The security constraints remain on the shoulders of the plugin being used, by default `verdaccio` uses the [htpasswd plugin](https://github.com/verdaccio/verdaccio-htpasswd). Si usas una extensión diferente ten en cuenta que el comportamiento podría ser diferente. The default plugin does not handle `allow_access` and `allow_publish` by itself, it uses an internal fallback in case the plugin is not ready for it.
All users recieve all those set of permissions independently of is anonymous or not plus the groups provided by the plugin, in case of `htpasswd` return the username as a group. Por ejemplo, si has iniciado sesión como ` npmUser` el listado de grupos será.
If you want to protect specific set packages under your group, you need to do something like this. Vamos a usar un `Regex` que cubre los todos los páquetes prefijos con`npmuser-`. We recomend using a prefix for your packages, in that way it will be easier to protect them.
Puedes cambiar el comportamiento por defecto usando una diferente extensión de autenticación. `verdaccio` just checks whether the user that tried to access or publish a specific package belongs to the right group.
You might want to block one or several packages from fetching from remote repositories., but, at the same time, allow others to access different *uplinks*.
Se **consciente que el orden de la definición de los paquetes es importante y siempre usa doble wildcard**. Because if you do not include it `verdaccio` will include it for you and the way that your dependencies are resolved will be affected.
> We higlight that we recommend to not use **allow_access**/**allow_publish** and **proxy_access** anymore, those are deprecated and will soon be removed, please use the short version of each of those (**access**/**publish**/**proxy**).
