Comments (2)
Yes, this should be handled by the people maintaining the verdaccio instance. Overwriting packages could be an issue and security risk for others using the same verdaccio instance.
from verdaccio-gitlab.
I do understand that overwriting packages that use the same name could be an issue and security risk. But I'm making the assumption that most verdaccio instances are for internal use only. Hence the point of a private npm registry and that information about overwritten packages would've been communicated to the team using the instance. Anyone else using the instance that isn't authorised to do so would have another thing coming.
After I posted, I realised that the way you mapped it is basically assuming that if you own the URL path of a group, you would be able to publish to said scope. However, could the access be reworked such that you could do something like the following?
```yaml
'**':
  access: $all
  publish: $maintainer@group
  proxy: npmjs
  gitlab: true
```
Otherwise the `**` scope with this plugin wouldn't be useful except for being able to publish as the group URL path and username.
Even package names that do not overwrite any upstream registry would not work and you would probably have to end up creating pseudo groups to be able to do so. But if you create a pseudo group, no one else will be able to create a pseudo group unless of course they are running their own GitLab instance.
from verdaccio-gitlab.
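A minimal publish-authorization check, added here as an example and not code from verdaccio-gitlab itself, that encodes the mapping discussed above: a scope is publishable when it equals the user's username or the URL path of a top-level GitLab group they own, and unscoped names under the `**` catch-all are refused so they cannot shadow an upstream package. The function names, the user shape and the sample data are assumptions.

```javascript
// Added example (not verdaccio-gitlab's code): publish authorization derived
// from GitLab identity. Assumed user shape: { username, ownedGroups }, where
// ownedGroups holds GitLab URL paths ("frontend", "platform/tools").

// Split "@scope/name" into its parts; unscoped names get scope null.
function parsePackageName(name) {
  const m = /^(?:@([^/]+)\/)?([^/@]+)$/.exec(name);
  if (!m) return null;
  return { scope: m[1] || null, name: m[2] };
}

// Returns { allowed, reason }. Subgroup paths ("parent/child") contain a
// slash and can never equal an npm scope, so only top-level groups match.
function canPublish(user, packageName) {
  const parsed = parsePackageName(packageName);
  if (!parsed) return { allowed: false, reason: 'invalid package name' };
  if (parsed.scope === null) {
    // Nothing in the GitLab identity maps to an unscoped name; allowing it
    // would let a user overwrite a package other users fetch from upstream.
    return { allowed: false, reason: 'unscoped names are not mapped to any group' };
  }
  if (parsed.scope === user.username) {
    return { allowed: true, reason: 'scope matches username' };
  }
  if (user.ownedGroups.includes(parsed.scope)) {
    return { allowed: true, reason: 'scope matches an owned top-level group' };
  }
  return { allowed: false, reason: `user does not own group "${parsed.scope}"` };
}

// Constructed sample user for a stand-alone run.
const sampleUser = { username: 'alice', ownedGroups: ['frontend', 'platform/tools'] };
for (const pkg of ['@frontend/ui', '@alice/dotfiles', '@backend/api', 'lodash']) {
  const r = canPublish(sampleUser, pkg);
  console.log(`${pkg}: ${r.allowed ? 'allow' : 'deny'} (${r.reason})`);
}
```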