most popular node libraries. DefinitelyTyped publishes these definitions under the same NPM package name, but inside the "@types" organization. For example, you can install the type information for the uuid library with the following:

npm install @types/uuid

As you become more familiar with TypeScript, you might find yourself combining both installs:

npm install uuid @types/uuid

Type dependencies should be the same kind as the library dependency. For example, you should not save uuid as a normal dependency and @types/uuid as a dev dependency or peer dependency.

Loading Node.js modules

Use the Node.js require() function to load any Node.js module you have installed. You can also use the require() function to import local files you deploy alongside your function.

If you are writing functions in TypeScript, use the import statement in the same way to load any Node.js module you have installed.

Using private modules

You can use a private npm module by providing settings for authenticating with the registry in a .npmrc file in the function's directory. If you're using Yarn v2 or higher as your package manager, this file is named .yarnrc.yml.

Private modules from Artifact Registry

An Artifact Registry Node.js package repository can host private modules for your function. When you deploy a Google Cloud Functions function, the build process automatically generates Artifact Registry credentials for the Cloud Build service account. You only need to list the Artifact Registry repository in your .npmrc without generating additional credentials. For example:


This approach also works for the Yarn v1 package manager. If you're using Yarn v2 or higher, you only need to list the Artifact Registry repository in your .yarnrc.yml without additional credentials. For example:

    npmAlwaysAuth: true

Private modules from other repositories

The npm documentation explains how to create custom read-only access tokens. We discourage using the .npmrc file created in the home directory because it contains a read-write token. Write permissions are not required during deployment, and could pose a security risk.

Do not include the .npmrc file if you're not using private repositories, as it can increase the deployment time for your functions.

File format

If you're using an .npmrc file to set a custom auth token, it should include the line shown below.



  • REGISTRY_DOMAIN: the domain name of your private npm registry. If your repository is hosted with, set this field to
  • AUTH_TOKEN: the authorization token for your npm registry. This can either be the literal text value of the token or the text string ${NPM_TOKEN}, which npm replaces with the actual token value from the environment.

    You can set the $NPM_TOKEN environment variable with the --set-build-env-vars argument to your gcloud functions deploy command. See the NPM tutorial on private modules for more details of the NPM auth token.