verdaccio/packages/plugins/htpasswd/CHANGELOG.md

Change Log

11.0.0-6-next.21

Patch Changes

• Updated dependencies [4b29d715]
  • @verdaccio/core@6.0.0-6-next.51

11.0.0-6-next.20

Patch Changes

• @verdaccio/core@6.0.0-6-next.50

11.0.0-6-next.19

Patch Changes

• @verdaccio/core@6.0.0-6-next.49

11.0.0-6-next.18

Major Changes

• 9fc2e796: feat(plugins): improve plugin loader

  Changes

  • Add scope plugin support to 6.x https://github.com/verdaccio/verdaccio/pull/3227
  • Avoid config collisions https://github.com/verdaccio/verdaccio/issues/928
  • https://github.com/verdaccio/verdaccio/issues/1394
  • config.plugins plugin path validations
  • Updated algorithm for plugin loader.
  • improved documentation (included dev)

  Features

  • Add scope plugin support to 6.x https://github.com/verdaccio/verdaccio/pull/3227
  • Custom prefix:

  // config.yaml
  server:
    pluginPrefix: mycompany
  middleware:
    audit:
        foo: 1
  

  This configuration will look up for mycompany-audit instead Verdaccio-audit.

  Breaking Changes

  sinopia plugins

  • sinopia fallback support is removed, but can be restored using pluginPrefix

  plugin filter

  • method rename filter_metadata->filterMetadata

  Plugin constructor does not merge configs anymore https://github.com/verdaccio/verdaccio/issues/928

  The plugin receives as first argument config, which represents the config of the plugin. Example:

  // config.yaml
  auth:
    plugin:
       foo: 1
       bar: 2
  
  export class Plugin<T> {
    public constructor(config: T, options: PluginOptions) {
      console.log(config);
      // {foo:1, bar: 2}
   }
  }
  

Patch Changes

• Updated dependencies [43f32687]
• Updated dependencies [62c24b63]
  • @verdaccio/core@6.0.0-6-next.48
  • @verdaccio/file-locking@11.0.0-6-next.6

11.0.0-6-next.17

Patch Changes

• @verdaccio/core@6.0.0-6-next.47

11.0.0-6-next.16

Patch Changes

• Updated dependencies [b849128d]
  • @verdaccio/core@6.0.0-6-next.8
  • @verdaccio/file-locking@11.0.0-6-next.6

11.0.0-6-next.15

Patch Changes

• 351aeeaa: fix(deps): @verdaccio/utils should be a prod dep of local-storage
• Updated dependencies [351aeeaa]
  • @verdaccio/core@6.0.0-6-next.7
  • @verdaccio/file-locking@11.0.0-6-next.6

11.0.0-6-next.14

Major Changes

• 292c0a37: feat!: replace deprecated request dependency by got

  This is a big refactoring of the core, fetching dependencies, improve code, more tests and better stability. This is essential for the next release, will take some time but would allow modularize more the core.

  Notes

  • Remove deprecated request by other got, retry improved, custom Agent ( got does not include it built-in)
  • Remove async dependency from storage (used by core) it was linked with proxy somehow safe to remove now
  • Refactor with promises instead callback wherever is possible
  • Document the API
  • Improve testing, integration tests
  • Bugfix
  • Clean up old validations
  • Improve performance

  💥 Breaking changes

  • Plugin API methods were callbacks based are returning promises, this will break current storage plugins, check documentation for upgrade.
  • Write Tarball, Read Tarball methods parameters change, a new set of options like AbortController signals are being provided to the addAbortSignal can be internally used with Streams when a request is aborted. eg: addAbortSignal(signal, fs.createReadStream(pathName));
  • @verdaccio/streams stream abort support is legacy is being deprecated removed
  • Remove AWS and Google Cloud packages for future refactoring #2574.

Patch Changes

• Updated dependencies [292c0a37]
• Updated dependencies [a3a209b5]
• Updated dependencies [00d1d2a1]
  • @verdaccio/core@6.0.0-6-next.6
  • @verdaccio/file-locking@11.0.0-6-next.5

11.0.0-6-next.13

Major Changes

• 82cb0f2b: feat!: config.logs throw an error, logging config not longer accept array or logs property

  💥 Breaking change

  This is valid

  log: { type: stdout, format: pretty, level: http }
  

  This is invalid

  logs: { type: stdout, format: pretty, level: http }
  

  or

  logs:
    - [{ type: stdout, format: pretty, level: http }]
  

Patch Changes

• Updated dependencies [82cb0f2b]
• Updated dependencies [5167bb52]
  • @verdaccio/core@6.0.0-6-next.5
  • @verdaccio/file-locking@11.0.0-6-next.4

11.0.0-6-next.12

Patch Changes

• aeff267d: Refactor htpasswd plugin to use the bcryptjs 'compare' api call instead of 'comparSync'. Add a new configuration value named 'slow_verify_ms' to the htpasswd plugin that when exceeded during password verification will log a warning message.

11.0.0-6-next.11

Patch Changes

• Updated dependencies [24b9be02]
  • @verdaccio/core@6.0.0-6-next.4
  • @verdaccio/file-locking@11.0.0-6-next.4

11.0.0-6-next.10

Patch Changes

• Updated dependencies [6c1eb021]
  • @verdaccio/core@6.0.0-6-next.3

11.0.0-6-next.9

Major Changes

• 794af76c: Remove Node 12 support

  • We need move to the new undici and does not support Node.js 12

Minor Changes

• 154b2ecd: refactor: remove @verdaccio/commons-api in favor @verdaccio/core and remove duplications

Patch Changes

• Updated dependencies [794af76c]
• Updated dependencies [154b2ecd]
  • @verdaccio/core@6.0.0-6-next.2
  • @verdaccio/file-locking@11.0.0-6-next.4

11.0.0-6-next.8

Patch Changes

• Updated dependencies [459b6fa7]
  • @verdaccio/commons-api@11.0.0-6-next.4
  • @verdaccio/file-locking@11.0.0-alpha.3

11.0.0-6-next.7

Patch Changes

• df0da3d6: Added core-js missing from dependencies though referenced in .js sources

10.0.0-alpha.6

Major Changes

• 174cdcaa: feat: allow other password hashing algorithms (#1917)

  breaking change

  The current implementation of the htpasswd module supports multiple hash formats on verify, but only crypt on sign in. crypt is an insecure old format, so to improve the security of the new verdaccio release we introduce the support of multiple hash algorithms on sign in step.

  New hashing algorithms

  The new possible hash algorithms to use are bcrypt, md5, sha1. bcrypt is chosen as a default, because of its customizable complexity and overall reliability. You can read more about them here.

  Two new properties are added to auth section in the configuration file:

  • algorithm to choose the way you want to hash passwords.
  • rounds is used to determine bcrypt complexity. So one can improve security according to increasing computational power.

  Example of the new auth config file section:

  auth:
  htpasswd:
    file: ./htpasswd
    max_users: 1000
    # Hash algorithm, possible options are: "bcrypt", "md5", "sha1", "crypt".
    algorithm: bcrypt
    # Rounds number for "bcrypt", will be ignored for other algorithms.
    rounds: 10
  

10.0.0-alpha.5

Major Changes

• f8a50baa: feat: standalone registry with no dependencies

  Usage

  To install a server with no dependencies

  npm install -g @verdaccio/standalone
  

  with no internet required

  npm install -g ./tarball.tar.gz
  

  Bundles htpasswd and audit plugins.

  Breaking Change

  It does not allow anymore the auth and middleware property at config file empty, it will fallback to those plugins by default.

10.0.0-alpha.4

Patch Changes

• fecbb9be: chore: add release step to private regisry on merge changeset pr
• Updated dependencies [fecbb9be]
  • @verdaccio/commons-api@10.0.0-alpha.3
  • @verdaccio/file-locking@10.0.0-alpha.3

10.0.0-alpha.3

Minor Changes

• 54c58d1e: feat: add server rate limit protection to all request

  To modify custom values, use the server settings property.

  server:
  
  ## https://www.npmjs.com/package/express-rate-limit#configuration-options
  
  rateLimit:
  windowMs: 1000
  max: 10000
  

  The values are intended to be high, if you want to improve security of your server consider using different values.

Patch Changes

• Updated dependencies [54c58d1e]
  • @verdaccio/commons-api@10.0.0-alpha.2
  • @verdaccio/file-locking@10.0.0-alpha.2

10.0.0-alpha.2

Minor Changes

• 2a327c4b: feat: remove level dependency by lowdb for npm token cli as storage

  new npm token database

  There will be a new database located in your storage named .token-db.json which will store all references to created tokens, it does not store tokens, just mask of them and related metadata required to reference them.

  Breaking change

  If you were relying on npm token experiment. This PR will replace the used database (level) by a json plain based one (lowbd) which does not require Node.js C++ compilation step and has less dependencies. Since was a experiment there is no migration step.

10.0.0-alpha.1

Major Changes

• d87fa026: feat!: experiments config renamed to flags

  • The experiments configuration is renamed to flags. The functionality is exactly the same.

  flags: token: false;
  search: false;
  

  • The self_path property from the config file is being removed in favor of config_file full path.
  • Refactor config module, better types and utilities

• da1ee9c8: - Replace signature handler for legacy tokens by removing deprecated crypto.createDecipher by createCipheriv

  • Introduce environment variables for legacy tokens

  Code Improvements

  • Add debug library for improve developer experience

  Breaking change

  • The new signature invalidates all previous tokens generated by Verdaccio 4 or previous versions.
  • The secret key must have 32 characters long.

  New environment variables

  • VERDACCIO_LEGACY_ALGORITHM: Allows to define the specific algorithm for the token signature which by default is aes-256-ctr
  • VERDACCIO_LEGACY_ENCRYPTION_KEY: By default, the token stores in the database, but using this variable allows to get it from memory

Minor Changes

• 26b494cb: feat: add typescript project references settings

  Reading https://ebaytech.berlin/optimizing-multi-package-apps-with-typescript-project-references-d5c57a3b4440 I realized I can use project references to solve the issue to pre-compile modules on develop mode.

  It allows to navigate (IDE) trough the packages without need compile the packages.

  Add two tsconfig, one using the previous existing configuration that is able to produce declaration files (tsconfig.build) and a new one tsconfig which is enables projects references.

Patch Changes

• b57b4338: Enable prerelease mode with changesets

• 31af0164: ESLint Warnings Fixed

  Related to issue #1461

  • max-len: most of the sensible max-len errors are fixed
  • no-unused-vars: most of these types of errors are fixed by deleting not needed declarations
  • @typescript-eslint/no-unused-vars: same as above

• Updated dependencies [d87fa026]

• Updated dependencies [da1ee9c8]

• Updated dependencies [26b494cb]

• Updated dependencies [b57b4338]

• Updated dependencies [31af0164]

  • @verdaccio/file-locking@10.0.0-alpha.1

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

9.7.2 (2020-07-20)

Note: Version bump only for package verdaccio-htpasswd

9.7.1 (2020-07-10)

Bug Fixes

• update dependencies (#375) (1e7aeec)

9.7.0 (2020-06-24)

Note: Version bump only for package verdaccio-htpasswd

9.6.1 (2020-06-07)

Note: Version bump only for package verdaccio-htpasswd

9.5.0 (2020-05-02)

Note: Version bump only for package verdaccio-htpasswd

9.4.1 (2020-04-30)

Bug Fixes

• verdaccio-htpasswd: generate non-constant legacy 2 byte salt (#357) (d522595)

9.4.0 (2020-03-21)

Note: Version bump only for package verdaccio-htpasswd

9.3.2 (2020-03-08)

Bug Fixes

• update dependencies (#332) (b6165ae)

9.3.1 (2020-02-23)

Note: Version bump only for package verdaccio-htpasswd

9.3.0 (2020-01-29)

Note: Version bump only for package verdaccio-htpasswd

9.0.0 (2020-01-07)

chore

• update dependencies (68add74)

Features

• eslint-config: enable eslint curly (#308) (91acb12)

BREAKING CHANGES

• @verdaccio/eslint-config requires ESLint >=6.8.0 and Prettier >=1.19.1 to fix compatibility with overrides.extends config

8.5.2 (2019-12-25)

Note: Version bump only for package verdaccio-htpasswd

8.5.1 (2019-12-24)

Note: Version bump only for package verdaccio-htpasswd

8.5.0 (2019-12-22)

Note: Version bump only for package verdaccio-htpasswd

8.4.2 (2019-11-23)

Note: Version bump only for package verdaccio-htpasswd

8.4.1 (2019-11-22)

Note: Version bump only for package verdaccio-htpasswd

8.4.0 (2019-11-22)

Note: Version bump only for package verdaccio-htpasswd

8.3.0 (2019-10-27)

Note: Version bump only for package verdaccio-htpasswd

8.2.0 (2019-10-23)

Note: Version bump only for package verdaccio-htpasswd

8.2.0-next.0 (2019-10-08)

Bug Fixes

• fixed lint errors (5e677f7)

8.1.2 (2019-09-29)

Note: Version bump only for package verdaccio-htpasswd

8.1.1 (2019-09-26)

Note: Version bump only for package verdaccio-htpasswd

8.1.0 (2019-09-07)

Note: Version bump only for package verdaccio-htpasswd

8.0.1-next.1 (2019-08-29)

Note: Version bump only for package verdaccio-htpasswd

8.0.1-next.0 (2019-08-29)

Note: Version bump only for package verdaccio-htpasswd

8.0.0 (2019-08-22)

Note: Version bump only for package verdaccio-htpasswd

8.0.0-next.4 (2019-08-18)

Note: Version bump only for package verdaccio-htpasswd

8.0.0-next.2 (2019-08-03)

Note: Version bump only for package verdaccio-htpasswd

8.0.0-next.1 (2019-08-01)

Note: Version bump only for package verdaccio-htpasswd

8.0.0-next.0 (2019-08-01)

Note: Version bump only for package verdaccio-htpasswd

Change Log

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.0.0 (2019-04-14)

Features

• drop node v6 suport (d1d52e8)

2.0.0-beta.1 (2019-02-24)

Bug Fixes

• package.json to reduce vulnerabilities (259bdaf)
• update @verdaccio/file-locking@1.0.0 (ec0bbfd)

2.0.0-beta.0 (2019-02-03)

Features

• migrate to typescript (79f6937)
• remove Node6 from CircleCI (d3a05ab)
• use verdaccio babel preset (3a63f88)

1.0.1 (2018-09-30)

Bug Fixes

• password hash & increase coverage (6420c26)

1.0.0 (2018-09-30)

Bug Fixes

• adds error message for user registration (0bab945)

Features

• change-passwd: implement change password #32 (830b143)