github.com
/
verdaccio
mirror of https://github.com/verdaccio/verdaccio.git
1
0
Fork 0
Code Releases Wiki Activity

chore: add versioning website (#3320) 

* chore: add versioning website

* Update docusaurus.config.js

* chore: updated versions

* Update docusaurus.config.js
This commit is contained in:
Juan Picado 2022-10-01 17:21:26 +02:00 committed by GitHub
parent 3dc8591e26
commit 0041d9407d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
51 changed files with 4665 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
website/docusaurus.config.js
View File

@ -6,7 +6,6 @@ const progress = translations;
const isDeployPreview = process.env.CONTEXT === "deploy-preview";
const isProductionDeployment = process.env.CONTEXT === "production";
// const localesWithLowRatioOfTranslation = ["ar-SA", "fil-PH", "gl-ES", "hi-IN", "ja-JP", "ko-KR", "pt-PT", "sr-SP", "tg-TJ", "ro-RO", "zh-CN"];
const i18nConfig = {
defaultLocale: 'en',
locales: isDeployPreview ? ['en'] : [
@ -106,7 +105,11 @@ module.exports = {
label: 'Docs',
},
{ to: '/blog', label: 'Blog', position: 'left' },
{ to: '/help', label: 'Help', position: 'left' },
{ to: '/help', label: 'Help', position: 'left' },
{
type: 'docsVersionDropdown',
"position": "right",
},
{
href: 'https://opencollective.com/verdaccio',
label: 'Sponsor us',
@ -139,7 +142,7 @@ module.exports = {
'aria-label': 'GitHub repository',
},
],
},
},
footer: {
style: 'dark',
links: [
@ -236,6 +239,15 @@ module.exports = {
}
return `https://github.com/verdaccio/verdaccio/edit/master/website/docs/${docPath}`;
},
lastVersion : '5.x',
versions: {
current: {
label: `6.x`,
},
'5.x': {
label: `5.x (Latest)`,
},
},
},
googleAnalytics: {
trackingID: 'UA-2527438-21'
@ -259,7 +271,7 @@ module.exports = {
},
theme: {
customCss: require.resolve('./src/css/custom.scss'),
},
},
},
],
],

2
website/package.json
View File

@ -1,7 +1,7 @@
{
"private": true,
"name": "@verdaccio/website",
"version": "5.14.0",
"version": "5.15.4",
"scripts": {
"docusaurus": "docusaurus",
"start": "docusaurus start",

54
website/versioned_docs/version-5.x/amazon.md Normal file
View File

@ -0,0 +1,54 @@
---
id: amazon
title: "Amazon Web Services"
---
This document describes several approaches for deploying Verdaccio in the AWS cloud.
## EC2 {#ec2}
[CloudFormation template for deploying this stack.](https://github.com/verdaccio/verdaccio/blob/master/contrib/aws/cloudformation-ec2-efs.yaml)
Architecture:
```
Clients
|
| (HTTPS)
v
Application Load Balancer
|
| (HTTP)
v
EC2 Auto Scaling Group (Amazon Linux 2)
Docker image (Verdaccio)
|
| (NFS)
v
Elastic File System
```
Architecture notes:
* Deploy this stack into the region closest to your users for maximum performance.
* We use an auto scaling group primarily for self-healing. The system requirements of Verdaccio are pretty low, so it's unlikely you'll need multiple instances to handle traffic load.
* Because Amazon Linux 2 doesn't include Node, we run Verdaccio as a Docker image rather than natively on the instance. This is faster and more secure than relying on third party package sources for Node.
* Elastic File System is cheap and stateful, and works across AZs. An alternative would be the [third-party S3 storage plugin](https://github.com/remitly/verdaccio-s3-storage).
* For backup, use AWS Backup
Estimated monthly cost for a small installation (in us-east-1):
* ALB (1 LCU average): $22.265/mo
* EC2 (t3.nano): $3.796/mo
* EBS (8gb): $0.80/mo
* EFS (5gb): $1.5/mo
* Data transfer: (10gb): $0.9/mo
* **TOTAL:** Under $30/mo
## ECS {#ecs}
You can deploy Verdaccio as a task with an [ECS Volume](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_data_volumes.html) for persistent storage.
Note: Fargate doesn't support persistent volumes, so you have to use the S3 storage plugin.
## EKS {#eks}
See the documentation pages on [Kubernetes](kubernetes) and [Docker](docker).

21
website/versioned_docs/version-5.x/ansible.md Normal file
View File

@ -0,0 +1,21 @@
---
id: ansible
title: "Ansible"
---
We have a customised solution for `verdaccio` in our organization.
[https://github.com/verdaccio/ansible-verdaccio](https://github.com/verdaccio/ansible-verdaccio)
#### Other options {#other-options}
* Ansible role for Gentoo users: [jirutka/ansible-role-sinopia](https://github.com/jirutka/ansible-role-sinopia).
* Ansible role for Ubuntu users: [jagregory/sinopia-ansible](https://github.com/jagregory/sinopia-ansible).
* ansible-verdaccio-role [https://github.com/refinery29/ansible-verdaccio-role](https://github.com/refinery29/ansible-verdaccio-role)
#### Related talks {#related-talks}
> Only in Spanish
<iframe width="560" height="315" src="https://www.youtube.com/embed/EWAxCgZQMAY?enablejsapi=1" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

100
website/versioned_docs/version-5.x/articles.md Normal file
View File

@ -0,0 +1,100 @@
---
id: articles
title: "Articles"
---
Below is a list of articles about Verdaccio. If you have written a blog post or tutorial that mentions Verdaccio, feel free to add it here!
> Any language is allowed
## Maintainer Articles {#maintainers-articles}
* [An Introduction to Verdaccio](https://medium.com/@jotadeveloper/an-introduction-to-verdaccio-f6c72e865425)
* [Five use cases where a npm private proxy fits in your workflow](https://medium.com/@jotadeveloper/five-use-cases-where-a-npm-private-proxy-fits-in-your-workflow-632a81779c14)
* [An Introduction to Verdaccio](https://medium.com/@jotadeveloper/an-introduction-to-verdaccio-f6c72e865425)
* [NPM Registry for your organisation](https://medium.com/@ayusharma.in/npm-registry-for-your-organisation-aeb8ea76144)
* [Verdaccio 3 released 🎉!!](https://medium.com/verdaccio/verdaccio-3-released-feb06ef38558)
* [The crazy story of Verdaccio](https://medium.com/verdaccio/the-crazy-story-of-verdaccio-d35d924728bc)
* [Verdaccio 4 alpha release 🚀](https://medium.com/verdaccio/verdaccio-4-alpha-release-400c7ed4884d)
* [Verdaccio and deterministic lock files](https://medium.com/verdaccio/verdaccio-and-deterministic-lock-files-5339d82d611e)
* [Setting up Verdaccio on DigitalOcean](https://medium.com/verdaccio/setting-up-verdaccio-on-digitalocean-61b5d08e4f0d)
* [How I learned React Js and how you can…](https://medium.com/verdaccio/how-i-learned-react-js-and-how-you-can-8663f938426c)
* [How did I fall in the open source world…and that was a nice thing!](https://medium.com/@priscilawebdev/how-do-i-fall-in-the-open-source-world-and-that-was-a-nice-thing-b0e85d05490d)
# Articles / Blogs / Tutorials (by Language)
### Remarkable Articles {#remarkable-articles}
* [Why Private Npm Registries Matter and How Verdaccio Makes It Easy](https://fusebit.io/blog/private-npm-verdaccio/?utm_source=verdaccio.org&utm_medium=referral)
* [Automating package publishing in JavaScript projects](https://blog.codecentric.de/en/2021/02/automating-package-publishing-in-javascript-projects/)
* [10 npm Security Best Practices](https://snyk.io/blog/ten-npm-security-best-practices/)
* [Cover Your Apps While Still Using npm](https://nodesource.com/blog/cover-your-apps-while-still-using-npm/)
* [Containerizing Node.js Applications with Docker](https://nodesource.com/blog/containerizing-node-js-applications-with-docker)
* [Verdaccio - A lightweight npm proxy registry - Interview with Juan Picado](https://survivejs.com/blog/verdaccio-interview/)
* [Host, Publish and Manage Private npm Packages with Verdaccio](https://www.sitepoint.com/private-npm-packages-verdaccio/)
* [Free Private NPM with Verdaccio and AWS](https://medium.com/@odahcam/free-private-npm-with-verdaccio-and-aws-a88e6f0f4beb)
* [Run your own Unity Package Server!](https://medium.com/@markushofer/run-your-own-unity-package-server-b4fe9995704e)
* [Ways to have your private npm registryand a final DIY solution](https://medium.com/engenharia-noalvo/ways-to-have-your-private-npm-registry-and-a-final-diy-solution-eed001a88e74)
* [How to set up a free private npm registry… for Windows](https://medium.com/@Anderson7301/how-to-set-up-a-free-private-npm-registry-for-windows-f532c6a381ce)
* [Setup a Private NPM Server on Azure in 45 Seconds](https://edi.wang/post/2020/7/7/setup-a-private-npm-server-on-azure-in-45-seconds)
### English {#english}
* [Testing your npm package before releasing it using Verdaccio + ngrok](https://medium.com/strapi/testing-your-npm-package-before-releasing-it-using-verdaccio-ngrok-28e2832c850a)
* [Host your own private NPM repository with Verdaccio](https://medium.com/devopslinks/host-your-own-private-npm-repository-with-verdaccio-e8a3202b97c5)
* [Local npm private registry with zero configuration](https://dev.to/iriskatastic/local-npm-private-registry-with-zero-configuration-njo)
* [It depends. On the registry](https://blog.softwaremill.com/it-depends-on-the-registry-8fa9d9c5a3b)
* [Host, Publish and Manage Private npm Packages with Verdaccio](http://allprowebdesigns.com/2017/01/host-publish-and-manage-private-npm-packages-with-verdaccio/)
* [Setting Up a Private NPM Registry](https://gir.me.uk/posts/private-npm-registry.html)
* [Testing NPM alpha / beta / rc packages](https://medium.com/@the1mills/testing-npm-alpha-beta-rc-packages-108b65eb03d2)
* [Running a local npm repository on Windows Server using Verdaccio](https://robertwray.co.uk/blog/running-a-local-npm-repository-on-windows-server-using-verdaccio)
* [Kubernetes private NPM registry](https://medium.com/@tompape/kubernetes-private-npm-registry-fb5f450fa611)
* [Verdaccio examples for Google Cloud and K8s setups. https://github.com/papezt/verdaccio-examples](https://github.com/papezt/verdaccio-examples)
* [Setting up a private NPM Registry Is Easier Than You Think](https://medium.com/@902Labs/setting-up-a-private-npm-registry-is-easier-than-you-think-455e1bd438f2)
### Japanese {#japanese}
* [Verdaccio でプライベート npm リポジトリをサクッと立てる](http://neos21.hatenablog.com/entry/2017/09/08/080000)
* [verdaccioでprivateなnpmリポジトリを作成](https://qiita.com/mtokiwa/items/1bc22a2270e4408d4cdd)
* [Version control of my own UnityPackage with Unity × Verdaccio / Unity×Verdaccioで自作UnityPackageをバージョン管理する](https://synamon.hatenablog.com/entry/2018/08/15/185607)
### Chinese {#chinese}
* [使用 verdaccio 搭建 npm 私有仓储](https://blog.sigoden.com/verdaccio--private-npm-registry/)
* [Verdaccio一个轻量级的私有npm代理注册表sinopia fork)](https://www.ctolib.com/verdaccio-verdaccio.html)
* [npm 私服工具verdaccio 安装配置试用](http://www.cnblogs.com/rongfengliang/p/7811838.html)
* [搭建私有npm镜像](http://www.blackcater.win/2018/03/01/%E6%90%AD%E5%BB%BA%E7%A7%81%E6%9C%89npm%E9%95%9C%E5%83%8F/)
* [搭建离线npm私库——verdaccio](https://www.jishux.com/plus/view-765581-1.html)
* [[筆記] 建立自己的 npm, 以npm Orgs跟Verdaccio為例](https://medium.com/@ceall8650/%E7%AD%86%E8%A8%98-%E5%BB%BA%E7%AB%8B%E8%87%AA%E5%B7%B1%E7%9A%84-npm-%E4%BB%A5npm-orgs%E8%B7%9Fverdaccio%E7%82%BA%E4%BE%8B-cfb83b2307e6)
### French {#french}
* [Installer un registre NPM](https://allons-y.io/wiki/installer-un-registre-npm)
* [Verdaccio - Un registre de paquets npm](https://blog.yoannfleury.dev/verdaccio-un-registre-de-paquets-npm/)
### Spanish {#spanish}
* [NPM privado: instalar y configurar Verdaccio](https://www.todojs.com/npm-privado-con-verdaccio/)
* [NPM privado: 5 razones y 7 recomendaciones para utilizarlo](https://www.todojs.com/npm-privado-5-razones-y-7-recomendaciones/)
### Portuguese-BR {#portuguese-BR}
* [Problemas com pacotes do npm? Verdaccio pode ser a solução](https://dev.to/dxwebster/pt-br-problemas-com-pacotes-do-npm-verdaccio-pode-ser-a-solucao-2966)
### German {#german}
* [Struktur für große Angular-Anwendungen: Microservices, Module, MonoRepo?](https://jaxenter.de/struktur-angular-anwendungen-67467)
* [Angular in einer Microservices-Welt](https://jaxenter.de/angular-microservices-66445)
* [Privates NPM Repository mit Verdaccio (SSL & Docker)](https://blog.zotorn.de/privates-npm-repository-mit-verdaccio-ssl-docker-1/)
## Slides {#slides}
* [Introduction to Verdaccio VueJS Meetup 2018](https://www.slideshare.net/juancarlospicado/introduction-to-verdaccio)
* [Introduction Verdaccio Vienna JS Meetup 2019](https://docs.google.com/presentation/d/1eam_OtXCQh5IVYyia2GHhxVD8tb37B0yIadVa8wxQSk/edit?usp=sharing)
* [Cover Your Apps While Still Using npm](https://www.slideshare.net/TierneyCoren/cover-your-apps-while-still-using-npm)
* [Unity 2018-2019を見据えたDeNAのUnity開発のこれから [DeNA TechCon 2019]](https://www.slideshare.net/dena_tech/unity-20182019denaunity-dena-techcon-2019)

86
website/versioned_docs/version-5.x/auth.md Normal file
View File

@ -0,0 +1,86 @@
---
id: authentication
title: "Authentication"
---
The authentication is tied to the auth [plugin](plugins.md) you are using. The package restrictions are also handled by the [Package Access](packages.md).
The client authentication is handled by the `npm` client itself. Once you log in to the application:
```bash
npm adduser --registry http://localhost:4873
```
A token is generated in the `npm` configuration file hosted in your user home folder. For more information about `.npmrc` read the [official documentation](https://docs.npmjs.com/files/npmrc).
```bash
cat .npmrc
registry=http://localhost:5555/
//localhost:5555/:_authToken="secretVerdaccioToken"
//registry.npmjs.org/:_authToken=secretNpmjsToken
```
#### Anonymous publish {#anonymous-publish}
`verdaccio` allows you to enable anonymous publish. To achieve that you will need to correctly set up your [packages access](packages.md).
Eg:
```yaml
'my-company-*':
access: $anonymous
publish: $anonymous
proxy: npmjs
```
As is described [on issue #212](https://github.com/verdaccio/verdaccio/issues/212#issuecomment-308578500) until `npm@5.3.0` and all minor releases **won't allow you publish without a token**.
## Understanding Groups {#understanding-groups}
### The meaning of `$all` and `$anonymous` {#the-meaning-of-all-and-anonymous}
As you know *Verdaccio* uses `htpasswd` by default. That plugin does not implement the methods `allow_access`, `allow_publish` and `allow_unpublish`.
Thus, *Verdaccio* will handle that in the following way:
* If you are not logged in (you are anonymous), `$all` and `$anonymous` means exactly the same.
* If you are logged in, `$anonymous` won't be part of your groups and `$all` will match any logged user. A new group `$authenticated` will be added to your group list.
Please note: `$all` **will match all users, whether logged in or not**.
**The previous behavior only applies to the default authentication plugin**. If you are using a custom plugin and such plugin implements
`allow_access`, `allow_publish` or `allow_unpublish`, the resolution of the access depends on the plugin itself. Verdaccio will only set the default groups.
Let's recap:
* **logged in**: `$all` and `$authenticated` + groups added by the plugin.
* **logged out (anonymous)**: `$all` and `$anonymous`.
## Default htpasswd {#default-htpasswd}
In order to simplify the setup, `verdaccio` uses a plugin based on `htpasswd`. Since version v3.0.x the `verdaccio-htpasswd` plugin
is used by default.
```yaml
auth:
htpasswd:
file: ./htpasswd
# Maximum amount of users allowed to register, defaults to "+inf".
# You can set this to -1 to disable registration.
# max_users: 1000
# Hash algorithm, possible options are: "bcrypt", "md5", "sha1", "crypt".
algorithm: bcrypt # by default is crypt, but is recommended use bcrypt for new installations
# Rounds number for "bcrypt", will be ignored for other algorithms.
rounds: 10
```
> The default algorithm is `crypt`, considered not secure for production environments, it's recommended for new installations use `bcrypt` instead. Note after verdaccio 6.x
the default will be `bcrypt`.
Property | Type | Required | Example | Support | Description
--- | --- | --- | --- | --- | ---
file | string | Yes | ./htpasswd | all | file that host the encrypted credentials
max_users | number | No | 1000 | all | set limit of users
algorithm | string | No | bcrypt/md5/sha1/crypt | >=5.13.0 | set hasing password algorithm
rounds | number | No | 10 | >=5.13.0 | Rounds number for "bcrypt", will be ignored for other algorithms
> In case you decide to prevent users from signing up themselves, you can set `max_users: -1`.

194
website/versioned_docs/version-5.x/best-practices.md Normal file
View File

@ -0,0 +1,194 @@
---
id: best
title: "Best Practices"
---
The following guide is a list of the best practices collected and that we usually recommend to all users. Do not take this guide as
mandatory, you might pick some of them according your needs.
**Feel free to suggest your best practices to the Verdaccio community**.
## Private Registry {#private-registry}
You can add users and manage which users can access which packages.
It is recommended that you define a prefix for your private packages, for example `local-*` or scoped `@my-company/*`, so all your private things will look like this: `local-foo`. This way you can clearly separate public packages from private ones.
```yaml
packages:
'@my-company/*':
access: $all
publish: $authenticated
'local-*':
access: $all
publish: $authenticated
'@*/*':
access: $all
publish: $authenticated
'**':
access: $all
publish: $authenticated
```
Always remember, **the order of packages access is important**, packages are matched always top to bottom.
### Using public packages from npmjs.org {#using-public-packages-from-npmjsorg}
If a package doesn't exist in the storage, the server will try to fetch it from npmjs.org. If npmjs.org is down, it serves packages from the cache pretending that no other packages exist. **Verdaccio will download only what's needed (requested by clients)**, and this information will be cached, so if the client requests the same thing a second time it can be served without asking npmjs.org for it.
**Example:**
If you successfully request `express@4.0.1` from the server once, you'll be able to do it again (with all of it's dependencies) any time, even if npmjs.org is down. Though note that `express@4.0.0` will not be downloaded until it's actually needed by somebody. And if npmjs.org is offline, the server will say that only `express@4.0.1` (what's in the cache) is published, but nothing else.
### Override public packages {#override-public-packages}
If you want to use a modified version of some public package `foo`, you can just publish it to your local server, so when your type `npm install foo`, **it'll consider installing your version**.
There's two options here:
1. You want to create a separate **fork** and stop synchronizing with public version.
If you want to do that, you should modify your configuration file so Verdaccio won't make requests regarding this package to npmjs anymore. Add a separate entry for this package to `config.yaml` and remove `npmjs` from `proxy` list and restart the server.
```yaml
packages:
"@my-company/*":
access: $all
publish: $authenticated
# comment it out or leave it empty
# proxy:
```
When you publish your package locally, **you should probably start with a version string higher than the existing package** so it won't conflict with that package in the cache.
2. You want to temporarily use your version, but return to the public one as soon as it's updated.
In order to avoid version conflicts, **you should use a custom pre-release suffix of the next patch version**. For example, if a public package has version 0.1.2, you can upload `0.1.3-my-temp-fix`.
```bash
npm version 0.1.3-my-temp-fix
npm publish --tag fix --registry http://localhost:4873
```
This way your package will be used until its original maintainer updates his public package to `0.1.3`.
## Security {#security}
> Security starts in your environment.
<iframe width="560" height="315" src="https://www.youtube.com/embed/qTRADSp3Hpo?enablejsapi=1" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
Additional reading:
- **[10 npm Security Best Practices](https://snyk.io/blog/ten-npm-security-best-practices/)** and following the steps outlined there.
- **[Avoiding npm substitution attacks](https://github.blog/2021-02-12-avoiding-npm-substitution-attacks/)**
- **[Dependency Confusion: When Are Your npm Packages Vulnerable?](https://blog.includesecurity.com/2021/02/dependency-confusion-when-are-your-npm-packages-vulnerable/)**
- **[Practical Mitigations For Dependency Confusion Attack](https://www.kernelcrypt.com/posts/depedency-confusion-explained/)**
> Feel free to attach here new useful articles to improve the security.
### Strong package access with `$authenticated` {#strong-package-access-with-authenticated}
By default all packages you publish in Verdaccio are accessible for all users. We recommend protecting your registry from external non-authorized users by updating the `access` property of your packages to `$authenticated`.
```yaml
packages:
"@my-company/*":
access: $authenticated
publish: $authenticated
"@*/*":
access: $authenticated
publish: $authenticated
"**":
access: $authenticated
publish: $authenticated
```
That way, **nobody can access your registry unless they are authorized, and private packages won't be displayed in the web interface**.
### Remove `proxy` to increase security at private packages {#remove-proxy-to-increase-security-at-private-packages}
After a clean installation, by default all packages will be resolved to the default uplink (the public registry `npmjs`).
```yaml
packages:
"@*/*":
access: $authenticated
publish: $authenticated
proxy: npmjs
"**":
access: $authenticated
publish: $authenticated
proxy: npmjs
```
This means that even if a private package like `@my-company/auth` is published locally, the server will look up at the public registry. If that's not your intention, remove the `proxy` property and use a configuration like this one:
```yaml
packages:
"@my-company/*":
access: $authenticated
publish: $authenticated
unpublish: $authenticated
"@*/*":
access: $authenticated
publish: $authenticated
proxy: npmjs
"**":
access: $authenticated
publish: $authenticated
proxy: npmjs
```
This will **avoid downloading tarballs, and merge metadata needlessly from external registries**.
## Server {#server}
### Secured Connections {#secured-connections}
Using **HTTPS** is a common recommendation. For this reason we recommend reading the [SSL](ssl.md) section to make Verdaccio secure, or alternatively using an HTTPS [reverse proxy](reverse-proxy.md) on top of Verdaccio.
### Expiring Tokens {#expiring-tokens}
Since `verdaccio@3.x` the tokens have no expiration date. For such reason we introduced in the next `verdaccio@4.x` the JWT feature [PR#896](https://github.com/verdaccio/verdaccio/pull/896)
```yaml
security:
api:
jwt:
sign:
expiresIn: 15d
notBefore: 0
web:
sign:
expiresIn: 1h
```
**Using this configuration will override the current system and you will be able to control how long the token will live**.
Using JWT also improves the performance with authentication plugins. The old system will perform an unpackage and validate the credentials on every request, while JWT will rely on the token signature instead, avoiding the overhead for the plugin.
As a side note, be aware at **npmjs** and the **legacy** verdaccio token never expires\*\* unless you invalidate manually.
### Rate Limit {#rate-limit}
Since version `v5.4.0` critical endpoints have enabled by default rate limit. The following commands are considered user endpoints:
- `npm token` all variants
- `npm login/adduser`
- `npm profile` all supported variants
- User website `/sec/login` endpoint.
The previous list of endpoints are limited to `100` request peer _15 minutes_ which is enough for a basic usage, if you need to increase this levels please check the `userRateLimit` configuration options.
```yaml
userRateLimit:
windowMs: 50000 <- (minutes * 60 * 1000)
max: 1000 (number of request peer windowMs)
```
The website endpoints as, _search_, _packages_, _sidebar_, and _detail_ are protected by default to 5,000 request peer 2 minutes, also configurable via web ui options.
We recommend customize this values to those that addapt your needs to avoid any kind of (DDoS) or _brute-force_ attack to the critical endpoints.
> The CLI API endpoints used by eg `npm install` are not limited at this point since are not considered critical, but if you find any good reason please open a discussion.

77
website/versioned_docs/version-5.x/caching.md Normal file
View File

@ -0,0 +1,77 @@
---
id: caching
title: "Caching strategies"
---
Verdaccio caches all packages by default into the `/storage` folder. But you can decide whether you want to follow
a different strategy. Using of plugins you might use the cloud or any sort of database.
## Caching scenarios {#caching-scenarios}
* Build a Node.js project on **Continuous Integration** (Bamboo, GitLab, Jenkins, etc) servers is a task that might take several times at a day, thus, the server will download tons of tarballs from the registry every time takes place. As usual, the CI tools clear the cache after each build and the process start over and over again. That is a waste of bandwidth and reduces the external traffic.
**You can use Verdaccio for caching tarballs and metadata in our internal network and give a boost in your build time.**
* **Latency and Connectivity**, not all countries enjoy a high-speed connection. For such reason cache packages locally in your network
is really handy. Either if you are traveling, or have a weak connection, roaming or countries with strong Firewalls that might affect the user experience (eg: corrupting tarballs).
* **Offline Mode**, all Node Package Managers nowadays uses their own internal cache, but it common that different projects might use
different tools, which implies lock files and so on. Those tools are unable to share cache, the unique solution is centralized and relies on
a proxy registry, Verdaccio cache all metadata and tarballs are downloaded by demand being able to share them across all your project.
* Avoid that any remote registry suddenly returns *HTTP 404* error for tarballs were previously available a.k.a ([left-pad issue](https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/)).
# Strategies for faster builds
> We are looking for more strategies, feel free to share your experience in this field
## Avoid Caching tarballs {#avoid-caching-tarballs}
If you have a limited storage space, you might need to avoid cache tarballs, enabling `cache` false in each
uplink will cache only metadata files.
```
uplinks:
npmjs:
url: https://registry.npmjs.org/
cache: false
```
## Extending Cache Expiration Time {#extending-cache-expiration-time}
Verdaccio by default waits 2 minutes to invalidate the cache metadata before fetching new information from the remote registry.
```yaml
uplinks:
npmjs:
url: https://registry.npmjs.org/
maxage: 30m
```
Increasing the value of `maxage` in each `uplink` remotes will be asked less frequently. This might be a valid strategy if
you don't update dependencies so often.
## Using the memory instead the hardrive {#using-the-memory-instead-the-hardrive}
Sometimes caching packages is not a critical step, rather than route packages from different registries and achieving
faster build times. There are two plugins that avoid write in a physical hard drive at all using the memory.
```bash
npm install -g verdaccio-auth-memory
npm install -g verdaccio-memory
```
The configuration looks like this
```yaml
auth:
auth-memory:
users:
foo:
name: test
password: test
store:
memory:
limit: 1000
```
Remember, once the server is restarted the data is being lost, we recommend this setup in cases where you do not
need to persist at all.

17
website/versioned_docs/version-5.x/chef.md Normal file
View File

@ -0,0 +1,17 @@
---
id: chef
title: "Chef Cookbook"
---
Using Chef Cookbook for Verdaccio
For further information:
* [https://github.com/verdaccio/verdaccio-cookbook](https://github.com/verdaccio/verdaccio-cookbook)
* [https://supermarket.chef.io/cookbooks/verdaccio](https://supermarket.chef.io/cookbooks/verdaccio)
> We are looking for contributors for this repository, if you are interested please notify the author via tickets.
Author: [Keli Grubb](https://github.com/kgrubb) && Barthelemy Vessemont.

14
website/versioned_docs/version-5.x/ci.md Normal file
View File

@ -0,0 +1,14 @@
---
id: ci
title: "Continuous Integration"
---
Verdaccio can be used with continuous integration (CI) platforms to install or publish packages.
When using NPM to install a private package in a CI environment for the first time, you may run
into some issues. The `npm login` command is designed to be used interactively. This poses an
issue in CI, scripts, etc. Below are some articles detailing how to use `npm login` on different
CI platforms.
- [Travis CI](https://remysharp.com/2015/10/26/using-travis-with-private-npm-deps)
- [Circle CI](https://circleci.com/docs/deploy-to-npm-registry)
- [GitHub Actions](https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages)

10
website/versioned_docs/version-5.x/cli-registry.md Normal file
View File

@ -0,0 +1,10 @@
---
id: cli-registry
title: "Using a private registry"
---
Setting up a private registry is quite easy on all major Package managers and can be achieved in a few different ways depenging on your goals. The following links details how you can achieve this goal for each major package manager.
* [npm](setup-npm.md)
* [yarn](setup-yarn.md)
* [pnpm](setup-pnpm.md)

45
website/versioned_docs/version-5.x/cli.md Normal file
View File

@ -0,0 +1,45 @@
---
id: cli
title: "Command Line Tool"
---
The Verdaccio CLI is your tool to start and stop the application.
## Commands {#commands}
```bash
verdaccio --listen 4000 --config ~./config.yaml
```
Command | Default | Example | Description
--- | --- | --- | ---
--listen \ **-l** | http:localhost:4873 | 7000 | Define protocol + host + port ([formats](https://github.com/verdaccio/verdaccio/blob/08c36e688e8635733f92080eb3598239d43259cb/packages/node-api/src/cli-utils.ts#L7-L16))
--config \ **-c** | ~/.local/verdaccio/config.yaml | ~./config.yaml | Set location of the configuration file
--info \ **-i** | | | Print local environment information
--version \ **-v** | | | Show version information
## Default config file location {#default-config-file-location}
To locate the home directory, we rely on **$XDG_DATA_HOME** as a first choice and for Windows environments we look for the [APPDATA environment variable](https://www.howtogeek.com/318177/what-is-the-appdata-folder-in-windows/).
## Config file format {#config-file-format}
Config files should be YAML, JSON or a NodeJS module. YAML format is detected by parsing config file extension (yaml or yml, case insensitive).
## Default storage location {#default-storage-location}
We use the **$XDG_DATA_HOME** environment by variable default to locate the storage by default which [should be the same](https://askubuntu.com/questions/538526/is-home-local-share-the-default-value-for-xdg-data-home-in-ubuntu-14-04) as $HOME/.local/share.
If you are using a custom storage, this location is irrelevant.
## Default database file location {#default-database-file-location}
The default database file location is in the storage location.
Starting with version 4.0.0, the database file name will be **.verdaccio-db.json** for a new installation of Verdaccio.
When upgrading an existing Verdaccio server, the file name will remain **.sinopia-db.json**.
## Environment variables {#environment-variables}
[Full list of environment variables](https://github.com/verdaccio/verdaccio/blob/master/docs/env.variables.md).
* `VERDACCIO_HANDLE_KILL_SIGNALS` to enable gracefully shutdown (since v4.12.0)

311
website/versioned_docs/version-5.x/config.md Normal file
View File

@ -0,0 +1,311 @@
---
id: configuration
title: "Configuration File"
---
This file is the cornerstone of Verdaccio where you can modify the default behaviour, enable plugins and extend features.
A default configuration file `config.yaml` is created the very first time you run `verdaccio`.
## Default Configuration {#default-configuration}
The default configuration has support for **scoped** packages and allows any user to **access** all packages, but only authenticated users to **publish**.
```yaml
storage: ./storage
auth:
htpasswd:
file: ./htpasswd
uplinks:
npmjs:
url: https://registry.npmjs.org/
packages:
"@*/*":
access: $all
publish: $authenticated
proxy: npmjs
"**":
proxy: npmjs
log: { type: stdout, format: pretty, level: http }
```
## Sections {#sections}
The following sections explain what each property means and their different options.
### Storage {#storage}
Is the location of the default storage. **Verdaccio is by default based on local file system**.
```yaml
storage: ./storage
```
> Released at v5.6.0: The environment variable `VERDACCIO_STORAGE_PATH` could be used to replace the location of the storage (only for the default storage, does not apply to plugins unless it is implemented independently).
### Plugins {#plugins}
Is the location of the plugin directory. Useful for Docker/Kubernetes-based deployments.
```yaml
plugins: ./plugins
```
### Authentication {#authentication}
The authentication setup is done here. The default auth is based on `htpasswd` and is built in. You can modify this behaviour via [plugins](plugins.md). For more information about this section read the [auth page](auth.md).
```yaml
auth:
htpasswd:
file: ./htpasswd
max_users: 1000
```
### Security {#security}
<small>Since: `verdaccio@4.0.0` [#168](https://github.com/verdaccio/verdaccio/pull/168)</small>
The security block allows you to customise the token signature. To enable a new [JWT (JSON Web Tokens)](https://jwt.io/) signature you need to add the block `jwt` to the `api` section; `web` uses `jwt` by default.
The configuration is separated in two sections, `api` and `web`. To use JWT on `api` it has to be defined, otherwise the legacy token signature (`aes192`) will be used. For JWT you might want to customize the [signature](https://github.com/auth0/node-jsonwebtoken#jwtsignpayload-secretorprivatekey-options-callback) and the token [verification](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback) with your own properties.
```
security:
api:
legacy: true
jwt:
sign:
expiresIn: 29d
verify:
someProp: [value]
web:
sign:
expiresIn: 1h # 1 hour by default
verify:
someProp: [value]
```
> We highly recommend move to JWT since legacy signature (`aes192`) is deprecated and will disappear in future versions.
### Server {#server}
A set of properties to modify the behavior of the server application, specifically the API (Express.js).
> You can specify HTTP/1.1 server keep alive timeout in seconds for incomming connections.
> A value of 0 makes the http server behave similarly to Node.js versions prior to 8.0.0, which did not have a keep-alive timeout.
> WORKAROUND: Through given configuration you can workaround following issue https://github.com/verdaccio/verdaccio/issues/301. Set to 0 in case 60 is not enough.
```yaml
server:
keepAliveTimeout: 60
```
### Web UI {#web-ui}
This property allow you to modify the look and feel of the web UI. For more information about this section read the [web UI page](web.md).
```yaml
web:
enable: true
title: Verdaccio
logo: logo.png
scope:
```
### Uplinks {#uplinks}
Uplinks add the ability to fetch packages from remote registries when those packages are not available locally. For more information about this section read the [uplinks page](uplinks.md).
```yaml
uplinks:
npmjs:
url: https://registry.npmjs.org/
```
### Packages {#packages}
This section allows you to control how packages are accessed. For more information about this section read the [packages page](packages.md).
```yaml
packages:
"@*/*":
access: $all
publish: $authenticated
proxy: npmjs
```
## Advanced Settings {#advanced-settings}
### Offline Publish {#offline-publish}
By default `verdaccio` does not allow you to publish packages when the client is offline. This can be can be overridden by setting this value to _true_.
```yaml
publish:
allow_offline: false
```
<small>Since: `verdaccio@2.3.6` due [#223](https://github.com/verdaccio/verdaccio/pull/223)</small>
### URL Prefix {#url-prefix}
The prefix is intended to be used when the server runs behinds the proxy and won't work properly if is used without a reverse proxy, check the **reverse proxy setup** page for more details.
The internal logic builds correctly the public url, validates the `host` header and and bad shaped `url_prefix`.
eg: `url_prefix: /verdaccio`, `url_prefix: verdaccio/`, `url_prefix: verdaccio` would be `/verdaccio/`
```yaml
url_prefix: /verdaccio/
```
The new `VERDACCIO_PUBLIC_URL` is intended to be used behind proxies, this variable will be used for:
- Used as base path to serve UI resources as (js, favicon, etc)
- Used on return metadata `dist` base path
- Ignores `host` and `X-Forwarded-Proto` headers
- If `url_prefix` is defined would be appened to the env variable.
```
VERDACCIO_PUBLIC_URL='https://somedomain.org';
url_prefix: '/my_prefix'
// url -> https://somedomain.org/my_prefix/
VERDACCIO_PUBLIC_URL='https://somedomain.org';
url_prefix: '/'
// url -> https://somedomain.org/
VERDACCIO_PUBLIC_URL='https://somedomain.org/first_prefix';
url_prefix: '/second_prefix'
// url -> https://somedomain.org/second_prefix/'
```
### User Agent {#user-agent}
<small>Since: `verdaccio@5.4.0`</small>
The user agent is disabled by default, in exchange the user agent client (package manager, browser, etc ...) is being bypassed to the remote. To enable the previous behaviour use boolean values.
```yaml
user_agent: true
user_agent: false
user_agent: 'custom user agent'
```
### User Rate Limit {#user-rate-limit}
<small>Since: [verdaccio@5.4.0](https://github.com/verdaccio/verdaccio/releases/tag/v5.4.0)</small>
Add default rate limit to user endpoints, `npm token`, `npm profile`, `npm loding/adduser` and login website to 100 request peer 15 min, customizable via:
```
userRateLimit:
windowMs: 50000
max: 1000
```
Additonal configuration (only feature flags) is also possible via the [middleware docs](https://github.com/nfriedly/express-rate-limit/#configuration-options).
### Max Body Size {#max-body-size}
By default the maximum body size for a JSON document is `10mb`, if you run into errors that state `"request entity too large"` you may increase this value.
```yaml
max_body_size: 10mb
```
### Listen Port {#listen-port}
`verdaccio` runs by default on the port `4873`. Changing the port can be done via [CLI](cli.md) or in the configuration file. The following options are valid:
```yaml
listen:
# - localhost:4873 # default value
# - http://localhost:4873 # same thing
# - 0.0.0.0:4873 # listen on all addresses (INADDR_ANY)
# - https://example.org:4873 # if you want to use https
# - "[::1]:4873" # ipv6
# - unix:/tmp/verdaccio.sock # unix socket
```
### HTTPS {#https}
To enable `https` in `verdaccio` it's enough to set the `listen` flag with the protocol _https://_. For more information about this section read the [SSL page](ssl.md).
```yaml
https:
key: ./path/verdaccio-key.pem
cert: ./path/verdaccio-cert.pem
ca: ./path/verdaccio-csr.pem
```
### Proxy {#proxy}
Proxies are special-purpose HTTP servers designed to transfer data from remote servers to local clients.
#### http_proxy and https_proxy {#http_proxy-and-https_proxy}
If you have a proxy in your network you can set a `X-Forwarded-For` header using the following properties:
```yaml
http_proxy: http://something.local/
https_proxy: https://something.local/
```
#### no_proxy {#no_proxy}
This variable should contain a comma-separated list of domain extensions that the proxy should not be used for.
```yaml
no_proxy: localhost,127.0.0.1
```
### Notifications {#notifications}
Enabling notifications to third-party tools is fairly easy via webhooks. For more information about this section read the [notifications page](notifications.md).
```yaml
notify:
method: POST
headers: [{ "Content-Type": "application/json" }]
endpoint: https://usagge.hipchat.com/v2/room/3729485/notification?auth_token=mySecretToken
content: '{"color":"green","message":"New package published: * {{ name }}*","notify":true,"message_format":"text"}'
```
> For more detailed configuration settings, please [check the source code](https://github.com/verdaccio/verdaccio/tree/master/packages/config/src/conf).
### Audit {#audit}
<small>Since: `verdaccio@3.0.0`</small>
`npm audit` is a new command released with [npm 6.x](https://github.com/npm/npm/releases/tag/v6.1.0). Verdaccio includes
a built-in middleware plugin to handle this command.
> If you have a new installation it comes by default, otherwise you need to add the following props to your config file
```yaml
middlewares:
audit:
enabled: true
```
### Experiments {#experiments}
This release includes a new property named `experiments` that can be placed in the `config.yaml` and is completely optional.
We want to be able to ship new things without affecting production environments. This flag allows us to add new features and get feedback from the community who decides to use them.
The features under this flag might not be stable or might be removed in future releases.
Here is one example:
```yaml
experiments:
changePassword: false
```
> To disable the experiments warning in the console, you must comment out the whole `experiments` section.

71
website/versioned_docs/version-5.x/dev-plugins.md Normal file
View File

@ -0,0 +1,71 @@
---
id: dev-plugins
title: "Developing Plugins"
---
There are many ways to extend `verdaccio`, the kind of plugins supported are:
* [Authentication](plugin-auth.md)
* [Middleware](plugin-middleware.md)
* [Storage](plugin-storage.md)
* Theme
* Filter plugins
> We recommend developing plugins using our [TypeScript type definitions](https://github.com/verdaccio/monorepo/tree/9.x/core/types).
# Other plugins
The following plugins are valid and in process of incubation.
## Theme Plugin {#theme-plugin}
The plugin must return a function that returns a **string**. The string should be the absolute location of the root of your user interface.
### API {#api}
```javascript
const path = require('path');
module.exports = (...arguments) => {
return path.join(__dirname, 'static');
};
```
It is imporant that the name of the plugin **must start with `verdaccio-theme-` prefix**.
### Theme Example {#theme-example}
* [@verdaccio/ui-theme](https://github.com/verdaccio/ui): The default Verdaccio theme based in React.js.
## Filter Plugin {#filter-plugin}
Since [`4.1.0`](https://github.com/verdaccio/verdaccio/pull/1313)
Filter plugins were introduced due a [request](https://github.com/verdaccio/verdaccio/issues/818) in order
to be able to filter metadata from uplinks.
More [info in the PR](https://github.com/verdaccio/verdaccio/pull/1161).
```yaml
filters:
storage-filter-blackwhitelist:
filter_file: /path/to/file
```
### API {#api-1}
The method `filter_metadata` will allow you to filter metadata that comes from any uplink, it is `Promise` based
and has to return the same metadata modified.
> Do not remove properties from the metadata, try to do not mutate rather return a new object.
```
interface IPluginStorageFilter<T> extends IPlugin<T> {
filter_metadata(packageInfo: Package): Promise<Package>;
}
```

245
website/versioned_docs/version-5.x/docker.md Normal file
View File

@ -0,0 +1,245 @@
---
id: docker
title: Docker
---
<iframe width="560" height="515" src="https://www.youtube.com/embed/zRI0skF1f8I" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
To pull the latest pre-built [docker image](https://hub.docker.com/r/verdaccio/verdaccio/):
```bash
docker pull verdaccio/verdaccio
```
![Docker pull](/img/docker_verdaccio.gif)
## Tagged Versions {#tagged-versions}
![alt Docker Pulls Count](https://dockeri.co/image/verdaccio/verdaccio "Docker Pulls Count")
Since version `v2.x` you can pull docker images by [tag](https://hub.docker.com/r/verdaccio/verdaccio/tags/), as follows:
For a major version:
```bash
docker pull verdaccio/verdaccio:4
```
For a minor version:
```bash
docker pull verdaccio/verdaccio:4.0
```
For a specific (patch) version:
```bash
docker pull verdaccio/verdaccio:4.0.0
```
> If you are interested on a list of tags, [please visit the Docker Hub website](https://hub.docker.com/r/verdaccio/verdaccio/tags/).
## Running Verdaccio using Docker {#running-verdaccio-using-docker}
To run the docker container:
```bash
docker run -it --rm --name verdaccio -p 4873:4873 verdaccio/verdaccio
```
The last argument defines which image to use.
The above line will pull the latest prebuilt image from dockerhub, if you haven't done that already.
If you have [build an image locally](#build-your-own-docker-image) use `verdaccio` as the last argument.
You can use `-v` to bind mount `conf`, `storage` and `plugins` to the hosts filesystem (example below).
Note that if you do mount conf like this, that you will first need to supply a copy of config.yaml in that directory; the Docker container will not start properly if this file is missing. You can copy this file initially from https://github.com/verdaccio/verdaccio/blob/5.x/conf/docker.yaml. However, note the security warnings in that file; you will definitely want to lock it down in production.
```bash
V_PATH=/path/for/verdaccio; docker run -it --rm --name verdaccio \
-p 4873:4873 \
-v $V_PATH/conf:/verdaccio/conf \
-v $V_PATH/storage:/verdaccio/storage \
-v $V_PATH/plugins:/verdaccio/plugins \
verdaccio/verdaccio
```
> if you are running in a server, you might want to add -d to run it in the background
>Note: Verdaccio runs as a non-root user (uid=10001) inside the container, if you use bind mount to override default,
you need to make sure the mount directory is assigned to the right user. In above example, you need to run `sudo chown -R 10001:65533 /path/for/verdaccio` otherwise
you will get permission errors at runtime.
[Use docker volume](https://docs.docker.com/storage/volumes/) is recommended over using bind mount.
Verdaccio 4 provides a new set of environment variables to modify either permissions, port or http protocol. Here the complete list:
Property | default | Description
--- | --- | ---
VERDACCIO_APPDIR | `/opt/verdaccio` | the docker working directory
VERDACCIO_USER_NAME | `verdaccio` | the system user
VERDACCIO_USER_UID | `10001` | the user id being used to apply folder permissions
VERDACCIO_PORT | `4873` | the verdaccio port
VERDACCIO_PROTOCOL | `http` | the default http protocol
### SELinux {#selinux}
If SELinux is enforced in your system, the directories to be bind-mounted in the container need to be relabeled. Otherwise verdaccio will be forbidden from reading those files.
```
fatal--- cannot open config file /verdaccio/conf/config.yaml: Error: CONFIG: it does not look like a valid config file
```
If verdaccio can't read files on a bind-mounted directory and you are unsure, please check `/var/log/audit/audit.log` to confirm that it's a SELinux issue. In this example, the error above produced the following AVC denial.
```
type=AVC msg=audit(1606833420.789:9331): avc: denied { read } for pid=1251782 comm="node" name="config.yaml" dev="dm-2" ino=8178250 scontext=system_u:system_r:container_t:s0:c32,c258 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
```
`chcon` can change the labels of shared files and directories. To make a directory accessible to containers, change the directory type to `container_file_t`.
```sh
$ chcon -Rt container_file_t ./conf
```
If you want to make the directory accessible only to a specific container, use `chcat` to specify a matching SELinux category.
An alternative solution is to use [z and Z flags](https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label). To add the `z` flag to the mountpoint `./conf:/verdaccio/conf` simply change it to `./conf:/verdaccio/conf:z`. The `z` flag relabels the directory and makes it accessible by every container while the `Z` flags relables the directory and makes it accessible only to that specific container. However using these flags is dangerous. A small configuration mistake, like mounting `/home/user` or `/var` can mess up the labels on those directories and make the system unbootable.
### Plugins {#plugins}
Plugins can be installed in a separate directory and mounted using Docker or Kubernetes, however make sure you build plugins with native dependencies using the same base image as the Verdaccio Dockerfile.
```docker
FROM node:lts-alpine as builder
RUN mkdir -p /verdaccio/plugins \
&& cd /verdaccio/plugins \
&& npm install --global-style --no-bin-links --omit=optional verdaccio-auth-memory@latest
FROM verdaccio/verdaccio:5
ADD docker.yaml /verdaccio/conf/config.yaml
COPY --chown=$VERDACCIO_USER_UID:root --from=builder \
/verdaccio/plugins/node_modules/verdaccio-auth-memory \
/verdaccio/plugins/verdaccio-auth-memory
```
For more information check real plugin examples with Docker in our [source code](https://github.com/verdaccio/verdaccio/tree/master/docker-examples/v5/plugins).
### Docker and custom port configuration {#docker-and-custom-port-configuration}
Any `host:port` configured in `conf/config.yaml` under `listen` **is currently ignored when using docker**.
If you want to reach Verdaccio docker instance under different port, lets say `5000`
in your `docker run` command add the environment variable `VERDACCIO_PORT=5000` and then expose the port `-p 5000:5000`.
```bash
V_PATH=/path/for/verdaccio; docker run -it --rm --name verdaccio \
-e "VERDACCIO_PORT=8080" -p 8080:8080 \
verdaccio/verdaccio
```
Of course the numbers you give to the `-p` parameter need to match.
### Using HTTPS with Docker {#using-https-with-docker}
You can configure the protocol verdaccio is going to listen on, similarly to the port configuration.
You have to overwrite the default value("http") of the `PROTOCOL` environment variable to "https", after you specified the certificates in the config.yaml.
```bash
docker run -it --rm --name verdaccio \
--env "VERDACCIO_PROTOCOL=https" -p 4873:4873
verdaccio/verdaccio
```
### Using docker-compose {#using-docker-compose}
1. Get the latest version of [docker-compose](https://github.com/docker/compose).
2. Build and run the container:
```bash
$ docker-compose up --build
```
You can set the port to use (for both container and host) by prefixing the above command with `VERDACCIO_PORT=5000 `.
```yaml
version: '3.1'
services:
verdaccio:
image: verdaccio/verdaccio
container_name: "verdaccio"
networks:
- node-network
environment:
- VERDACCIO_PORT=4873
ports:
- "4873:4873"
volumes:
- "./storage:/verdaccio/storage"
- "./config:/verdaccio/conf"
- "./plugins:/verdaccio/plugins"
networks:
node-network:
driver: bridge
```
Docker will generate a named volume in which to store persistent application data. You can use `docker inspect` or `docker volume inspect` to reveal the physical location of the volume and edit the configuration, such as:
```bash
$ docker volume inspect verdaccio_verdaccio
[
{
"Name": "verdaccio_verdaccio",
"Driver": "local",
"Mountpoint": "/var/lib/docker/volumes/verdaccio_verdaccio/_data",
"Labels": null,
"Scope": "local"
}
]
```
## Build your own Docker image {#build-your-own-docker-image}
```bash
docker build -t verdaccio .
```
There is also an npm script for building the docker image, so you can also do:
```bash
yarn run build:docker
```
Note: The first build takes some minutes to build because it needs to run `npm install`,
and it will take that long again whenever you change any file that is not listed in `.dockerignore`.
Please note that for any of the above docker commands you need to have docker installed on your machine and the docker executable should be available on your `$PATH`.
## Docker Examples {#docker-examples}
There is a separate repository that hosts multiple configurations to compose Docker images with `verdaccio`, for instance, as reverse proxy:
[https://github.com/verdaccio/docker-examples](https://github.com/verdaccio/verdaccio/tree/master/docker-examples)
## Docker Custom Builds {#docker-custom-builds}
> If you have made an image based on Verdaccio, feel free to add it to this list.
* [docker-verdaccio-multiarch](https://github.com/hertzg/docker-verdaccio-multiarch) Multiarch image mirrors
* [docker-verdaccio-gitlab](https://github.com/snics/docker-verdaccio-gitlab)
* [docker-verdaccio](https://github.com/deployable/docker-verdaccio)
* [docker-verdaccio-s3](https://github.com/asynchrony/docker-verdaccio-s3) Private NPM container that can backup to s3
* [docker-verdaccio-ldap](https://github.com/snadn/docker-verdaccio-ldap)
* [verdaccio-ldap](https://github.com/nathantreid/verdaccio-ldap)
* [verdaccio-compose-local-bridge](https://github.com/shingtoli/verdaccio-compose-local-bridge)
* [docker-verdaccio](https://github.com/Global-Solutions/docker-verdaccio)
* [verdaccio-docker](https://github.com/idahobean/verdaccio-docker)
* [verdaccio-server](https://github.com/andru255/verdaccio-server)
* [coldrye-debian-verdaccio](https://github.com/coldrye-docker/coldrye-debian-verdaccio) docker image providing verdaccio from coldrye-debian-nodejs.
* [verdaccio-github-oauth-ui](https://github.com/n4bb12/verdaccio-github-oauth-ui/blob/master/Dockerfile)

103
website/versioned_docs/version-5.x/e2e.md Normal file
View File

@ -0,0 +1,103 @@
---
id: e2e
title: "End to End testing"
---
### Testing the integrity of React components by publishing in a private registry
> The final stage of a react component is when it is being published and distributed. How can I ensure my packages wont crash in production? This talk will help you to test your React components by publishing them to a private registry and running End-to-End tests against them.
<iframe width="300" height="600" src="https://www.youtube.com/embed/bRKZbrlQqLY" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
- [Slides](https://docs.google.com/presentation/d/1a2xkqj1KlUayR1Bva1bVYvavwOPVuLplxFtup9MI_U4/edit?usp=sharing)
- [Demo](https://github.com/juanpicado/verdaccio-end-to-end-tests)
## End to End and Verdaccio
Some projects organize packages in multi-packages repositories or [monorepos](https://github.com/babel/babel/blob/master/doc/design/monorepo.md). End to End testing is a topic that usually is only relevant for User Interfaces, but from a Node.js perspective, **publishing packages also need to be tested**.
Such approach has been really hard to achieve considering:
* Populate canary packages on public services seems not to be a good idea
* Some self-hosted OSS registries are too heavy
* Offline environments (private networks)
**Verdaccio** is a lightweight registry with zero-configuration that **fits perfectly in any E2E + CI workflow**.
## Implementation {#implementation}
There is no a silver bullet yet, each implementation seems to be specific for each project, you can check some of them in
the following thread [clicking here](https://stackoverflow.com/a/50222427/308341).
## Examples in Open Source
The following projects have examples using Verdaccio in Open Source
### Bash Examples
* [Babel.js](https://github.com/babel/babel) *(+35k ⭐️)*
* [Docusaurus](https://github.com/facebook/docusaurus) *(+31k ⭐️)*
* [create-react-app](https://github.com/facebook/create-react-app/blob/master/CONTRIBUTING.md#contributing-to-e2e-end-to-end-tests) *(+73.5k ⭐️)*
* [Uppy](https://github.com/transloadit/uppy) *(+21k ⭐️)*
* [ethereum/web3.js](https://github.com/ethereum/web3.js) *(+8k ⭐️)*
* [adobe react-spectrum](https://github.com/adobe/react-spectrum/pull/2432) *(+6k ⭐️)*
* [Mozilla Neutrino](https://github.com/neutrinojs/neutrino) *(+3k ⭐️)*
This is the most simple example using Verdaccio in a bash script (extracted from *create-react-app*).
```bash
#!/bin/sh
set -e
local_registry="http://0.0.0.0:4873"
# start local registry
tmp_registry_log=`mktemp`
sh -c "mkdir -p $HOME/.config/verdaccio"
sh -c "cp --verbose /config.yaml $HOME/.config/verdaccio/config.yaml"
sh -c "nohup verdaccio --config $HOME/.config/verdaccio/config.yaml &>$tmp_registry_log &"
# wait for `verdaccio` to boot
grep -q 'http address' <(tail -f $tmp_registry_log)
# login so we can publish packages
sh -c "npm-auth-to-token -u test -p test -e test@test.com -r $local_registry"
# Run nmp command
sh -c "npm --registry $local_registry publish"
```
### Docker Examples
* [Hyperledger](https://github.com/hyperledger/fabric-chaincode-node)
### Programtically Examples
* [Storybook](https://github.com/storybooks/storybook) *(+44k ⭐️)*
* [Gatsby](https://github.com/gatsbyjs/gatsby) *(+40k ⭐️)
#### Verdaccio module
Via CLI:
* [Aurelia Framework](https://github.com/aurelia) *(+12k ⭐️)*
* [Netlify CLI](https://github.com/netlify/cli) *(+1k ⭐️)*
* [Embark](https://embark.status.im/) *(+3k ⭐️)*
* [Microsoft Beachball](https://github.com/microsoft/beachball)
#### Node.js `child_process` examples
* [Angular CLI](https://github.com/angular/angular-cli) *(+25k ⭐️)*
* [bit](https://github.com/teambit/bit) *(+6k ⭐️)*
* [pnpm](https://github.com/pnpm/pnpm) *(+6k ⭐️)*
* [aws-sdk cli v3](https://github.com/aws/aws-sdk-js-v3) *(+1k ⭐️)*
* [angular-eslint](https://github.com/angular-eslint/angular-eslint) *(+1k ⭐️)*
## Example repositories
- [e2e-ci-example-gh-actions](https://github.com/juanpicado/e2e-ci-example-gh-actions)
- [verdaccio-end-to-end-tests](https://github.com/juanpicado/verdaccio-end-to-end-tests)
- [verdaccio-fork](https://github.com/juanpicado/verdaccio-fork)

24
website/versioned_docs/version-5.x/github-actions.md Normal file
View File

@ -0,0 +1,24 @@
---
id: github-actions
title: "GitHub Actions"
---
With [GitHub Actions](https://github.com/features/actions) you can automate your workflow, each GitHub Action performs a specific step in a process.
![actions](/img/github-actions.png)
## Testing your packages {#testing-your-packages}
Verdaccio provides a custom action for easy integration in your flow by adding the following to your workflow file's `steps` key.
```yaml
- name: Publish with Verdaccio
uses: verdaccio/github-actions/publish@master
```
The action will perform a `npm publish` and if the publishing finishes successfully, the workflow will continue to the next step, otherwise the step will fail.
If there are any issues publishing a package you will notice using this action.
Within the image uses `verdaccio-auth-memory` and `verdaccio-memory` plugins to handle authentification and storage to speed up the process.
If you want to know more about the action, [visit our repository](https://github.com/verdaccio/github-actions) dedicated for GitHub Actions.

133
website/versioned_docs/version-5.x/how-to-deploy-on-AWS.md Normal file
View File

@ -0,0 +1,133 @@
---
id: aws
title: "Amazon Web Services"
---
This document describes simple steps to setup Verdaccio private registry on Amazon Web Services platform using EC2 service. This assumes you have already created an EC2 Amazon Linux instance; if not then please check this tutorial on [AWS EC2 Setup](https://www.howtoinmagento.com/2018/04/aws-cli-commands-for-aws-ec2-amazon.html).
## Setup & Configuration {#setup--configuration}
**Step 1:** Open SSH & Login in using your EC2 key.
**Step 2:** Install Node Version Manager (nvm) first, close and re-open the SSH using your EC2 key.
``` sudo apt update ```
``` wget -qO- https://raw.githubusercontent.com/creationix/nvm/v0.33.11/install.sh | bash ```
``` exit ```
**Step 3:** Install Node using Node Version Manager (nvm)
``` nvm install node ```
**Step 4:** Install Verdaccio & pm2, will require to run Verdaccio service in background
``` npm i -g verdaccio pm2 ```
**Step 5:** Set the verdaccio registry as a source. By default original NPM registry set.
``` npm set registry http://localhost:4873 ```
``` npm set ca null ```
**Step 6:** Run Verdaccio and stop it (ctrl+c). It will create a config file we will use.
``` verdaccio ```
**Step 7:** Now do below configuration for listening to all addresses on that server machine / EC2 instance. [(read more)](https://github.com/verdaccio/verdaccio/blob/master/conf/full.yaml)
Open and edit `config.yaml` file:
``` nano .config/verdaccio/config.yaml ``` or ``` nano ~/verdaccio/config.yaml ```
Add below lines at the end. [(read more)](https://github.com/verdaccio/verdaccio/blob/ff409ab7c05542a152100e3bc39cfadb36a8a080/conf/full.yaml#L113)
```
listen:
- 0.0.0.0:4873
```
Change below line so that only authenticated person can access our registry
``` Replace "access: $all" with "access: $authenticated" ```
(Optional) Change below line according to how many users you wish to grant access to the scoped registry
``` Replace "#max_users: 1000" with "max_users: 1" ```
There are some more parameters available to configure it. Like storage, proxy, default port change. [(read more)](https://github.com/verdaccio/verdaccio/blob/ff409ab7c05542a152100e3bc39cfadb36a8a080/conf/full.yaml#L113)
**Step 8:** Run Verdaccio in background using PM2:
``` pm2 start verdaccio ```
**Step 9:** Now, You can access your Verdaccio web UI.
The URL will look like something:
``` http://ec2-..compute.amazonaws.com:4873 ```
{or}
``` http://your-ec2-public-ip-address:4873 (You can check your EC2 instance public ip from AWS console) ```
To confirm Verdaccio's running status, run the command below:
``` pm2 list ```
To make Verdaccio launch on startup, run the commands below:
``` pm2 stop verdaccio ```
``` pm2 delete verdaccio ```
``` pm2 startup ``` This will show a command in your terminal. Copy / paste it and execute it to have pm2 make a startup service for you.
``` which verdaccio ``` Copy the path shown by this command.
``` pm2 start /home/ubuntu/.nvm/versions/node/v17.1.0/bin/verdaccio ``` (put the path you copied from command above).
``` pm2 status ``` This should show "online" on the status of verdaccio service.
``` pm2 save ``` Now when you reboot the EC2 instance, it should launch verdaccio.
**Step 10:** Registering a user in verdaccio registry
``` npm set always-auth true ```
``` npm adduser ```
It will ask for username, password and valid email id to be entered. Make a note of this details that will use later to login in verdaccio registry to publish our library.
**Step 11:** Now we are ready to use our AWS server instance work as a private registry.
Login into verdaccio registry. Enter the same username, password and email id set in above Step.
``` npm set registry http://your-ec2-public-ip-address:4873 ```
``` npm login ```
**Step 12:** Go to your custom library package path. In my case this is my Angular 7 package path -> `/libraries/dist/your-library-name/your-library-name-0.0.1.tgz`
If you like to know how to create angular 7 library/package then [(click here)](https://www.howtoinmagento.com/2019/11/how-to-create-your-first-angular-7.html)
``` cd [custom library package path] ```
**Step 13:** Finally publish our library `your-library-name-0.0.1.tgz` on verdaccio registry
``` [custom library package path] >> npm publish your-library-name-0.0.1.tgz ```
{or}
``` [custom library package path] >> npm publish ```
{or}
``` [custom library package path] >> npm publish --registry http://your-ec2-public-ip-address:4873 ```
Now browse ``` http://your-ec2-public-ip-address:4873 ``` and you will see new library package there.

128
website/versioned_docs/version-5.x/iis-server.md Normal file
View File

@ -0,0 +1,128 @@
---
id: iss-server
title: "Installing on IIS server"
---
These instructions were written for Windows Server 2016, IIS 10, [Node.js 10.15.0](https://nodejs.org/), [iisnode 0.2.26](https://github.com/Azure/iisnode) and [verdaccio 3.11.0](https://github.com/verdaccio/verdaccio).
* Install IIS Install [iisnode](https://github.com/Azure/iisnode).
Make sure you install prerequisites (Url Rewrite Module & node) as explained in the instructions for iisnode.
* Create a new folder in Explorer where you want to host verdaccio.
For example `C:\verdaccio`.
Save [package.json](#packagejson),
[start.js](#startjs)
and [web.config](#webconfig) in this folder.
* Create a new site in Internet Information Services Manager. You can name it whatever you want.
I'll call it verdaccio in these [instructions](http://www.iis.net/learn/manage/configuring-security/application-pool-identities). Specify the path to where you saved all files and a port number.
* Go back to Explorer and give the user that runs the application pool modify rights to the folder you just created. If you've named the new site verdaccio and did not change the app pool, it's running under an ApplicationPoolIdentity and you should give the user IIS AppPool\verdaccio modify rights see instructions if you need help. (You can restrict access later if you want so that it only has modify rights on the iisnode and verdaccio\storage)
* Start a command prompt and execute the commands below to download verdaccio:
````
cd c:\verdaccio
npm install
````
* Make sure you have an inbound rule accepting TCP traffic to the port in Windows Firewall
* Thats it! Now you can navigate to the host and port that you specified
I wanted the `verdaccio` site to be the default site in IIS so I did the following:
* I stopped the "Default Web Site" and only start the site "verdaccio" site in IIS
* I set the bindings to "http", ip address "All Unassigned" on port 80, ok any warning or prompts
These instructions are based on [Host Sinopia in IIS
on Windows](https://gist.github.com/HCanber/4dd8409f79991a09ac75). I had to tweak my web config as per below but you may find the original from the
for mentioned link works better
A default configuration file will be created `c:\verdaccio\verdaccio\config.yaml`
### package.json {#packagejson}
````json
{
"name": "iisnode-verdaccio",
"version": "1.0.0",
"description": "Hosts verdaccio in iisnode",
"main": "start.js",
"dependencies": {
"verdaccio": "^3.11.0"
}
}
````
### start.js {#startjs}
````bash
process.argv.push('-l', 'unix:' + process.env.PORT, '-c', './config.yaml');
require('./node_modules/verdaccio/build/lib/cli.js');
````
### Alternate start.js for Verdaccio versions < v3.0 {#alternate-startjs-for-verdaccio-versions--v30}
````bash
process.argv.push('-l', 'unix:' + process.env.PORT);
require('./node_modules/verdaccio/src/lib/cli.js');
````
### web.config {#webconfig}
````xml
<configuration>
<system.webServer>
<modules>
<remove name="WebDAVModule" />
</modules>
<!-- indicates that the start.js file is a node.js application
to be handled by the iisnode module -->
<handlers>
<remove name="WebDAV" />
<add name="iisnode" path="start.js" verb="*" modules="iisnode" resourceType="Unspecified" requireAccess="Execute" />
<add name="WebDAV" path="*" verb="*" modules="WebDAVModule" resourceType="Unspecified" requireAccess="Execute" />
</handlers>
<rewrite>
<rules>
<!-- iisnode folder is where iisnode stores it's logs. These should
never be rewritten -->
<rule name="iisnode" stopProcessing="true">
<match url="iisnode*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<action type="None" />
</rule>
<!-- Rewrite all other urls in order for verdaccio to handle these -->
<rule name="verdaccio">
<match url="/*" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<action type="Rewrite" url="start.js" />
</rule>
</rules>
</rewrite>
<!-- exclude node_modules directory and subdirectories from serving
by IIS since these are implementation details of node.js applications -->
<security>
<requestFiltering>
<hiddenSegments>
<add segment="node_modules" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
````
### Troubleshooting {#troubleshooting}
- **The web interface does not load when hosted with https as it tries to download scripts over http.**
Make sure that you have enabled `X-Forwarded-Proto` in IISNode using `enableXFF`. See [the related issue](https://github.com/verdaccio/verdaccio/issues/2003).
````
<configuration>
<system.webServer>
<iisnode enableXFF="true" />
</system.webServer>
</configuration>
````

144
website/versioned_docs/version-5.x/install.md Normal file
View File

@ -0,0 +1,144 @@
---
id: installation
title: "Installation"
---
Verdaccio is a Node.js private and proxy registry. To install it, you need a few basic prerequisites.
## Prerequisites {#prerequisites}
1. **Node.js** `v12` or higher.
2. Your favorite Node Package Manager `npm`, `pnpm` or `yarn` (classic and berry).
> We highly recommend to use the latest versions of Node Package Manager clients `> npm@6.x | yarn@1.x | | yarn@2.x | pnpm@6.x`. Don't support `npm@5.x` or older.
3. A modern web browser to run the web interface. We actually support `Chrome, Firefox, Edge`.
> Verdaccio will support latest Node.js version according the [Node.js Release Working Group](https://github.com/nodejs/Release) recomendations.
Are you still using **Verdaccio 4**?. Check the [migration guide](https://verdaccio.org/blog/2021/04/14/verdaccio-5-migration-guide).
### Quick Introduction {#quick-introduction}
Learn the basics before getting started, how to install, where is the location of the configuration file and more.
<iframe width="560" height="515" src="https://www.youtube.com/embed/hDIFKzmoCaA" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
## Installing the CLI {#installing-the-cli}
> Before using Verdaccio in production, please read and be [aware of the best practices](best-practices.md).
`Verdaccio` must be installed globally using either of the following methods:
Using `npm`
```bash
npm install --location=global verdaccio
```
or using `yarn`
```bash
yarn global add verdaccio
```
or using `pnpm`
```bash
pnpm install -g verdaccio
```
![install verdaccio](/img/install_verdaccio.gif)
### Next major release (verdaccio 6 alpha) {#next-major-release}
Next [major release is under development](https://github.com/verdaccio/verdaccio/discussions/2970), byt can try it out already, either for testing purposes or helping to catch any possible bug, if you find something report it under the label [6.x bugs](https://github.com/verdaccio/verdaccio/labels/6.x%20bugs).
```bash
npm install --location=global verdaccio@6-next
```
or with the docker image
```bash
docker pull verdaccio/verdaccio:nightly-master
```
> The docker image `verdaccio/verdaccio:nightly-master` is alinged with the latest commits in master branch, while the npmjs version has a longer release cycle. **It is highly recommended don't use alpha versions for production**.
## Basic Usage {#basic-usage}
Once it has been installed, you only need to execute the CLI command:
```bash
$> verdaccio
warn --- config file - /home/.config/verdaccio/config.yaml
warn --- http address - http://localhost:4873/ - verdaccio/5.0.0
```
For more information about the CLI, please [read the cli section](cli.md).
You can set the registry by using the following command.
```bash
npm set registry http://localhost:4873/
```
you can pass a `--registry` flag when needed.
```bash
npm install --registry http://localhost:4873
```
define in your `.npmrc` a `registry` field.
```bash title=".npmrc"
registry=http://localhost:4873
```
Or a `publishConfig` in your `package.json`
```json
{
"publishConfig": {
"registry": "http://localhost:4873"
}
}
```
For alternative configurations, please read the [Using a private registry](cli-registry.md) section.
## Create Your Own Private NPM Package Tutorial {#create-your-own-private-npm-package-tutorial}
If you'd like a broader explanation, don't miss the tutorial created by [thedevlife](https://mybiolink.co/thedevlife) on how to Create Your Own Private NPM Package using Verdaccio.
<iframe width="560" height="315" src="https://www.youtube.com/embed/Co0RwdpEsag?enablejsapi=1" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
## Docker Image {#docker-image}
```bash
docker run -it --rm --name verdaccio -p 4873:4873 verdaccio/verdaccio
```
`Verdaccio` has an official docker image you can use, and in most cases, the default configuration is good enough. For more information about how to install the official image, [read the docker section](docker.md), furthermore you can learn more about combining Docker images in our [docker-examples](https://github.com/verdaccio/verdaccio/tree/master/docker-examples) repository.
## Helm Chart {#helm-chart}
```bash
$ helm repo add verdaccio https://charts.verdaccio.org
$ helm repo update
$ helm install verdaccio/verdaccio
```
## Cloudron {#cloudron}
`Verdaccio` is also available as a 1-click install on [Cloudron](https://cloudron.io)
[![Install](https://cloudron.io/img/button.svg)](https://cloudron.io/button.html?app=org.eggertsson.verdaccio)
## Heroku with Docker
For easy deployment you could use [Heroku](https://www.heroku.com/home), the _free_ dyno tier allows you to test their platform using a Docker container, check this example.
[https://github.com/juanpicado/verdaccio-heroku-example](https://github.com/juanpicado/verdaccio-heroku-example)

138
website/versioned_docs/version-5.x/kubernetes.md Normal file
View File

@ -0,0 +1,138 @@
---
id: kubernetes
title: "Kubernetes"
---
You can find instructions to deploy Verdaccio on a Kubernetes cluster on the
[verdaccio/docker-example](https://github.com/verdaccio/verdaccio/tree/5.x/docker-examples/kubernetes-example)
repository. However, the recommended method to install Verdaccio on a Kubernetes
cluster is to use [Helm](https://helm.sh). Helm is a
[Kubernetes](https://kubernetes.io) package manager which bring multiple
advantages.
## Helm {#helm}
### Setup Helm {#setup-helm}
If you haven't used Helm before, you need to setup the Helm controller called
Tiller:
```bash
helm init
```
### Install {#install}
> ⚠️ If you are using this helm chart, please [be aware of the migration of the repository](https://github.com/verdaccio/verdaccio/issues/1767).
Deploy the Helm [verdaccio/verdaccio](https://github.com/verdaccio/charts)
chart.
### Add repository {#add-repository}
```
helm repo add verdaccio https://charts.verdaccio.org
```
In this example we use `npm` as release name:
```bash
helm install npm verdaccio/verdaccio
```
### Deploy a specific version {#deploy-a-specific-version}
```bash
helm install npm --set image.tag=3.13.1 verdaccio/verdaccio
```
### Upgrading Verdaccio {#upgrading-verdaccio}
```bash
helm upgrade npm verdaccio/verdaccio
```
### Uninstalling {#uninstalling}
```bash
helm uninstall npm
```
**Note:** this command delete all the resources, including packages that you may
have previously published to the registry.
### Custom Verdaccio configuration {#custom-verdaccio-configuration}
You can customize the Verdaccio configuration using a Kubernetes *configMap*.
#### Prepare {#prepare}
Copy the [existing configuration](https://github.com/verdaccio/verdaccio/blob/master/conf/docker.yaml)
and adapt it for your use case:
```bash
wget https://raw.githubusercontent.com/verdaccio/verdaccio/master/packages/config/src/conf/docker.yaml -O config.yaml
```
**Note:** Make sure you are using the right path for the storage that is used for
persistency:
```yaml
storage: /verdaccio/storage/data
auth:
htpasswd:
file: /verdaccio/storage/htpasswd
```
#### Deploy the configMap {#deploy-the-configmap}
Deploy the `configMap` to the cluster
```bash
kubectl create configmap verdaccio-config --from-file ./config.yaml
```
#### Deploy Verdaccio {#deploy-verdaccio}
Now you can deploy the Verdaccio Helm chart and specify which configuration to
use:
```bash
helm install npm --set existingConfigMap=verdaccio-config verdaccio/verdaccio
```
### Authenticate with private upstreams using Helm
As of version `4.8.0` of the helm chart, a new `secretEnvVars` field has been added.
This allows you to inject sensitive values to the container via a [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/).
1. Update your Verdaccio config according to the [Uplinks](./uplinks.md#auth-property) documentation
2. Pass the secret environment variable to your values file or via `--set secretEnvVars.FOO_TOKEN=superSecretBarToken`
```yaml
# values.yaml
secretEnvVars:
FOO_TOKEN: superSecretBarToken
```
#### NGINX proxy body-size limit {#nginx-proxy-body-size-limit}
The standard k8s NGINX ingress proxy allows for 1MB for body-size which can be increased
by modifying the default deployment options according to the [documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#custom-max-body-size):
```yaml
...
annotations:
...
kubernetes.io/proxy-body-size: 20m
....
...
```
## Rancher Support {#rancher-support}
[Rancher](http://rancher.com/) is a complete container management platform that makes managing and using containers in production really easy.
* [verdaccio-rancher](https://github.com/lgaticaq/verdaccio-rancher)

98
website/versioned_docs/version-5.x/linking.md Normal file
View File

@ -0,0 +1,98 @@
---
id: linking-remote-registry
title: "Linking a Remote Registry"
---
Verdaccio is a proxy and by default [links](uplinks.md) the public registry.
```yaml
uplinks:
npmjs:
url: https://registry.npmjs.org/
```
You can link multiple registries, the following document will drive you through some helpful configurations.
## Using Associating Scope {#using-associating-scope}
The unique way to access multiple registries using the `.npmrc` is the scope feature as follows:
```
// .npmrc
registry=https://registry.npmjs.org
@mycompany:registry=http://localhost:4873
```
This approach is valid, but comes with several disadvantages:
* It **only works with scopes**
* Scope must match, **no Regular Expressions are allowed**
* One scope **cannot fetch from multiple registries**
* Tokens/passwords **must be defined within** `.npmrc` and checked in into the repo.
See a full example [here](https://stackoverflow.com/questions/54543979/npmrc-multiple-registries-for-the-same-scope/54550940#54550940).
## Linking a Registry {#linking-a-registry}
Linking a registry is fairly simple. First, define a new section in the `uplinks` section. Note, the order here is irrelevant.
```yaml
uplinks:
private:
url: https://private.registry.net/npm
... [truncated] ...
'webpack':
access: $all
publish: $authenticated
proxy: private
```
Add a `proxy` section to define the selected registry you want to proxy.
## Linking Multiple Registries {#linking-multiple-registries}
```yaml
uplinks:
server1:
url: https://server1.registry.net/npm
server2:
url: https://server2.registry.net/npm
... [truncated] ...
'webpack':
access: $all
publish: $authenticated
proxy: server1 server2
```
Verdaccio supports multiple registries on the `proxy` field. The request will be resolved with the first in the list; if that
fails, it will try with the next in the list and so on.
## Offline Registry {#offline-registry}
Having a full Offline Registry is completely possible. If you don't want any connectivity with external remotes you
can do the following.
```yaml
auth:
htpasswd:
file: ./htpasswd
uplinks:
packages:
'@my-company/*':
access: $all
publish: none
'@*/*':
access: $all
publish: $authenticated
'**':
access: $all
publish: $authenticated
```
Remove all `proxy` fields within each section of `packages`. The registry will become full offline.

33
website/versioned_docs/version-5.x/logger.md Normal file
View File

@ -0,0 +1,33 @@
---
id: logger
title: "Logger"
---
As with any web application, Verdaccio has a customisable built-in logger. You can define multiple types of outputs.
```yaml
# console output
logs: { type: stdout, format: pretty, level: http }
```
or file output.
```yaml
# file output
logs: { type: file, path: verdaccio.log, level: info }
```
> Verdaccio 5 does not support rotation file anymore, [here more details](https://verdaccio.org/blog/2021/04/14/verdaccio-5-migration-guide#pinojs-is-the-new-logger).
Use `SIGUSR2` to notify the application, the log-file was rotated and it needs to reopen it.
Note: Rotating log stream is not supported in cluster mode. [See here](https://github.com/trentm/node-bunyan#stream-type-rotating-file)
### Configuration {#configuration}
| Property | Type | Required | Example | Support | Description |
| -------- | ------ | -------- | ---------------------------------------------- | ------- | ------------------------------------------------- |
| type | string | No | [stdout, file] | all | define the output |
| path | string | No | verdaccio.log | all | if type is file, define the location of that file |
| format | string | No | [pretty, pretty-timestamped] | all | output format |
| level | string | No | [fatal, error, warn, http, info, debug, trace] | all | verbose level |
| colors | boolean | No | false | v5.7.0 | disable or enable colors |

64
website/versioned_docs/version-5.x/logo.md Normal file
View File

@ -0,0 +1,64 @@
---
id: logo
title: "Logotype"
---
The logotype was designed by __[Breno Rodrigues](https://github.com/rodriguesbreno)__ which
won the [contest](https://github.com/verdaccio/verdaccio/issues/237)
([last stage](https://github.com/verdaccio/verdaccio/issues/328)) and donated his work to this project.
> All logos are licensed under [Creative Commons](https://github.com/verdaccio/verdaccio/blob/master/LICENSE-docs).
Special thanks to *[@Lisapressmar](https://github.com/Lisapressmar)* for her contribution
with multiple image formats and sizes.
## Symbols {#symbols}
__With text__
![symbol tiny with text](/img/logo/symbol/png/logo-small-header-bottom.png)
![symbol medium with text](/img/logo/symbol/png/logo-small-header-bottom@2x.png)
![symbol big with text](/img/logo/symbol/png/logo-small-header-bottom@3x.png)
__SVG__
![symbol svg](/img/logo/symbol/svg/logo-small-header-bottom.svg)
__No text__
![symbol tiny](/img/logo/symbol/png/verdaccio-tiny.png)
![symbol medium](/img/logo/symbol/png/verdaccio-tiny@2x.png)
![symbol big](/img/logo/symbol/png/verdaccio-tiny@3x.png)
__SVG__
![svg format symbol no text](/img/logo/symbol/svg/verdaccio-tiny.svg)
### Black&White {#blackwhite}
![symbol bw small](/img/logo/symbol/png/verdaccio-blackwhite.png)
![symbol bw medium](/img/logo/symbol/png/verdaccio-blackwhite@2x.png)
![symbol bw big](/img/logo/symbol/png/verdaccio-blackwhite@3x.png)
__SVG__
![symbol bw svg](/img/logo/symbol/svg/verdaccio-blackwhite.svg)
## Banner {#banner}
![banner small](/img/logo/banner/png/verdaccio-banner.png)
![banner medium](/img/logo/banner/png/verdaccio-banner@2x.png)
![banner big](/img/logo/banner/png/verdaccio-banner@3x.png)

82
website/versioned_docs/version-5.x/node-api.md Normal file
View File

@ -0,0 +1,82 @@
---
id: node-api
title: "Node API"
---
Verdaccio can be invoked programmatically. The Node API was introduced after version `verdaccio@3.0.0`.
## Usage {#usage}
#### Programmatically {#programmatically}
```js
const startServer = require("verdaccio").default;
let config = {
storage: "./storage",
auth: {
htpasswd: {
file: "./htpasswd"
}
},
uplinks: {
npmjs: {
url: "https://registry.npmjs.org/",
}
},
self_path: "./",
packages: {
"@*/*": {
access: "$all",
publish: "$authenticated",
proxy: "npmjs",
},
"**": {
proxy: "npmjs"
}
},
log: {
type: "stdout",
format: "pretty",
level: "http",
};
};
startServer(
config,
6000,
undefined,
"1.0.0",
"verdaccio",
(webServer, addrs) => {
webServer.listen(
addrs.port || addrs.path,
addrs.host,
() => {
console.log(`verdaccio running on : ${addrs.host}:${addrs.port}`);
}
);
}
);
```
## Other implementations {#other-implementations}
* [verdaccio-server](https://github.com/boringame/verdaccio-server) local npm registry proxy server
```js
// js
import * as verdaccioServer from "verdaccio-server";
verdaccioServer.start();
verdaccioServer.stop();
verdaccioServer.list();
verdaccioServer.stopAll();
verdaccioServer.show();
verdaccioServer.cli();
// windows .net2
verdaccioServer.serviceInstall();
verdaccioServer.serviceUninstall();
verdaccioServer.serviceStart();
verdaccioServer.serviceStop();
verdaccioServer.serviceRestart();
```

168
website/versioned_docs/version-5.x/notifications.md Normal file
View File

@ -0,0 +1,168 @@
---
id: notifications
title: "Notifications"
---
Notify was built primarily to use with Slack's Incoming
webhooks, but will also deliver a simple payload to
any endpoint. This is currently only active for the `npm publish`
command.
## Usage {#usage}
An example with a **HipChat**, **Stride** and **Google Hangouts Chat** hook:
> Verdaccio supports any API, feel free to add more examples.
#### Single notification {#single-notification}
```yaml
notify:
method: POST
headers: [{'Content-Type': 'application/json'}]
endpoint: https://usagge.hipchat.com/v2/room/3729485/notification?auth_token=mySecretToken
content: '{"color":"green","message":"New package published: * {{ name }}*","notify":true,"message_format":"text"}'
```
#### Multiple notification {#multiple-notification}
```yaml
notify:
'example-google-chat':
method: POST
headers: [{'Content-Type': 'application/json'}]
endpoint: https://chat.googleapis.com/v1/spaces/AAAAB_TcJYs/messages?key=myKey&token=myToken
content: '{"text":"New package published: `{{ name }}{{#each versions}} v{{version}}{{/each}}`"}'
'example-hipchat':
method: POST
headers: [{'Content-Type': 'application/json'}]
endpoint: https://usagge.hipchat.com/v2/room/3729485/notification?auth_token=mySecretToken
content: '{"color":"green","message":"New package published: * {{ name }}*","notify":true,"message_format":"text"}'
'example-stride':
method: POST
headers: [{'Content-Type': 'application/json'}, {'authorization': 'Bearer secretToken'}]
endpoint: https://api.atlassian.com/site/{cloudId}/conversation/{conversationId}/message
content: '{"body": {"version": 1,"type": "doc","content": [{"type": "paragraph","content": [{"type": "text","text": "New package published: * {{ name }}* Publisher name: * {{ publisher.name }}"}]}]}}'
```
## Template {#template}
We use [Handlebars](https://handlebarsjs.com/) as main template engine.
### Format Examples {#format-examples}
```
# iterate all versions
{{ name }}{{#each versions}} v{{version}}{{/each}}
# publisher and `dist-tag` package published
{{ publisher.name }} has published {{ publishedPackage }}
```
### Properties {#properties}
List of properties accesible via template
* Metadata
* Publisher (who is publishing)
* Package Published (package@1.0.0)
### Metadata {#metadata}
Package metadata that the template has access
```
{
"_id": "@test/pkg1",
"name": "@test/pkg1",
"description": "",
"dist-tags": {
"beta": "1.0.54"
},
"versions": {
"1.0.54": {
"name": "@test/pkg1",
"version": "1.0.54",
"description": "some description",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": {
"name": "Author Name",
"email": "author@domain.com"
},
"license": "MIT",
"dependencies": {
"webpack": "4.12.0"
},
"readmeFilename": "README.md",
"_id": "@ test/pkg1@1.0.54",
"_npmVersion": "6.1.0",
"_nodeVersion": "9.9.0",
"_npmUser": {},
"dist": {
"integrity": "sha512-JlXWpLtMUBAqvVZBvH7UVLhXkGE1ctmXbDjbH/l0zMuG7wVzQ7GshTYvD/b5C+G2vOL2oiIS1RtayA/kKkTwKw==",
"shasum": "29c55c52c1e76e966e706165e5b9f22e32aa9f22",
"tarball": "http://localhost:4873/@test/pkg1/-/@test/pkg1-1.0.54.tgz"
}
}
},
"readme": "# test",
"_attachments": {
"@test/pkg1-1.0.54.tgz": {
"content_type": "application/octet-stream",
"data": "H4sIAAAAAAAAE+y9Z5PjyJIgOJ ...",
"length": 33112
}
},
"time": {}
}
```
### Publisher {#publisher}
You can get access to the package publisher information in the `content` of a webhook using the `publisher` object.
See below the `publisher` object type:
```
{
name: string,
groups: string[],
real_groups: string[]
}
```
An example:
```
notify:
method: POST
headers: [{'Content-Type': 'application/json'}]
endpoint: https://usagge.hipchat.com/v2/room/3729485/notification?auth_token=mySecretToken
content: '{"color":"green","message":"New package published: * {{ name }}*. Publisher name: * {{ publisher.name }} *.","notify":true,"message_format":"text"}'
```
**Note:** it's not possible to get the publisher information if the `package.json` file already has the `publisher` property.
### Package Published {#package-published}
You can access to the package is being published with the keyword `{{publishedPackage}}` as follows.
```
{{ publisher.name }} has published {{ publishedPackage }}
```
## Configuration {#configuration}
Property | Type | Required | Support | Default | Description
--- | --- | --- | --- | --- | ---
method| string | No | all | | HTTP verb
packagePattern| string | No | all | | Only run this notification if the package name matches the regular expression
packagePatternFlags| string | No | all | | Any flags to be used with the regular expression
headers| array/object | Yes | all | | If this endpoint requires specific headers, set them here as an array of key: value objects.
endpoint| string | Yes | all | | set the URL endpoint for this call
content| string | Yes | all | | any [Handlebar](https://handlebarsjs.com/) expressions

201
website/versioned_docs/version-5.x/packages.md Normal file
View File

@ -0,0 +1,201 @@
---
id: packages
title: "Package Access"
---
This is a series of constraints that allow or restrict access to the local storage based on specific criteria.
The security constraints remain on the shoulders of the plugin being used, by default `verdaccio` uses the [htpasswd plugin](https://github.com/verdaccio/verdaccio-htpasswd). If you use a different plugin the behaviour might be different. The default plugin does not handle `allow_access` and `allow_publish` by itself, it uses an internal fallback in case the plugin is not ready for it.
For more information about permissions visit [the authentification section in the wiki](auth.md).
### Usage {#usage}
```yaml
packages:
# scoped packages
'@scope/*':
access: $all
publish: $all
proxy: server2
'private-*':
access: $all
publish: $all
proxy: uplink1
'**':
# allow all users (including non-authenticated users) to read and
# publish all packages
access: $all
publish: $all
proxy: uplink2
```
if none is specified, the default one remains
```yaml
packages:
'**':
access: $all
publish: $authenticated
```
The list internal groups handled by `verdaccio` are:
```js
'$all', '$anonymous', '@all', '@anonymous', 'all', 'undefined', 'anonymous'
```
All users receive all those set of permissions independently of is anonymous or not plus the groups provided by the plugin, in case of `htpasswd` return the username as a group. For instance, if you are logged as `npmUser` the list of groups will be.
```js
// groups without '$' are going to be deprecated eventually
'$all', '$anonymous', '@all', '@anonymous', 'all', 'undefined', 'anonymous', 'npmUser'
```
If you want to protect specific set packages under your group, you need to do something like this. Let's use a `Regex` that covers all prefixed `npmuser-` packages. We recommend using a prefix for your packages, in that way it will be easier to protect them.
```yaml
packages:
'npmuser-*':
access: npmuser
publish: npmuser
```
Restart `verdaccio` and in your console try to install `npmuser-core`.
```bash
$ npm install npmuser-core
npm install npmuser-core
npm ERR! code E403
npm ERR! 403 Forbidden: npmuser-core@latest
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/user/.npm/_logs/2017-07-02T12_20_14_834Z-debug.log
```
You can change the existing behaviour using a different plugin authentication. `verdaccio` just checks whether the user that tried to access or publish a specific package belongs to the right group.
Please note that if you set the `access` permission of a package to something that requires Verdaccio to check your identity, for example `$authenticated`, npm does not send your access key by default when fetching packages. This means all requests for downloading packages will be rejected as they are made anonymously even if you have logged in. To make npm include you access key with all requests, you should set the [always-auth](https://docs.npmjs.com/cli/v7/using-npm/config#always-auth) npm setting to true on any client machines. This can be accomplished by running:
```bash
$ npm config set always-auth=true
```
#### Set multiple groups {#set-multiple-groups}
Defining multiple access groups is fairly easy, just define them with a white space between them.
```yaml
'company-*':
access: admin internal
publish: admin
proxy: server1
'supersecret-*':
access: secret super-secret-area ultra-secret-area
publish: secret ultra-secret-area
proxy: server1
```
#### Blocking access to set of packages {#blocking-access-to-set-of-packages}
If you want to block the access/publish to a specific group of packages. Just do not define `access` and `publish`.
```yaml
packages:
'old-*':
'**':
access: $all
publish: $authenticated
```
#### Blocking proxying a set of specific packages {#blocking-proxying-a-set-of-specific-packages}
You might want to block one or several packages from fetching from remote repositories., but, at the same time, allow others to access different *uplinks*.
Let's see the following example:
```yaml
packages:
'jquery':
access: $all
publish: $all
'my-company-*':
access: $all
publish: $authenticated
'@my-local-scope/*':
access: $all
publish: $authenticated
'**':
access: $all
publish: $authenticated
proxy: npmjs
```
Let's describe what we want with the above example:
* I want to host my own `jquery` dependency but I need to avoid proxying it.
* I want all dependencies that match with `my-company-*` but I need to avoid proxying them.
* I want all dependencies that are in the `my-local-scope` scope but I need to avoid proxying them.
* I want proxying for all the rest of the dependencies.
Be **aware that the order of your packages definitions is important and always use double wilcard**. Because if you do not include it `verdaccio` will include it for you and the way that your dependencies are resolved will be affected.
#### Use multiple uplinks {#use-multiple-uplinks}
You may assign multiple uplinks for use as a proxy to use in the case of failover, or where there may be other private registries in use.
```yaml
'**':
access: $all
publish: $authenticated
proxy: npmjs uplink2
```
#### Unpublishing Packages {#unpublishing-packages}
The property `publish` handle permissions for `npm publish` and `npm unpublish`. But, if you want to be more specific, you can use the property
`unpublish` in your package access section, for instance:
```yaml
packages:
'jquery':
access: $all
publish: $all
unpublish: root
'my-company-*':
access: $all
publish: $authenticated
unpublish:
'@my-local-scope/*':
access: $all
publish: $authenticated
# unpublish: property commented out
'**':
access: $all
publish: $authenticated
proxy: npmjs
```
In the previous example, the behaviour would be described:
* all users can publish the `jquery` package, but only the user `root` would be able to unpublish any version.
* only authenticated users can publish `my-company-*` packages, but **nobody would be allowed to unpublish them**.
* If `unpublish` is commented out, the access will be granted or denied by the `publish` definition.
### Configuration {#configuration}
You can define mutiple `packages` and each of them must have an unique `Regex`. The syntax is based on [minimatch glob expressions](https://github.com/isaacs/minimatch).
Property | Type | Required | Example | Support | Description
--- | --- | --- | --- | --- | ---
access | string | No | $all | all | define groups allowed to access the package
publish | string | No | $authenticated | all | define groups allowed to publish
proxy | string | No | npmjs | all | limit look ups for specific uplink
storage | string | No | string | `/some-folder` | it creates a subfolder whithin the storage folder for each package access
> We higlight that we recommend to not use **allow_access**/**allow_publish** and **proxy_access** anymore, those are deprecated and will soon be removed, please use the short version of each of those (**access**/**publish**/**proxy**).
If you want more information about how to use the **storage** property, please refer to this [comment](https://github.com/verdaccio/verdaccio/issues/1383#issuecomment-509933674).

303
website/versioned_docs/version-5.x/plugin-auth.md Normal file
View File

@ -0,0 +1,303 @@
---
id: plugin-auth
title: "Authentication Plugin"
---
## What's an Authentication Plugin? {#whats-an-authentication-plugin}
Is a sort plugin that allows to handle who access or publish to a specific package. By default the `htpasswd` is built-in, but can
easily be replaced by your own.
## Getting Started
The authentication plugins are defined in the `auth:` section, as follows:
```yaml
auth:
htpasswd:
file: ./htpasswd
```
also multiple plugins can be chained:
```yaml
auth:
htpasswd:
file: ./htpasswd
anotherAuth:
foo: bar
bar: foo
lastPlugin:
foo: bar
bar: foo
```
> If one of the plugin in the chain is able to resolve the request, the next ones will be ignored.
## How do the authentication plugin works? {#how-do-the-authentication-plugin-works}
Basically we have to return an object with a single method called `authenticate` that will receive 3 arguments (`user, password, callback`).
On each request, `authenticate` will be triggered and the plugin should return the credentials, if the `authenticate` fails, it will fallback to the `$anonymous` role by default.
### API {#api}
```typescript
interface IPluginAuth<T> extends IPlugin<T> {
authenticate(user: string, password: string, cb: AuthCallback): void;
adduser?(user: string, password: string, cb: AuthCallback): void;
changePassword?(user: string, password: string, newPassword: string, cb: AuthCallback): void;
allow_publish?(user: RemoteUser, pkg: AllowAccess & PackageAccess, cb: AuthAccessCallback): void;
allow_access?(user: RemoteUser, pkg: AllowAccess & PackageAccess, cb: AuthAccessCallback): void;
allow_unpublish?(user: RemoteUser, pkg: AllowAccess & PackageAccess, cb: AuthAccessCallback): void;
apiJWTmiddleware?(helpers: any): Function;
}
```
> Only `adduser`, `allow_access`, `apiJWTmiddleware`, `allow_publish` and `allow_unpublish` are optional, verdaccio provide a fallback in all those cases.
#### `apiJWTmiddleware` method {#apijwtmiddleware-method}
Since `v4.0.0`
`apiJWTmiddleware` was introduced on [PR#1227](https://github.com/verdaccio/verdaccio/pull/1227) in order to have full control of the token handler, overriding this method will disable `login/adduser` support. We recommend don't implement this method unless is totally necessary. See a full example [here](https://github.com/verdaccio/verdaccio/pull/1227#issuecomment-463235068).
## What should I return in each of the methods? {#what-should-i-return-in-each-of-the-methods}
Verdaccio relies on `callback` functions at time of this writing. Each method should call the method and what you return is important, let's review how to do it.
### `authentication` callback {#authentication-callback}
Once the authentication has been executed there is 2 options to give a response to `verdaccio`.
##### If the authentication fails {#if-the-authentication-fails}
If the auth was unsuccessful, return `false` as the second argument.
```typescript
callback(null, false)
```
##### If the authentication success {#if-the-authentication-success}
The auth was successful.
`groups` is an array of strings where the user is part of.
```
callback(null, groups);
```
##### If the authentication produce an error {#if-the-authentication-produce-an-error}
The authentication service might fails, and you might want to reflect that in the user response, eg: service is unavailable.
```
import { getInternalError } from '@verdaccio/commons-api';
callback(getInternalError('something bad message), null);
```
> A failure on login is not the same as service error, if you want to notify user the credentials are wrong, just return `false` instead string of groups. The behaviour mostly depends of you.
### `adduser` callback {#adduser-callback}
##### If adduser success {#if-adduser-success}
If the service is able to create an user, return `true` as the second argument.
```typescript
callback(null, true)
```
##### If adduser fails {#if-adduser-fails}
Any other action different than success must return an error.
```typescript
import { getConflict } from '@verdaccio/commons-api';
const err = getConflict('maximum amount of users reached');
callback(err);
```
### `changePassword` callback {#changepassword-callback}
##### If the request is successful {#if-the-request-is-successful}
If the service is able to create an user, return `true` as the second argument.
```typescript
const user = serviceUpdatePassword(user, password, newPassword);
callback(null, user)
```
##### If the request fails {#if-the-request-fails}
Any other action different than success must return an error.
```typescript
import { getNotFound } from '@verdaccio/commons-api';
const err = getNotFound('user not found');
callback(err);
```
### `allow_access`, `allow_publish`, or `allow_unpublish` callback {#allow_access-allow_publish-or-allow_unpublish-callback}
These methods aims to allow or deny trigger some actions.
##### If the request success {#if-the-request-success}
If the service is able to create an user, return a `true` as the second argument.
```typescript
allow_access(user: RemoteUser, pkg: PackageAccess, cb: Callback): void {
const isAllowed: boolean = checkAction(user, pkg);
callback(null, isAllowed)
}
```
##### If the request fails {#if-the-request-fails-1}
Any other action different than success must return an error.
```typescript
import { getNotFound } from '@verdaccio/commons-api';
const err = getForbidden('not allowed to access package');
callback(err);
```
## Generate an authentication plugin {#generate-an-authentication-plugin}
For detailed info check our [plugin generator page](plugin-generator). Run the `yo` command in your terminal and follow the steps.
```
➜ yo verdaccio-plugin
Just found a `.yo-rc.json` in a parent directory.
Setting the project root at: /Users/user/verdaccio_yo_generator
_-----_ ╭──────────────────────────╮
| | │ Welcome to │
|--(o)--| │ generator-verdaccio-plug │
`---------´ │ in plugin generator! │
( _´U`_ ) ╰──────────────────────────╯
/___A___\ /
| ~ |
__'.___.'__
´ ` |° ´ Y `
? What is the name of your plugin? service-name
? Select Language typescript
? What kind of plugin you want to create? auth
? Please, describe your plugin awesome auth plugin
? GitHub username or organization myusername
? Author's Name Juan Picado
? Author's Email jotadeveloper@gmail.com
? Key your keywords (comma to split) verdaccio,plugin,auth,awesome,verdaccio-plugin
create verdaccio-plugin-authservice-name/package.json
create verdaccio-plugin-authservice-name/.gitignore
create verdaccio-plugin-authservice-name/.npmignore
create verdaccio-plugin-authservice-name/jest.config.js
create verdaccio-plugin-authservice-name/.babelrc
create verdaccio-plugin-authservice-name/.travis.yml
create verdaccio-plugin-authservice-name/README.md
create verdaccio-plugin-authservice-name/.eslintrc
create verdaccio-plugin-authservice-name/.eslintignore
create verdaccio-plugin-authservice-name/src/index.ts
create verdaccio-plugin-authservice-name/index.ts
create verdaccio-plugin-authservice-name/tsconfig.json
create verdaccio-plugin-authservice-name/types/index.ts
create verdaccio-plugin-authservice-name/.editorconfig
I'm all done. Running npm install for you to install the required dependencies. If this fails, try running the command yourself.
⸨ ░░░░░░░░░░░░░░░░░⸩ ⠋ fetchMetadata: sill pacote range manifest for @babel/plugin-syntax-jsx@^7.7.4 fetc
```
After the install finish, access to your project scalfold.
```
➜ cd verdaccio-plugin-service-name
➜ cat package.json
{
"name": "verdaccio-plugin-service-name",
"version": "0.0.1",
"description": "awesome auth plugin",
...
```
## Full implementation ES5 example {#full-implementation-es5-example}
```javascript
function Auth(config, stuff) {
var self = Object.create(Auth.prototype);
self._users = {};
// config for this module
self._config = config;
// verdaccio logger
self._logger = stuff.logger;
// pass verdaccio logger to ldapauth
self._config.client_options.log = stuff.logger;
return self;
}
Auth.prototype.authenticate = function (user, password, callback) {
var LdapClient = new LdapAuth(self._config.client_options);
....
LdapClient.authenticate(user, password, function (err, ldapUser) {
...
var groups;
...
callback(null, groups);
});
};
module.exports = Auth;
```
And the configuration will looks like:
```yaml
auth:
htpasswd:
file: ./htpasswd
```
Where `htpasswd` is the sufix of the plugin name. eg: `verdaccio-htpasswd` and the rest of the body would be the plugin configuration params.
### List Community Authentication Plugins {#list-community-authentication-plugins}
* [verdaccio-bitbucket](https://github.com/idangozlan/verdaccio-bitbucket): Bitbucket authentication plugin for verdaccio.
* [verdaccio-bitbucket-server](https://github.com/oeph/verdaccio-bitbucket-server): Bitbucket Server authentication plugin for verdaccio.
* [verdaccio-ldap](https://www.npmjs.com/package/verdaccio-ldap): LDAP auth plugin for verdaccio.
* [verdaccio-active-directory](https://github.com/nowhammies/verdaccio-activedirectory): Active Directory authentication plugin for verdaccio
* [verdaccio-gitlab](https://github.com/bufferoverflow/verdaccio-gitlab): use GitLab Personal Access Token to authenticate
* [verdaccio-gitlab-ci](https://github.com/lab360-ch/verdaccio-gitlab-ci): Enable GitLab CI to authenticate against verdaccio.
* [verdaccio-htpasswd](https://github.com/verdaccio/verdaccio-htpasswd): Auth based on htpasswd file plugin (built-in) for verdaccio
* [verdaccio-github-oauth](https://github.com/aroundus-inc/verdaccio-github-oauth): Github oauth authentication plugin for verdaccio.
* [verdaccio-github-oauth-ui](https://github.com/n4bb12/verdaccio-github-oauth-ui): GitHub OAuth plugin for the verdaccio login button.
* [verdaccio-groupnames](https://github.com/deinstapel/verdaccio-groupnames): Plugin to handle dynamic group associations utilizing `$group` syntax. Works best with the ldap plugin.
* [verdaccio-sqlite](https://github.com/bchanudet/verdaccio-sqlite): SQLite Authentication plugin for Verdaccio
* [verdaccio-okta-auth](https://github.com/hogarthww-labs/verdaccio-okta-auth) Verdaccio Okta Auth
* [verdaccio-azure-ad-login](https://github.com/IhToN/verdaccio-azure-ad-login) Let your users authenticate into Verdaccio via Azure AD OAuth 2.0 API
* [verdaccio-auth-gitlab](https://github.com/pfdgithub/verdaccio-auth-gitlab) Verdaccio authentication plugin by gitlab personal access tokens.
**Have you developed a new plugin? Add it here !**

76
website/versioned_docs/version-5.x/plugin-generator.md Normal file
View File

@ -0,0 +1,76 @@
---
id: plugin-generator
title: "Plugin Generator"
---
## Installing the Yeoman Generator {#installing-the-yeoman-generator}
Verdaccio is a pluggable application, with the objective to help developers to generate new plugins, we have a custom generator based in **[Yeoman](https://yeoman.io/)** for generate all sort of plugins.
To install the generator, as first step you must install the *yeoman* command `yo`.
```bash
npm install -g yo
```
then, install the custom generator running the following in your terminal.
```
npm i -g generator-verdaccio-plugin
```
## Using the generator {#using-the-generator}
Use `yeoman` is quite straighforward, you can read more information about it [here](https://yeoman.io/learning/index.html).
After a success install, run `yo verdaccio-plugin` in your terminal and follow the steps.
```
➜ yo verdaccio-plugin
Just found a `.yo-rc.json` in a parent directory.
Setting the project root at: /Users/user/verdaccio_yo_generator
_-----_ ╭──────────────────────────╮
| | │ Welcome to │
|--(o)--| │ generator-verdaccio-plug │
`---------´ │ in plugin generator! │
( _´U`_ ) ╰──────────────────────────╯
/___A___\ /
| ~ |
__'.___.'__
´ ` |° ´ Y `
? What is the name of your plugin? (customname)
```
### Best practices {#best-practices}
- We recommend using **Typescript** for developing new plugins, we provide an extense support of Types which help you along the development.
```
? What is the name of your plugin? my-plugin
? Select Language (Use arrow keys)
typescript
javascript
```
- On describe your plugin, be brief and explicit, remember a good description will increase your chances your pluing to be used.
```
? Please, describe your plugin (An amazing verdaccio plugin)
```
- Don't hesitate to include meaningful keywords, as `verdaccio`, `plugin` or your plugin type. Good keywords will help us to find you and future improvement in our collect information about all plugins.
```
? Key your keywords (comma to split) verdaccio,plugin,storage,minio,verdaccio-plugin
```
- Keep your generator **updated**, don't miss any bug-fixes and performance improvements.
### Contributing {#contributing}
Help us to improve the generator, you can contribute in the following repository.
[https://github.com/verdaccio/generator-verdaccio-plugin](https://github.com/verdaccio/generator-verdaccio-plugin)

120
website/versioned_docs/version-5.x/plugin-middleware.md Normal file
View File

@ -0,0 +1,120 @@
---
id: plugin-middleware
title: "Middleware Plugin"
---
## What's an Middleware Plugin? {#whats-an-middleware-plugin}
Middleware plugins have the capability to modify the API (web and cli) layer, either adding new endpoints or intercepting requests.
### API {#api}
```typescript
interface IPluginMiddleware<T> extends IPlugin<T> {
register_middlewares(app: any, auth: IBasicAuth<T>, storage: IStorageManager<T>): void;
}
```
### `register_middlewares` {#register_middlewares}
The method provide full access to the authentification and storage via `auth` and `storage`. `app` is the express application that allows you to add new endpoints.
```typescript
public register_middlewares(
app: Application,
auth: IBasicAuth<CustomConfig>,
storage: IStorageManager<CustomConfig>
): void {
const router = Router();
router.post(
'/custom-endpoint',
(req: Request, res: Response & { report_error?: Function }, next: NextFunction): void => {
const encryptedString = auth.aesEncrypt(Buffer.from(this.foo, 'utf8'));
res.setHeader('X-Verdaccio-Token-Plugin', encryptedString.toString());
next();
}
);
app.use('/-/npm/something-new', router);
}
```
The `auth` and `storage` are instances and can be extended, but we don't recommend this approach unless is well founded.
> A good example of a middleware plugin is the [verdaccio-audit](https://github.com/verdaccio/monorepo/tree/master/plugins/audit).
## Generate an middleware plugin {#generate-an-middleware-plugin}
For detailed info check our [plugin generator page](plugin-generator). Run the `yo` command in your terminal and follow the steps.
```
➜ yo verdaccio-plugin
Just found a `.yo-rc.json` in a parent directory.
Setting the project root at: /Users/user/verdaccio_yo_generator
_-----_ ╭──────────────────────────╮
| | │ Welcome to │
|--(o)--| │ generator-verdaccio-plug │
`---------´ │ in plugin generator! │
( _´U`_ ) ╰──────────────────────────╯
/___A___\ /
| ~ |
__'.___.'__
´ ` |° ´ Y `
? What is the name of your plugin? custom-endpoint
? Select Language typescript
? What kind of plugin you want to create? middleware
? Please, describe your plugin awesome middleware plugin
? GitHub username or organization myusername
? Author's Name Juan Picado
? Author's Email jotadeveloper@gmail.com
? Key your keywords (comma to split) verdaccio,plugin,middleware,awesome,verdaccio-plugin
create verdaccio-plugin-custom-endpoint/package.json
create verdaccio-plugin-custom-endpoint/.gitignore
create verdaccio-plugin-custom-endpoint/.npmignore
create verdaccio-plugin-custom-endpoint/jest.config.js
create verdaccio-plugin-custom-endpoint/.babelrc
create verdaccio-plugin-custom-endpoint/.travis.yml
create verdaccio-plugin-custom-endpoint/README.md
create verdaccio-plugin-custom-endpoint/.eslintrc
create verdaccio-plugin-custom-endpoint/.eslintignore
create verdaccio-plugin-custom-endpoint/src/index.ts
create verdaccio-plugin-custom-endpoint/index.ts
create verdaccio-plugin-custom-endpoint/tsconfig.json
create verdaccio-plugin-custom-endpoint/types/index.ts
create verdaccio-plugin-custom-endpoint/.editorconfig
I'm all done. Running npm install for you to install the required dependencies. If this fails, try running the command yourself.
⸨ ░░░░░░░░░░░░░░░░░⸩ ⠋ fetchMetadata: sill pacote range manifest for @babel/plugin-syntax-jsx@^7.7.4 fetc
```
After the install finish, access to your project scalfold.
```
➜ cd verdaccio-plugin-auth-service-name
➜ cat package.json
{
"name": "verdaccio-plugin-custom-endpoint",
"version": "0.0.1",
"description": "awesome middleware plugin",
...
```
The middleware are registrered after built-in endpoints, thus, it is not possible to override the implemented ones.
### List Community Middleware Plugins {#list-community-middleware-plugins}
* [verdaccio-audit](https://github.com/verdaccio/verdaccio-audit): verdaccio plugin for *npm audit* cli support (built-in) (compatible since 3.x)
* [verdaccio-profile-api](https://github.com/ahoracek/verdaccio-profile-api): verdaccio plugin for *npm profile* cli support and *npm profile set password* for *verdaccio-htpasswd* based authentificaton
* [verdaccio-https](https://github.com/honzahommer/verdaccio-https) Verdaccio middleware plugin to redirect to https if x-forwarded-proto header is set
* [verdaccio-badges](https://github.com/tavvy/verdaccio-badges) A verdaccio plugin to provide a version badge generator endpoint
* [verdaccio-openmetrics](https://github.com/freight-hub/verdaccio-openmetrics) Verdaccio plugin exposing an OpenMetrics/Prometheus endpoint with health and traffic metrics
* [verdaccio-sentry](https://github.com/juanpicado/verdaccio-sentry) sentry loggin errors
* [verdaccio-pacman](https://github.com/PaddeK/verdaccio-pacman) Verdaccio Middleware Plugin to manage tags and versions of packages

111
website/versioned_docs/version-5.x/plugin-storage.md Normal file
View File

@ -0,0 +1,111 @@
---
id: plugin-storage
title: "Storage Plugin"
---
## What's an Storage Plugin? {#whats-an-storage-plugin}
Verdaccio by default uses a file system storage plugin [local-storage](https://github.com/verdaccio/verdaccio/tree/master/packages/plugins/local-storage). The default storage can be easily replaced, either using a community plugin or creating one by your own.
### API {#api}
Storage plugins are composed of two objects, the `IPluginStorage<T>` and the `IPackageStorage`.
* The `IPluginStorage` object handle the local database for private packages.
```typescript
interface IPluginStorage<T> extends IPlugin<T>, ITokenActions {
logger: Logger;
config: T & Config;
add(name: string, callback: Callback): void;
remove(name: string, callback: Callback): void;
get(callback: Callback): void;
getSecret(): Promise<string>;
setSecret(secret: string): Promise<any>;
getPackageStorage(packageInfo: string): IPackageStorage;
search(onPackage: onSearchPackage, onEnd: onEndSearchPackage, validateName: onValidatePackage): void;
}
```
* The `IPackageStorage` is an object that is created by each request that handles the I/O actions for the metadata and tarballs.
```typescript
interface IPackageStorage {
logger: Logger;
writeTarball(pkgName: string): IUploadTarball;
readTarball(pkgName: string): IReadTarball;
readPackage(fileName: string, callback: ReadPackageCallback): void;
createPackage(pkgName: string, value: Package, cb: CallbackAction): void;
deletePackage(fileName: string, callback: CallbackAction): void;
removePackage(callback: CallbackAction): void;
updatePackage(
pkgFileName: string,
updateHandler: StorageUpdateCallback,
onWrite: StorageWriteCallback,
transformPackage: PackageTransformer,
onEnd: CallbackAction
): void;
savePackage(fileName: string, json: Package, callback: CallbackAction): void;
}
```
## Generate an middleware plugin {#generate-an-middleware-plugin}
For detailed info check our [plugin generator page](plugin-generator). Run the `yo` command in your terminal and follow the steps.
```
➜ yo verdaccio-plugin
Just found a `.yo-rc.json` in a parent directory.
Setting the project root at: /Users/user/verdaccio_yo_generator
_-----_ ╭──────────────────────────╮
| | │ Welcome to │
|--(o)--| │ generator-verdaccio-plug │
`---------´ │ in plugin generator! │
( _´U`_ ) ╰──────────────────────────╯
/___A___\ /
| ~ |
__'.___.'__
´ ` |° ´ Y `
? What is the name of your plugin? custom-endpoint
? Select Language typescript
? What kind of plugin you want to create? storage
? Please, describe your plugin awesome storage plugin
? GitHub username or organization myusername
? Author's Name Juan Picado
? Author's Email jotadeveloper@gmail.com
? Key your keywords (comma to split) verdaccio,plugin,storage,awesome,verdaccio-plugin
create verdaccio-plugin-storage-package-database/package.json
create verdaccio-plugin-storage-package-database/.gitignore
create verdaccio-plugin-storage-package-database/.npmignore
create verdaccio-plugin-storage-package-database/jest.config.js
create verdaccio-plugin-storage-package-database/.babelrc
create verdaccio-plugin-storage-package-database/.travis.yml
create verdaccio-plugin-storage-package-database/README.md
create verdaccio-plugin-storage-package-database/.eslintrc
create verdaccio-plugin-storage-package-database/.eslintignore
create verdaccio-plugin-storage-package-database/src/PackageStorage.ts
create verdaccio-plugin-storage-package-database/src/index.ts
create verdaccio-plugin-storage-package-database/src/plugin.ts
create verdaccio-plugin-storage-package-database/index.ts
create verdaccio-plugin-storage-package-database/tsconfig.json
create verdaccio-plugin-storage-package-database/types/index.ts
create verdaccio-plugin-storage-package-database/.editorconfig
I'm all done. Running npm install for you to install the required dependencies. If this fails, try running the command yourself.
⸨ ░░░░░░░░░░░░░░░░░⸩ ⠋ fetchMetadata: sill pacote range manifest for @babel/plugin-syntax-jsx@^7.7.4 fetc
```
### List Community Storage Plugins {#list-community-storage-plugins}
The following list of plugins are implementing the Storage API and might be used them as example.
* [verdaccio-memory](https://github.com/verdaccio/verdaccio-memory) Storage plugin to host packages in Memory
* [verdaccio-s3-storage](https://github.com/remitly/verdaccio-s3-storage) Storage plugin to host packages **Amazon S3**
* [verdaccio-aws-s3-storage](https://github.com/verdaccio/monorepo/tree/master/plugins/aws-s3-storage) Storage plugin to host packages **Amazon S3** (maintained by Verdaccio core team)
* [verdaccio-google-cloud](https://github.com/verdaccio/verdaccio-google-cloud) Storage plugin to host packages **Google Cloud Storage**
* [verdaccio-minio](https://github.com/barolab/verdaccio-minio) A verdaccio plugin for storing data in Minio
* [verdaccio-offline-storage](https://github.com/g3ngar/verdaccio-offline-storage) local-storage plugin BUT with locally available packages as first class citizens.

229
website/versioned_docs/version-5.x/plugins.md Normal file
View File

@ -0,0 +1,229 @@
---
id: plugins
title: "Plugins"
---
Verdaccio is a pluggable application. It can be extended in many ways, either new authentication methods, adding endpoints or using a custom storage.
There are 5 types of plugins:
* [Authentication](plugin-auth.md)
* [Middleware](plugin-middleware.md)
* [Storage](plugin-storage.md)
* Custom Theme and filters
> If you are interested to develop your own plugin, read the [development](dev-plugins.md) section.
## Usage {#usage}
### Installation {#installation}
```bash
$> npm install --global verdaccio-activedirectory
```
`verdaccio` as a sinopia fork it has backward compatibility with plugins that are compatible with `sinopia@1.4.0`. In such case the installation is the same.
```
$> npm install --global sinopia-memory
```
### Configuration {#configuration}
Open the `config.yaml` file and update the `auth` section as follows:
The default configuration looks like this, due we use a build-in `htpasswd` plugin by default that you can disable just commenting out the following lines.
### Naming convention {#naming-convention}
Since version `2.0.0` until version plugins must start with the following convention:
- `sinopia-xxx` (deprecated and will be removed on 6.x.x)
- `verdaccio-xxx`
After version `5.12.0` scoped plugins are supported, for example:
```yaml
auth:
'@my-org/auth-awesome-plugin':
foo: some value
bar: another value
store:
'@my-org/store-awesome-plugin':
foo: some value
bar: another value
middleware:
'@my-org/middleware-awesome-plugin':
foo: some value
bar: another value
```
### Authentication Configuration {#authentication-configuration}
```yaml
auth:
htpasswd:
file: ./htpasswd
# max_users: 1000
```
and replacing them with (in case you decide to use a `ldap` plugin.
```yaml
auth:
activedirectory:
url: "ldap://10.0.100.1"
baseDN: 'dc=sample,dc=local'
domainSuffix: 'sample.local'
```
#### Multiple Authentication plugins {#multiple-authentication-plugins}
This is technically possible, making the plugin order important, as the credentials will be resolved in order.
```yaml
auth:
htpasswd:
file: ./htpasswd
#max_users: 1000
activedirectory:
url: "ldap://10.0.100.1"
baseDN: 'dc=sample,dc=local'
domainSuffix: 'sample.local'
```
### Middleware Configuration {#middleware-configuration}
This is an example how to set up a middleware plugin. All middleware plugins must be defined in the **middlewares** namespace.
```yaml
middlewares:
audit:
enabled: true
```
> You might follow the [audit middle plugin](https://github.com/verdaccio/verdaccio-audit) as base example.
### Storage Configuration {#storage-configuration}
This is an example how to set up a storage plugin. All storage plugins must be defined in the **store** namespace.
```yaml
store:
memory:
limit: 1000
```
### Theme Configuration {#theme-configuration}
Verdaccio allows to replace the User Interface with a custom one, we call it **theme**.
By default, uses `@verdaccio/ui-theme` that comes built-in, but, you can use something different installing your own plugin.
```bash
$> npm install --global verdaccio-theme-dark
```
> The plugin name prefix must start with `verdaccio-theme`, otherwise the plugin won't load.
You can load only one theme at a time and pass through options if you need it.
```yaml
theme:
dark:
option1: foo
option2: bar
```
### Theme plugin development
> Since v.5.0.0
If you have a custom UI plugin for the them you will need to adapt your build to the new requirements.
The previous version you only need to return a function with a string and the path of the directory.
```
const path = require('path');
module.exports = () => {
return path.join(__dirname, 'static');
};
```
The module must return an object and the `index.html` is ignored since support dynamic rendering, eg:
```
staticPath: '/somePath/node_modules/verdaccio-theme-custom/static',
manifest: {
'main.js': '-/static/main.c21a97b1dbe8456a9c76.js',
'runtime.js': '-/static/runtime.c21a97b1dbe8456a9c76.js',
'NotFound.js': '-/static/NotFound.c21a97b1dbe8456a9c76.js',
'Provider.js': '-/static/Provider.c21a97b1dbe8456a9c76.js',
'Version.js': '-/static/Version.c21a97b1dbe8456a9c76.js',
'Home.js': '-/static/Home.c21a97b1dbe8456a9c76.js',
'Versions.js': '-/static/Versions.c21a97b1dbe8456a9c76.js',
'UpLinks.js': '-/static/UpLinks.c21a97b1dbe8456a9c76.js',
'Dependencies.js': '-/static/Dependencies.c21a97b1dbe8456a9c76.js',
'Engines.js': '-/static/Engines.c21a97b1dbe8456a9c76.js',
'Dist.js': '-/static/Dist.c21a97b1dbe8456a9c76.js',
'Install.js': '-/static/Install.c21a97b1dbe8456a9c76.js',
'Repository.js': '-/static/Repository.c21a97b1dbe8456a9c76.js',
'vendors.js': '-/static/vendors.c21a97b1dbe8456a9c76.js',
'718.c21a97b1dbe8456a9c76.js': '-/static/718.c21a97b1dbe8456a9c76.js',
'238.c21a97b1dbe8456a9c76.js': '-/static/238.c21a97b1dbe8456a9c76.js',
'73.c21a97b1dbe8456a9c76.js': '-/static/73.c21a97b1dbe8456a9c76.js'
},
manifestFiles: { js: [ 'runtime.js', 'vendors.js', 'main.js' ] }
```
- `staticPath`: is the same data returned in Verdaccio 4.
- `manifest`: A webpack manifest object.
- `manifestFiles`: A object with one property `js` and the array (order matters) of the manifest id to be loaded in the template dynamically.
#### Manifest and Webpack {#manifest-and-webpack}
Verdaccio uses the webpack [manifest](https://webpack.js.org/concepts/manifest/) object to render the html dynamically, in combination with the `manifestFiles` the application understand what to render.
> Currently only support `js` but if you also need `css`, we are open to discuss it and further improvements.
```
const { WebpackManifestPlugin } = require('webpack-manifest-plugin');
plugins: [
...
new WebpackManifestPlugin({
removeKeyHash: true,
}),
...
],
```
## Legacy plugins {#legacy-plugins}
### Sinopia Plugins {#sinopia-plugins}
> If you are relying on any sinopia plugin, remember are deprecated and might no work in the future.
* [sinopia-npm](https://www.npmjs.com/package/sinopia-npm): auth plugin for sinopia supporting an npm registry.
* [sinopia-memory](https://www.npmjs.com/package/sinopia-memory): auth plugin for sinopia that keeps users in memory.
* [sinopia-github-oauth-cli](https://www.npmjs.com/package/sinopia-github-oauth-cli).
* [sinopia-crowd](https://www.npmjs.com/package/sinopia-crowd): auth plugin for sinopia supporting atlassian crowd.
* [sinopia-activedirectory](https://www.npmjs.com/package/sinopia-activedirectory): Active Directory authentication plugin for sinopia.
* [sinopia-github-oauth](https://www.npmjs.com/package/sinopia-github-oauth): authentication plugin for sinopia2, supporting github oauth web flow.
* [sinopia-delegated-auth](https://www.npmjs.com/package/sinopia-delegated-auth): Sinopia authentication plugin that delegates authentication to another HTTP URL
* [sinopia-altldap](https://www.npmjs.com/package/sinopia-altldap): Alternate LDAP Auth plugin for Sinopia
* [sinopia-request](https://www.npmjs.com/package/sinopia-request): An easy and fully auth-plugin with configuration to use an external API.
* [sinopia-htaccess-gpg-email](https://www.npmjs.com/package/sinopia-htaccess-gpg-email): Generate password in htaccess format, encrypt with GPG and send via MailGun API to users.
* [sinopia-mongodb](https://www.npmjs.com/package/sinopia-mongodb): An easy and fully auth-plugin with configuration to use a mongodb database.
* [sinopia-htpasswd](https://www.npmjs.com/package/sinopia-htpasswd): auth plugin for sinopia supporting htpasswd format.
* [sinopia-leveldb](https://www.npmjs.com/package/sinopia-leveldb): a leveldb backed auth plugin for sinopia private npm.
* [sinopia-gitlabheres](https://www.npmjs.com/package/sinopia-gitlabheres): Gitlab authentication plugin for sinopia.
* [sinopia-gitlab](https://www.npmjs.com/package/sinopia-gitlab): Gitlab authentication plugin for sinopia
* [sinopia-ldap](https://www.npmjs.com/package/sinopia-ldap): LDAP auth plugin for sinopia.
* [sinopia-github-oauth-env](https://www.npmjs.com/package/sinopia-github-oauth-env) Sinopia authentication plugin with github oauth web flow.
> All sinopia plugins should be compatible with all future verdaccio versions. Anyhow, we encourage contributors to migrate them to the
modern verdaccio API and using the prefix as *verdaccio-xx-name*.

100
website/versioned_docs/version-5.x/programmatically.md Normal file
View File

@ -0,0 +1,100 @@
---
id: verdaccio-programmatically
title: "Node.js API"
---
Verdaccio is a binary command which is available in your enviroment when you install globally the package eg `npm i -g verdaccio`, but also can be dependency in your project and use it programmatically.
### Using `fork` from `child_process` module
Using the binary is the faster way to use verdaccio programatically, you need to add to the config file the `_debug: true` to enable the messaging system, when verdaccio is ready will send `verdaccio_started` string as message as the following example.
> If you are using ESM modules the `require` won't be available.
```typescript
export function runRegistry(
args: string[] = [],
childOptions: {}
): Promise<ChildProcess> {
return new Promise((resolve, reject) => {
const childFork = fork(require.resolve('verdaccio/bin/verdaccio'), args, childOptions);
childFork.on('message', (msg: {verdaccio_started: boolean}) => {
if(msg.verdaccio_started){
resolve(childFork);
}
});
childFork.on('error', (err: any) => reject([err]));
childFork.on('disconnect', (err: any) => reject([err]));
});
}
```
You can see the full example on this repository.
[https://github.com/juanpicado/verdaccio-fork](https://github.com/juanpicado/verdaccio-fork
)
### Using the module API
Feature available in `v5.11.0` and higher.
> Using const verdaccio = require('verdaccio'); as the default module is not encoraged, it's deprecated and recommend use `runServer` for future compability.
There are three ways to use it:
- No input, it will find the `config.yaml` as is you would run `verdaccio` in the console.
- With a absolute path.
- With an object (there is a catch here, see below).
```js
const {runServer} = require('verdaccio');
const app = await runServer(); // default configuration
const app = await runServer('./config/config.yaml');
const app = await runServer({ configuration });
app.listen(4000, (event) => {
// do something
});
```
With an object you need to add `self_path`, manually (it's not nice but would be a breaking change changing it now) on v6 this is not longer need it.
```js
const {runServer, parseConfigFile} = require('verdaccio');
const configPath = join(__dirname, './config.yaml');
const c = parseConfigFile(configPath);
// workaround
// on v5 the `self_path` still exists and will be removed in v6
c.self_path = 'foo';
runServer(c).then(() => {});
```
Feature available minor than `v5.11.0`.
> This is a valid way but is discoragued for future releases.
```js
const fs = require('fs');
const path = require('path');
const verdaccio = require('verdaccio').default;
const YAML = require('js-yaml');
const getConfig = () => {
return YAML.safeLoad(fs.readFileSync(path.join(__dirname, 'config.yaml'), 'utf8'));
}
const cache = path.join(__dirname, 'cache');
const config = Object.assign({}, getConfig(), {
self_path: cache
});
verdaccio(config, 6000, cache, '1.0.0', 'verdaccio', (webServer, addrs, pkgName, pkgVersion) => {
try {
webServer.unref();
webServer.listen(addrs.port || addrs.path, addrs.host, () => {
console.log('verdaccio running');
});
} catch (error) {
console.error(error);
}
});
```

45
website/versioned_docs/version-5.x/protect-your-dependencies.md Normal file
View File

@ -0,0 +1,45 @@
---
id: protect-your-dependencies
title: "Protecting packages"
---
Verdaccio allows you protect publishing to your registry. To achieve that you will need to set up correctly configure your [packages access](packages).
### Package configuration {#package-configuration}
Let's see for instance the following set up. You have a set of dependencies that are prefixed with `my-company-*` and you need to protect them from anonymous or other non-authorized logged-in users.
```yaml
"my-company-*":
access: admin teamA teamB teamC
publish: admin teamA
```
With this configuration, we allow the groups **admin** and **teamA** to _publish_ and **teamA**, **teamB** and **teamC** to _access_ the specified dependencies.
### Use case: teamD tries to access the dependency {#use-case-teamd-tries-to-access-the-dependency}
So, if I am logged as **teamD**. I shouldn't be able to access all dependencies that match the `my-company-*` pattern.
```bash
➜ npm whoami
teamD
```
I won't have access to such dependencies and they also won't be visible via the web interface for user **teamD**. If I try to access it, the following will happen:
```bash
➜ npm install my-company-core
npm ERR! code E403
npm ERR! 403 Forbidden: webpack-1@latest
```
or with `yarn`:
```bash
➜ yarn add my-company-core
yarn add v0.24.6
info No lockfile found.
[1/4] 🔍 Resolving packages...
error An unexpected error occurred: "http://localhost:5555/webpack-1: unregistered users are not allowed to access package my-company-core".
```

28
website/versioned_docs/version-5.x/puppet.md Normal file
View File

@ -0,0 +1,28 @@
---
id: puppet
title: "Puppet"
---
Install verdaccio for Debian, Ubuntu, Fedora, and RedHat.
# Usage
There are two variants to install verdaccio using this Puppet module:
* Apply-mode (with puppet-apply and no puppetmaster setup needed)
* Master-Agent-mode (with puppet-agent accessing your configuration through the puppetmaster).
In both variants you have to explicitly call "class nodejs {}" in your puppet script because
the puppet-verdaccio module only defines this as a requirement, so you have all the flexibility you want when installing nodejs.
Scroll down for details about Master-Agent-mode variant.
For further information:
[https://github.com/verdaccio/puppet-verdaccio](https://github.com/verdaccio/puppet-verdaccio)
> We are looking for active contributors for this integration, if you are interested
[refers to this ticket](https://github.com/verdaccio/puppet-verdaccio/issues/11).

9
website/versioned_docs/version-5.x/repositories.md Normal file
View File

@ -0,0 +1,9 @@
---
id: repositories
title: Source Code
---
`verdaccio` is composed or multiple repositories you might contribute. Look into the **issues** tab whether there is a ticket waiting for you 🤠.
To see the complete list of repositories, [click here](https://github.com/verdaccio/verdaccio/wiki/Repositories).

258
website/versioned_docs/version-5.x/reverse-proxy.md Normal file
View File

@ -0,0 +1,258 @@
---
id: reverse-proxy
title: "Reverse Proxy Setup"
---
Using a reverse proxy is a common practice. The following configurations are the
most recommended and used ones.
**Important**, the headers are considered to resolve the public are `X-Forwarded-Proto` for the protocol and `Host` for the domain, please include them in your configuration.
# Apache
Apache and `mod_proxy` should **not decode/encode slashes** and leave them as they are:
For installing at relative path, `/npm`, on the server
````
<VirtualHost *:80>
AllowEncodedSlashes NoDecode
ProxyPass /npm http://127.0.0.1:4873 nocanon
ProxyPassReverse /npm http://127.0.0.1:4873
</VirtualHost>
````
For installing at root path, `/`, on the server
````
<VirtualHost *:80>
ServerName your.domain.com
ServerAdmin hello@your.domain.com
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
ProxyPass / http://127.0.0.1:4873/ nocanon
ProxyPassReverse / http://127.0.0.1:4873/
</VirtualHost>
````
### Configuration with SSL {#configuration-with-ssl}
Apache virtual server configuration.
````apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName npm.your.domain.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/npm.your.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/npm.your.domain.com/privkey.pem
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
ProxyPass / http://127.0.0.1:4873/ nocanon
ProxyPassReverse / http://127.0.0.1:4873/
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
</IfModule>
````
## Invalid checksum
Sometimes the gzip compression can mess with the request when running `npm install` and result in error messages like this:
````
npm WARN tar TAR_ENTRY_INVALID checksum failure
npm WARN tar zlib: incorrect data check
````
A possible fix for this, can be by disabling gzip compression for the virtual host, by adding this to your config:
````
SetEnv no-gzip 1
````
Resulting in a config like so:
````
<VirtualHost *:80>
AllowEncodedSlashes NoDecode
SetEnv no-gzip 1
ProxyPass /npm http://127.0.0.1:4873 nocanon
ProxyPassReverse /npm http://127.0.0.1:4873
</VirtualHost>
````
You should only add it to your virtual host config, if you are experiencing the issue.
# Nginx
The following snippet is a full `docker` example can be tested in our [Docker examples repository](https://github.com/verdaccio/verdaccio/tree/5.x/docker-examples/reverse_proxy/nginx).
````nginx
upstream verdaccio_v4 {
server verdaccio_relative_path_v4:4873;
keepalive 8;
}
upstream verdaccio_v4_root {
server verdaccio_relative_path_v4_root:8000;
keepalive 8;
}
upstream verdaccio_v3 {
server verdaccio_relative_path_latest_v3:7771;
keepalive 8;
}
server {
listen 80 default_server;
access_log /var/log/nginx/verdaccio.log;
charset utf-8;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://verdaccio_v4_root;
proxy_redirect off;
}
location ~ ^/verdaccio/(.*)$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://verdaccio_v4/$1;
proxy_redirect off;
}
location ~ ^/verdacciov3/(.*)$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://verdaccio_v3/$1;
proxy_redirect off;
}
}
````
## SSL example {#ssl-example}
````nginx
server {
listen 80;
return 302 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name localhost;
ssl_certificate /etc/nginx/cert.crt;
ssl_certificate_key /etc/nginx/cert.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://verdaccio_v4_root;
proxy_read_timeout 600;
proxy_redirect off;
}
location ~ ^/verdaccio/(.*)$ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://verdaccio_v4_root/$1;
proxy_redirect off;
}
}
````
## Run behind reverse proxy with different domain and port {#run-behind-reverse-proxy-with-different-domain-and-port}
### Sub-directory {#sub-directory}
If the whole URL is being used for Verdaccio, you don't need to define a `url_prefix`, otherwise
you would need something like this in your `config.yaml`.
```yaml
url_prefix: /sub_directory/
```
If you run Verdaccio behind reverse proxy, you may noticed all resource file served as relative path, like `http://127.0.0.1:4873/-/static`
To resolve this issue, **you should send real domain and port to Verdaccio with `Host` header**
Nginx configure should look like this:
```nginx
location / {
proxy_pass http://127.0.0.1:4873/;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
```
For this case, `url_prefix` should **NOT** set in Verdaccio config
---
or a sub-directory installation:
```nginx
location ~ ^/verdaccio/(.*)$ {
proxy_pass http://127.0.0.1:4873/$1;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
```
For this case, `url_prefix` should set to `/verdaccio/`
> Note: There is a slash after the install path (`https://your-domain:port/verdaccio/`)!
### Overriding the public url
> Since `verdaccio@5.0.0`
The new `VERDACCIO_PUBLIC_URL` is intended to be used behind proxies, this variable will be used for:
- Used as base path to serve UI resources as (js, favicon, etc)
- Used on return metadata `dist` base path
- Ignores `host` and `X-Forwarded-Proto` headers
- If `url_prefix` is defined would be appened to the env variable.
```
VERDACCIO_PUBLIC_URL='https://somedomain.org';
url_prefix: '/my_prefix'
// url -> https://somedomain.org/my_prefix/
VERDACCIO_PUBLIC_URL='https://somedomain.org';
url_prefix: '/'
// url -> https://somedomain.org/
VERDACCIO_PUBLIC_URL='https://somedomain.org/first_prefix';
url_prefix: '/second_prefix'
// url -> https://somedomain.org/second_prefix/'
```
![Screenshot from 2021-03-24 20-20-11](https://user-images.githubusercontent.com/558752/112371003-5fa1ce00-8cde-11eb-888c-70c4e9776c57.png)

6
website/versioned_docs/version-5.x/security-policy.md Normal file
View File

@ -0,0 +1,6 @@
---
id: security-policy
title: "Security Policy"
---
Follow our security policy on [GitHub](https://github.com/verdaccio/verdaccio/security/policy)

91
website/versioned_docs/version-5.x/server.md Normal file
View File

@ -0,0 +1,91 @@
---
id: server-configuration
title: "Server Configuration"
---
This is mostly basic Linux server configuration stuff but I felt it important to document and share the steps I took to get Verdaccio running permanently on my server. You will need root (or sudo) permissions for the following steps.
## Running as a separate user {#running-as-a-separate-user}
First create a Verdaccio user:
```bash
$ sudo adduser --system --gecos 'Verdaccio NPM mirror' --group --home /var/lib/verdaccio verdaccio
```
Or, in case you do not have `adduser`:
```bash
$ sudo useradd --system --comment 'Verdaccio NPM mirror' --create-home --home-dir /var/lib/verdaccio --shell /sbin/nologin verdaccio
```
You create a shell as the Verdaccio user using the following command:
```bash
$ sudo su -s /bin/bash verdaccio
$ cd
```
The `cd` command sends you to the home directory of the Verdaccio user. Make sure you run Verdaccio at least once to generate the config file. Edit it according to your needs.
## Listening on all addresses {#listening-on-all-addresses}
If you want to listen to every external address set the listen directive in the config to:
```yaml
# you can specify listen address (or simply a port)
listen: 0.0.0.0:4873
```
If you are running Verdaccio in a Amazon EC2 Instance, [you will need set the listen in change your config file](https://github.com/verdaccio/verdaccio/issues/314#issuecomment-327852203) as is described above.
> Configure Apache or nginx? Please check out the [Reverse Proxy Setup](reverse-proxy.md)
## Keeping Verdaccio running forever {#keeping-verdaccio-running-forever}
You can use a Node package called ['forever'](https://github.com/nodejitsu/forever) to keep Verdaccio running all the time.
First install `forever` globally:
```bash
$ sudo npm install -g forever
```
Make sure you've run Verdaccio at least once to generate the config file and write down the created admin user. You can then use the following command to start Verdaccio:
```bash
$ forever start `which verdaccio`
```
You can check the documentation for more information on how to use forever.
## Surviving server restarts {#surviving-server-restarts}
You can use `crontab` and `forever` together to start Verdaccio after a server reboot.
When you're logged in as the Verdaccio user do the following:
```bash
$ crontab -e
```
This might ask you to choose an editor. Pick your favorite and proceed.
Add the following entry to the file:
```
@reboot /usr/bin/forever start /usr/lib/node_modules/verdaccio/bin/verdaccio
```
The locations may vary depending on your server setup. If you want to know where your files are you can use the 'which' command:
```bash
$ which forever
$ which verdaccio
```
## Using systemd {#using-systemd}
Instead of `forever` you can use `systemd` for starting Verdaccio and keeping it running. Verdaccio installation has systemd unit, you only need to copy it:
```bash
$ sudo cp /usr/lib/node_modules/verdaccio/systemd/verdaccio.service /lib/systemd/system/ && sudo systemctl daemon-reload
```
This unit assumes you have configuration in `/etc/verdaccio/config.yaml` and store data in `/var/lib/verdaccio`, so either move your files to those locations or edit the unit.

103
website/versioned_docs/version-5.x/setup-npm.md Normal file
View File

@ -0,0 +1,103 @@
---
id: setup-npm
title: "npm"
---
# npm {#npm}
The minimum supported NPM version is 5.
## Using Verdaccio for all my projects (recommended)
To set the registry for all your local projects in any terminal window run:
```bash
npm set registry http://localhost:4873/
```
This will set the registry for your operational system user and you can find it on the file `~/.npmrc`.
## Using Verdaccio only to a specific project
To set this value for a specific project open its root folder on a terminal window and run:
```bash
npm set registry http://localhost:4873/ --location project
```
This will set the registry in a `.npmrc` file in your project root directory.
## Using Verdaccio only on specific commands
If you want one single use append `--registry http://localhost:4873/` to the required command.
Some examples:
```bash
npm ci --registry http://localhost:4873
npm install --registry http://localhost:4873
npm install lodash --registry http://localhost:4873
```
## How to prevent your package from being published in other registries
If you only want to publish your package to Verdaccio but keep installing from other registries you can setup the `publishConfig` in your `package.json` as [described in the official documentation](https://docs.npmjs.com/cli/v8/using-npm/registry#how-can-i-prevent-my-package-from-being-published-in-the-official-registry).
```json
{
"publishConfig": {
"registry": "http://localhost:4873"
}
}
```
## Troubleshooting
### npm does not save authToken when authenticating to Verdaccio
If you are using either `npm@5.4.x` or `npm@5.5.x`, there are [known issues with tokens](https://github.com/verdaccio/verdaccio/issues/509#issuecomment-359193762), please upgrade to either `6.x` or downgrade to `npm@5.3.0`.
### SSL and certificates {#ssl-and-certificates}
When using Verdaccio under SSL without a valid certificate, defining `strict-ssl` in your config file is required otherwise you will get `SSL Error: SELF_SIGNED_CERT_IN_CHAIN` errors.
`npm` does not support [invalid certificates anymore](https://blog.npmjs.org/post/78085451721/npms-self-signed-certificate-is-no-more) since 2014.
```bash
npm config set ca ""
npm config set strict-ssl false
```
### Mixed registries in lockefile (npm v7+)
Since version 7 npm got more strict with the introduction of `lockfileVersion: 2`. If you have mixed `resolved` fields in your lockfile, for instance, having this in your lockfile:
```json
{
"name": "npm7",
"version": "1.0.0",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"version": "1.0.0",
"license": "ISC",
"dependencies": {
"lodash": "4.17.20",
"underscore": "^1.11.0"
}
},
..... // removed for simplicity
},
"dependencies": {
"lodash": {
"version": "4.17.20",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz",
"integrity": "sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA=="
},
"underscore": {
"version": "1.11.0",
"resolved": "http://localhost:4873/underscore/-/underscore-1.11.0.tgz",
"integrity": "sha512-xY96SsN3NA461qIRKZ/+qox37YXPtSBswMGfiNptr+wrt6ds4HaMw23TP612fEyGekRE6LNRiLYr/aqbHXNedw=="
}
}
}
```
Either running `npm i --registry https://registry.npmjs.org` or using `.npmrc` will fail your installation.

11
website/versioned_docs/version-5.x/setup-pnpm.md Normal file
View File

@ -0,0 +1,11 @@
---
id: setup-pnpm
title: "pnpm"
---
### pnpm {#pnpm}
> This includes 4.x and 5.x series.
`pnpm` recognize by default the configuration at `.npmrc` and also the `--registry` value.
This means that you can follow the same commands described in [npm](setup-npm.md) replacing `npm` by `pnpm`.

64
website/versioned_docs/version-5.x/setup-yarn.md Normal file
View File

@ -0,0 +1,64 @@
---
id: setup-yarn
title: "yarn"
---
# yarn {#yarn}
#### Yarn (1.x) {#yarn-1x}
> Be aware npm configurations are valid on the classic version
The classic version is able to regonize the `.npmrc` file, but also provides their own configuration file named `.yarnrc`.
To set up a registry, create a file and define a registry.
```
// .yarnrc
registry "http://localhost:4873"
```
By using this version you should enable `always-auth` in your configuration running:
```
npm config set always-auth true
```
`yarn@1.x` does not send the authorization header on `yarn install` if your packages requires authentication, by enabling `always-auth` will force yarn do it on each request.
#### Yarn Berry (>=2.x) {#yarn-berry-2x}
> Yarn berry does not recognize `--registry` or `.npmrc` file anymore.
For defining a registry you must use the `.yarnrc.yml` located in the root of your project or global configuration.
When you publish a package the `npmRegistryServer` must be used. Keep in mind the `publishConfig.registry` in the `package.json` will override this configuration.
```yaml
// .yarnrc.yml
npmRegistryServer: "http://localhost:4873"
unsafeHttpWhitelist:
- localhost
```
> `unsafeHttpWhitelist` is only need it if you don't use `https` with a valid certificate.
Using scopes is also possible and more segmented, you can define a token peer scope if is required.
```
npmRegistries:
"https://registry.myverdaccio.org":
npmAlwaysAuth: true
npmAuthToken: <TOKEN>
npmScopes:
my-company:
npmRegistryServer: https://registry.myverdaccio.org
npmPublishRegistry: https://registry.myverdaccio.org
```
for logging via CLi use:
```
yarn npm login --scope my-company
```

53
website/versioned_docs/version-5.x/ssl.md Normal file
View File

@ -0,0 +1,53 @@
---
id: ssl
title: "Set up the SSL Certificates"
---
Follow these instructions to configure an SSL certificate to serve an npm registry over HTTPS.
* Update the listen property in your `~/.config/verdaccio/config.yaml`:
````
listen: 'https://your.domain.com/'
````
Once you've updated the listen property and try to run verdaccio again, it will ask for certificates.
* Generate your certificates
````
$ openssl genrsa -out /Users/user/.config/verdaccio/verdaccio-key.pem 2048
$ openssl req -new -sha256 -key /Users/user/.config/verdaccio/verdaccio-key.pem -out /Users/user/.config/verdaccio/verdaccio-csr.pem
$ openssl x509 -req -in /Users/user/.config/verdaccio/verdaccio-csr.pem -signkey /Users/user/.config/verdaccio/verdaccio-key.pem -out /Users/user/.config/verdaccio/verdaccio-cert.pem
````
* Edit your config file `/Users/user/.config/verdaccio/config.yaml` and add the following section:
````
https:
key: /Users/user/.config/verdaccio/verdaccio-key.pem
cert: /Users/user/.config/verdaccio/verdaccio-cert.pem
ca: /Users/user/.config/verdaccio/verdaccio-csr.pem
````
Alternatively, if you have a certificate with the `server.pfx` format, you can add the following configuration section: (The passphrase is optional and only needed if your certificate is encrypted.)
````
https:
pfx: /Users/user/.config/verdaccio/server.pfx
passphrase: 'secret'
````
You can find more info on the `key`, `cert`, `ca`, `pfx`, and `passphrase` arguments in the [Node documentation](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)
* Run `verdaccio` in your command line.
* Open the browser and visit `https://your.domain.com:port/`
These instructions are mostly valid under OSX and Linux; on Windows the paths will vary, but the steps are the same.
## Docker
If you are using the Docker image, you have to set the `VERDACCIO_PROTOCOL` environment variable to `https`, as the `listen` argument is provided in the [Dockerfile](https://github.com/verdaccio/verdaccio/blob/master/Dockerfile#L43) and thus ignored from your config file.
You can also set the `VERDACCIO_PORT` environment variable if you are using a port other than `4873`.

11
website/versioned_docs/version-5.x/talks.md Normal file
View File

@ -0,0 +1,11 @@
---
id: talks
title: "Talks"
---
All talks could be find on our YouTube channel, please subscribe for new content.
[![logo](https://cdn.verdaccio.dev/website/watch-us.png)](https://www.youtube.com/channel/UC5i20v6o7lSjXzAHOvatt0w)
> If you want to reference any of your talks or tutorials, please write in your channel #contribute on discord and will be added to the channel.

87
website/versioned_docs/version-5.x/uplinks.md Normal file
View File

@ -0,0 +1,87 @@
---
id: uplinks
title: "Uplinks"
---
An *uplink* is a link with an external registry that provides access to external packages.
![Uplinks](https://user-images.githubusercontent.com/558752/52976233-fb0e3980-33c8-11e9-8eea-5415e6018144.png)
### Usage {#usage}
```yaml
uplinks:
npmjs:
url: https://registry.npmjs.org/
server2:
url: http://mirror.local.net/
timeout: 100ms
server3:
url: http://mirror2.local.net:9000/
baduplink:
url: http://localhost:55666/
```
### Configuration {#configuration}
You can define mutiple uplinks and each of them must have an unique name (key). They can have the following properties:
Property | Type | Required | Example | Support | Description | Default
--- | --- | --- | --- | --- | --- | ---
url | string | Yes | https://registry.npmjs.org/ | all | The registry url | npmjs
ca | string | No | ~./ssl/client.crt' | all | SSL path certificate | No default
timeout | string | No | 100ms | all | set new timeout for the request | 30s
maxage | string | No |10m | all | the time threshold to the cache is valid | 2m
fail_timeout | string | No |10m | all | defines max time when a request becomes a failure | 5m
max_fails | number | No |2 | all | limit maximun failure request | 2
cache | boolean | No |[true,false] | >= 2.1 | cache all remote tarballs in storage | true
auth | list | No | [see below](uplinks.md#auth-property) | >= 2.5 | assigns the header 'Authorization' [more info](http://blog.npmjs.org/post/118393368555/deploying-with-npm-private-modules) | disabled
headers | list | No | authorization: "Bearer SecretJWToken==" | all | list of custom headers for the uplink | disabled
strict_ssl | boolean | No | [true,false] | >= 3.0 | If true, requires SSL certificates be valid. | true
agent_options | object | No | maxSockets: 10 | >= 4.0.2 | options for the HTTP or HTTPS Agent responsible for managing uplink connection persistence and reuse [more info](https://nodejs.org/api/http.html#http_class_http_agent) | No default
#### Auth property {#auth-property}
The `auth` property allows you to use an auth token with an uplink. Using the default environment variable:
```yaml
uplinks:
private:
url: https://private-registry.domain.com/registry
auth:
type: bearer
token_env: true # by defaults points to the environment variable `NPM_TOKEN`
```
or via a specified _custom_ environment variable:
```yaml
uplinks:
private:
url: https://private-registry.domain.com/registry
auth:
type: bearer
token_env: FOO_TOKEN # override the default `NPM_TOKEN` by a custom one
```
`token_env: FOO_TOKEN `internally will use `process.env['FOO_TOKEN']`
or by directly specifying a token oh the configuration file (not recommended by security corcerns):
```yaml
uplinks:
private:
url: https://private-registry.domain.com/registry
auth:
type: bearer
token: "token"
```
> Note: `token` has priority over `token_env`
### You Must know {#you-must-know}
* Uplinks must be registries compatible with the `npm` endpoints. Eg: *verdaccio*, `sinopia@1.4.0`, *npmjs registry*, *yarn registry*, *JFrog*, *Nexus* and more.
* Setting `cache` to false will help to save space in your hard drive. This will avoid store `tarballs` but [it will keep metadata in folders](https://github.com/verdaccio/verdaccio/issues/391).
* Multiple uplinks might slow down the lookup of your packages. For each request an npm client makes, verdaccio makes 1 call to each configured uplink.
* The (timeout, maxage and fail_timeout) format follow the [NGINX measurement units](http://nginx.org/en/docs/syntax.html)
* When using the [Helm Chart](https://github.com/verdaccio/charts), you can use `secretEnvVars` to inject sensitive environment variables, which can be used to configure private uplink auth.

97
website/versioned_docs/version-5.x/web.md Normal file
View File

@ -0,0 +1,97 @@
---
id: webui
title: "Web User Interface"
---
![Uplinks](https://user-images.githubusercontent.com/558752/52916111-fa4ba980-32db-11e9-8a64-f4e06eb920b3.png)
Verdaccio has a web user interface to display only the private packages and can be customised to your liking.
```yaml
web:
enable: true
title: Verdaccio
logo: http://somedomain/somelogo.png
primary_color: "#4b5e40"
gravatar: true | false
scope: "@scope"
sort_packages: asc | desc
darkMode: false
favicon: http://somedomain/favicon.ico | /path/favicon.ico
rateLimit:
windowMs: 50000
max: 1000
pkgManagers:
- npm
- yarn
- pnpm
login: true
scriptsBodyAfter:
- '<script type="text/javascript" src="https://my.company.com/customJS.min.js"></script>'
metaScripts:
- '<script type="text/javascript" src="https://code.jquery.com/jquery-3.5.1.slim.min.js"></script>'
- '<script type="text/javascript" src="https://browser.sentry-cdn.com/5.15.5/bundle.min.js"></script>'
- '<meta name="robots" content="noindex" />'
scriptsbodyBefore:
- '<div id="myId">html before webpack scripts</div>'
html_cache: true
showInfo: true
showSettings: true
# In combination with darkMode you can force specific theme
showThemeSwitch: true
showFooter: true
showSearch: true
showDownloadTarball: true
showRaw: true
```
All access restrictions defined to [protect your packages](protect-your-dependencies.md) will also apply to the Web Interface.
> The `primary_color` and `scope` must be wrapped by quotes: eg: ('#000000' or "#000000")
The `primary_color` **must be a valid hex representation**.
### Internationalization {#internationalization}
_Since v4.5.0_, there are translations available.
```yaml
i18n:
web: en-US
```
> ⚠️ Only the enabled languages on this [file](https://github.com/verdaccio/verdaccio/blob/master/packages/plugins/ui-theme/src/i18n/enabledLanguages.ts) are available, you can contribute by adding new more languages. The default
> one is en-US
### Configuration {#configuration}
| Property | Type | Required | Example | Support | Description |
| ------------- | ---------- | -------- | ------------------------------------------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------ |
| enable | boolean | No | true/false | all | allow to display the web interface |
| title | string | No | Verdaccio | all | HTML head title description (if is not define set "Verdaccio" by default). |
| gravatar | boolean | No | true | `>v4` | Gravatars will be generated under the hood if this property is enabled |
| sort_packages | [asc,desc] | No | asc | `>v4` | By default private packages are sorted by ascending |
| logo | string | No | `/local/path/to/my/logo.png` `http://my.logo.domain/logo.png` | all | a URI where logo is located (header logo) |
| primary_color | string | No | "#4b5e40" | `>4` | The primary color to use throughout the UI (header, etc) |
| scope | string | No | @myscope | `>v3.x` | If you're using this registry for a specific module scope, specify that scope to set it in the webui instructions header |
| darkMode | boolean | No | false | `>=v4.6.0` | This mode is an special theme for those want to live in the dark side |
| favicon | string | No | false | `>=v5.0.1` | Display a custom favicon, can be local resource or valid url |
| rateLimit | object | No | use `userRateLimit` configuration | `>=v5.4.0` | Increase or decrease rate limit, by default is 5k request every 2 minutes, only limit web api endpoints, the CSS, JS, etcc are ingnored |
| pkgManagers | npm, pnpm or yarn | No | npm | `>=v5.5.0` | Allow customise which package managers on the side bar and registry information dialog are visible |
| login | boolean | No | true or false | `>=v5.5.0` | Allow disable login on the UI (also include web endpoints). |
| scriptsBodyAfter | string[] | No | any list of strings | `>=5.0.0` | inject scripts after the <body/> tag |
| metaScripts | string[] | No | any list of strings | `>=5.0.0` | inject scripts inside <head/> |
| scriptsbodyBefore | string[] | No | any list of strings | `>=5.0.0` | inject scripts before the <body/>|
| html_cache | boolean | No | true | `>=v5.9.0` | whether the html cache is enabled, default true |
| showInfo | boolean | No | true | `>=v5.10.0` | display the info button on the header |
| showSettings | boolean | No | true | `>=v5.10.0` | display the settings button on the header |
| showThemeSwitch | boolean | No | true | `>=v5.10.0` | display the theme switch button on the header |
| showFooter | boolean | No | true | `>=v5.10.0` | allow hide footer |
| showSearch | boolean | No | true | `>=v5.10.0` | allow hide search component |
| showDownloadTarball | boolean | No | true | `>=v5.10.0` | allow hide download button on the sidebar |
| showRaw | boolean | No | true | `>=v5.10.0` | allow hide manifest button on the sidebar (experimental feature) |
> The recommended logo size is `40x40` pixels.
> The `darkMode` can be enabled via UI and is persisted in the browser local storage. If you combine `showThemeSwitch: false` with `darkMode` users will be forced to use an specific theme. Furthermore, also void `primary_color` and dark cannot be customized.

68
website/versioned_docs/version-5.x/what-is-verdaccio.md Normal file
View File

@ -0,0 +1,68 @@
---
id: what-is-verdaccio
title: "What is Verdaccio?"
---
Verdaccio is a **lightweight private npm proxy registry** built in **Node.js**
Using a private npm registry like Verdaccio is one of the [Top 10 NPM Security Best Practices](https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html#6-use-a-local-npm-proxy)
recommended by the Open Web Application Security Project ([OWASP](https://owasp.org/)).
<iframe width="560" height="515" src="https://www.youtube.com/embed/qRMucS3i3kQ" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
## What's a registry? {#whats-a-registry}
* A registry is a repository for packages, that implements the **CommonJS Compliant Package Registry specification** for reading package's information.
* Provide a compatible API with npm clients **(yarn/npm/pnpm)**.
* Semantic Versioning compatible **(semver)**.
```bash
$> verdaccio
```
![registry](/img/verdaccio_server.gif)
## Using Verdaccio {#using-verdaccio}
Using Verdaccio with any Node.js package manager client is quite straightforward.
![registry](/img/npm_install.gif)
You can use a custom registry either by setting it globally for all your projects
```bash
npm set registry http://localhost:4873
```
or by using it in command line as an argument `--registry` in npm (slightly different in yarn)
```bash
npm install lodash --registry http://localhost:4873
```
```bash
yarn config set registry http://localhost:4873
```
To have a more detailed explanation, I invite you to watch the full explanation **Angular Library: How To Use a Library in a poly-repo Using Verdaccio** by [_Fanis Prodromou_](https://twitter.com/prodromouf) on his [YouTube channel](https://www.youtube.com/channel/UCgJAoZCYx1Dk3iGPHSIgV1A).
<iframe width="560" height="515" src="https://www.youtube.com/embed/tSIC3wna_d0?enablejsapi=1" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
## Private {#private}
All packages that you publish are private and only accessible based in your configuration.
## Proxy {#proxy}
Verdaccio cache all dependencies on demand and speed up installations in local or private networks.
## In a Nutshell {#in-a-nutshell}
* It's a web app based on Node.js
* It's a private npm registry
* It's a local network proxy
* It's a Pluggable application
* It's fairly easy to install and to use
* We offer Docker and Kubernetes support
* It is 100% compatible with yarn, npm and pnpm
* Verdaccio means **A green color popular in late medieval Italy for fresco painting**.

35
website/versioned_docs/version-5.x/who-is-using.md Normal file
View File

@ -0,0 +1,35 @@
---
id: who-is-using
title: "Who is using Verdaccio?"
---
### As a Business {#as-a-business}
*If you are using Verdaccio in your business and want to share your experience, let us know. We will be happy to listen to you.*
* [SheetJS](https://sheetjs.com/)
* [Satispay](https://www.satispay.com/)
### Open Source Projects {#open-source-projects}
> **Feel free to suggest other OSS are using Verdaccio.**
* [pnpm](https://pnpm.js.org/)
* [Storybook](https://storybook.js.org/)
* [Mozilla Neutrino](https://neutrinojs.org/)
* [create-react-app](https://github.com/facebook/create-react-app/blob/master/CONTRIBUTING.md#contributing-to-e2e-end-to-end-tests)
* [Gatsby](https://github.com/gatsbyjs/gatsby)
* [Apollo GraphQL](https://github.com/apollographql)
* [Uppy](https://github.com/transloadit/uppy)
* [Aurelia Framework](https://github.com/aurelia/framework)
* [bit](https://github.com/teambit/bit)
* [Wix Yoshi](https://github.com/wix/yoshi)
* [The AWS Cloud Development Kit](https://github.com/awslabs/aws-cdk)
* [Hyperledger Caliper](https://github.com/hyperledger/caliper)
#### Readme Recommendations {#readme-recommendations}
* [react-native-cli](https://github.com/react-native-community/react-native-cli/blob/master/CONTRIBUTING.md)

57
website/versioned_docs/version-5.x/windows.md Normal file
View File

@ -0,0 +1,57 @@
---
id: windows
title: "Installing As a Windows Service"
---
Loosely based upon the instructions found [here](http://asysadmin.tumblr.com/post/32941224574/running-nginx-on-windows-as-a-service). I crafted the following and it provided me with a fully working verdaccio service installation:
1. Create a directory for verdaccio
* mkdir `c:\verdaccio`
* cd `c:\verdaccio`
2. Install verdaccio locally (I ran into npm issues with global installs)
* npm install verdaccio
3. Create your `config.yaml` file in this location `(c:\verdaccio\config.yaml)`
4. Windows Service Setup
## Using NSSM {#using-nssm}
ALTERNATIVE METHOD: (WinSW package was missing when I tried to download it)
* Download [NSSM](https://www.nssm.cc/download/) and extract
* Add the path that contains nssm.exe to the PATH
* Open an administrative command
* Run nssm install verdaccio At a minimum you must fill in the Application tab Path,
Startup directory and Arguments fields. Assuming an install with node in the system path and a
location of c:\verdaccio the below values will work:
* Path: `node`
* Startup directory: `c:\verdaccio`
* Arguments: `c:\verdaccio\node_modules\verdaccio\build\lib\cli.js -c c:\verdaccio\config.yaml`
You can adjust other service settings under other tabs as desired. When you are done, click Install service button
* Start the service sc start verdaccio
## Using WinSW {#using-winsw}
* As of 2015-10-27, WinSW is no longer available at the below location. Please follow the Using NSSM instructions above.
* Download [WinSW](http://repo.jenkins-ci.org/releases/com/sun/winsw/winsw/)
* Place the executable (e.g. `winsw-1.9-bin.exe`) into this folder (`c:\verdaccio`) and rename it to `verdaccio-winsw.exe`
* Create a configuration file in `c:\verdaccio`, named `verdaccio-winsw.xml`
with the following configuration `xml verdaccio verdaccio verdaccio node c:\verdaccio\node_modules\verdaccio\src\lib\cli.js -c c:\verdaccio\config.yaml roll c:\verdaccio\ `.
* Install your service
* `cd c:\verdaccio`
* `verdaccio-winsw.exe install`
* Start your service
* `verdaccio-winsw.exe start`
Some of the above config is more verbose than I had expected, it appears as though 'workingdirectory'
is ignored, but other than that, this works for me and allows my verdaccio instance to
persist between restarts of the server, and also restart itself should there be any crashes of the verdaccio process.
## Repositories {#repositories}
* [verdaccio-deamon-windows](https://github.com/davidenke/verdaccio-deamon-windows)

122
website/versioned_sidebars/version-5.x-sidebars.json Normal file
View File

@ -0,0 +1,122 @@
{
"docs": [
{
"type": "category",
"label": "Introduction",
"items": [
"what-is-verdaccio",
"installation",
"cli",
{
"type": "category",
"label": "Setting up Verdaccio",
"items": [
"cli-registry",
"setup-npm",
"setup-yarn",
"setup-pnpm"
]
},
"who-is-using",
"best",
"docker",
"protect-your-dependencies",
"e2e",
"verdaccio-programmatically",
"security-policy",
"logo",
{
"type": "category",
"label": "Uses Cases",
"items": [
"caching",
"github-actions",
"linking-remote-registry"
]
},
{
"type": "category",
"label": "Talks & Articles",
"items": [
"articles",
"talks"
]
}
]
},
{
"type": "category",
"label": "Features",
"items": [
"configuration",
"uplinks",
"packages",
"authentication",
"notifications",
"logger",
"webui"
]
},
{
"type": "category",
"label": "Server",
"items": [
"server-configuration",
"reverse-proxy",
"ssl",
"windows",
"iss-server"
]
},
{
"type": "category",
"label": "Development",
"items": [
"plugins",
"dev-plugins",
{
"type": "category",
"label": "Dev Guides",
"items": [
"plugin-generator",
"plugin-auth",
"plugin-middleware",
"plugin-storage"
]
},
"node-api"
]
},
{
"type": "category",
"label": "DevOps",
"items": [
"kubernetes",
"ci",
{
"type": "category",
"label": "Cloud",
"items": [
"amazon"
]
},
{
"type": "category",
"label": "Tools",
"items": [
"ansible",
"puppet",
"chef"
]
}
]
},
{
"type": "category",
"label": "Guides",
"items": [
"aws"
]
}
]
}

3
website/versions.json Normal file
View File

@ -0,0 +1,3 @@
[
"5.x"
]