Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update devDependency verdaccio to v5 #739

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 10, 2022

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
verdaccio (source) 4.13.2 -> 5.14.0 age adoption passing confidence

Release Notes

verdaccio/verdaccio

v5.14.0

Compare Source

Features
Bug Fixes

v5.13.3

Compare Source

5.13.3 (2022-07-13)
Bug Fixes

v5.13.2

Compare Source

5.13.2 (2022-07-12)
Bug Fixes

v5.13.1

Compare Source

5.13.1 (2022-06-23)
Bug Fixes

There was a regression on initial release https://github.com/verdaccio/verdaccio/issues/2141 where the location of the storage was not taken in account, hopefully does not break anything. Fixed here
and here.

v5.13.0

Compare Source

Features

Enable more algorithms for hasing password only for htpasswd plugin, crypt by default to avoid breaking changes for next major release bcrypt is highly recommended.

auth:
  htpasswd:
    file: ./htpasswd
### Maximum amount of users allowed to register, defaults to "+inf".
### You can set this to -1 to disable registration.
### max_users: 1000
### Hash algorithm, possible options are: "bcrypt", "md5", "sha1", "crypt".
    algorithm: bcrypt # by default is crypt, but is recommended use bcrypt for new installations
### Rounds number for "bcrypt", will be ignored for other algorithms.
    rounds: 10

ref https://github.com/verdaccio/monorepo/pull/580

v5.12.0

Compare Source

Features

Example

middlewares:
  audit:
    enabled: true
  '@​xlts.dev/verdaccio-prometheus-middleware':
      metricsPath: /custom/path/metrics    
Bug Fixes

v5.11.0

Compare Source

The way to use verdaccio programatically is not very friendly if you are using

const startVerdaccio = require('verdaccio'); 

as this example.

⚠️ Deprecations
  • Using verdaccio with multiples listeners display a deprecation warning
    • (runServer) forbid this and only allows the first one listener listed
  • On verdaccio 6 will be removed and will throw an error

❌ Bad

listen:
 - localhost:4873            # default value
 - http://localhost:4873     # same thing

✅ Good (on v6.0.0 won't be a list anymore)

listen: localhost:4873
🚀 Feature
runServer method to run verdaccio programatically as a promise

I am looking for a better name, feel free to drop your ideas.

On v6 https://github.com/verdaccio/verdaccio/pull/2165 this was improved and I am moving the same API to v5 so is much easier to migrate in the future.

It's a bit experimental, it does not replace the old way, so won't break anything, but allows smooth migration

There are three ways to use it:

  • No input, it will find the config.yaml as is you would run verdaccio in the console
  • With a absolute path
  • With an object (there is a catch here, see below)
    const {runServer} = require('verdaccio');
    const app = await runServer(); // default configuration
    const app = await runServer('./config/config.yaml');
    const app = await runServer({ configuration });
    app.listen(4000, (event) => {
      // do something
    });

With an object you need to add self_path, manually (it's not nice but would be a breaking change changing it now) on v6 this is not longer need it.

      const configPath = join(__dirname, './config.yaml');
      const c = parseConfigFile(configPath);
      // workaround
      // on v5 the `self_path` still exists and will be removed in v6
      c.self_path = 'foo';
      runServer(c).then(() => {});

Read more here https://verdaccio.org/docs/verdaccio-programmatically

parseConfigFile method

Exposed for easy use parse a yaml file as an object

v5.10.3

Compare Source

5.10.3 (2022-05-30)
Bug Fixes

v5.10.2

Compare Source

5.10.2 (2022-05-07)
Bug Fixes

v5.10.1

Compare Source

5.10.1 (2022-05-05)
Bug Fixes

v5.10.0

Compare Source

Features
🌞 Initial new set of variables to hide features (more to come)

Add set of new variables that allow hide different parts of the UI, buttons, footer or download tarballs. ℹ️ All are
enabled by default
.

### web:
###  login: true <-- already exist but worth the reminder
###  showInfo: true
###  showSettings: true
### In combination with darkMode you can force specific theme
###  showThemeSwitch: true
###  showFooter: true
###  showSearch: true
###  showDownloadTarball: true

If you disable showThemeSwitch and force darkMode: true the local storage settings would be
ignored and force all themes to the one in the configuration file.

Future could be extended to other parts.

🚀 Raw button to display manifest package

A new experimental feature (enabled by default), button named RAW to be able navigate on the package manifest directly on the ui, kudos to react-json-view that allows an easy integration, not configurable yet until get more feedback.

### web:
 showRaw: true <-- false to disable it

|
image
|
image
|

🧑‍🏭 Rework header buttons
  • The header has been rework, the mobile was looking broken. Now only displays login and logo (for screens smaller than 400px)
  • Removed info button in the header and moved to a dialog
  • Info dialog now contains more information about the project, license and the aid content for Ukrania 🇺🇦 now is inside of the info modal.
  • Separate settings and info to avoid collapse too much info (for mobile still need some work)
🔢 Others
  • Updated translations for several languages
🪄 What's next?
  • Next updates will be focused on improving the mobile/tablet layouts (does not look so great yet)
  • More updates on v6 (alpha release)
🐞 Bug Fixes

v5.9.0

Compare Source

Features
  • web: add a config item to web,let the developer can select whether enable the html cache (#​3110) (b30ba81)

Verdaccio cache the initial HTML render to improve performance, this might be not a required in some cases, the new property web.html_cache disable this optimization. by @​Tiny-Fendy

web:
  html_cache: false
Bug Fixes

The UI is being shared between V5 and V6 (for easy maintenance) but some features are partially enabled for V5.

The search component has been improved for V6, but for V5 is does not show all the potential but is able to display the description of the package and the latest published version on search private packages. V6 will increase ammount of information could be displayed on this component. For v6 more detail info read https://github.com/verdaccio/verdaccio/pull/3057 or install npm i -g verdaccio@6-next ⚠️ v6 is not producction ready, but have some fun.

image

v5.8.0

Compare Source

UI is customizable, read docs, https://verdaccio.org/docs/webui

If you want to hide the flag for Help Provide Humanitarian Aid to Ukraine, there it is the easy solution. On the config.yaml file.

web:
  logo: https://cdn.verdaccio.dev/logos/verdaccio-tiny.png <- or any url that you prefer
  scriptsbodyBefore:
    - '<script>document.addEventListener("DOMContentLoaded", function(){ document.querySelector("[aria-label=\"Support people affected by the war in Ukraine\"]").innerHTML= ""});</script>'    

I'd prefer if you keep it.

Features

v5.7.1

Compare Source

5.7.1 (2022-03-08)
Bug Fixes

v5.7.0

Compare Source

Bug Fixes

Display CJS icon for commonJS packages, TS for those packages that have types

2022-03-04_19-46

Feature

Disable colors from logging, also could use EXPERIMENTAL_VERDACCIO_LOGGER_COLORS environment variable

logs:
  { type: stdout, format: pretty, level: http, colors: false }

v5.6.2

Compare Source

5.6.2 (2022-02-26)
New Feature

It display bagets if the package provides types, ES6 modules or strictly common.js

// package.json
"types: "some string"
"module": "commonjs" or "module"

2022-02-26_20-54

Bug Fixes

v5.6.1

Compare Source

5.6.1 (2022-02-26)
Bug Fixes

v5.6.0

Compare Source

Features

Add option to set storage from environment variable VERDACCIO_STORAGE_PATH to replace the config.yaml storage property.

#### config.yaml
 storage: ./storage <--- replace this
Bug Fixes

v5.5.2

Compare Source

5.5.2 (2022-01-27)
Bug Fixes

v5.5.1

Compare Source

5.5.1 (2022-01-24)
Bug Fixes

v5.5.0

Compare Source

Features

TL;DR

Web User Interface Improvements

The current user interface for this version is exactly the same used on the next major release, the verdaccio/ui repository has been archived, one single UI is much easier to maintain and also to share features between the future major release and the stable one.

The translations were migrated from the source code to the crowdin platform for the User interface which ensure repeated words are not translated twice and also crowding provides a nice interface for contributions, the latest translations are pulled on every release automcatically.

  • Add new options to the web disable login and pkg managers (#​2947) (1a7b1ee)

    • Users are able to select which package managers you want to enabled on the web user interface ref #​2226
    • Users are able to enable/disable login on web and endpoints option ref #​2228 (this is another security layer which some users might be interested to disable)
web:
  pkgManagers:
    - npm
    - yarn
    - pnpm
  login: true      
Improve language switch ui and package manager info
  • Remove the language switch as autocomplete, add info how to contribute to translations
  • Convert info dialog to be able host more information, learn how to use registry with Yarn 2 and add links to documentation.

2022-01-22_13-17
2022-01-20_22-09

Bug Fixes

⚠️ The marked dependency has been updated to v4 which was marked a security upgrade through the @verdaccio/readme dependency.

Announcements

The next month is the talk at Node.js Congress 2022, you can craft your own badge 😊 here, please share it with your colleagues and 👍🏼 if you want like this tweet.

Screenshot 2022-01-22 165430

v5.4.0

Compare Source

Features

add cache-control header to endpoints (#​2791) (fd3ad1e)

Some npm commands has a response the token as the body, to void cache those responses we add Cache-Control as response header.

add rate limit to user api endpoints (#​2800) (#​2799) (f64e403)

Add default rate limit to user endpoints, npm token, npm profile, npm loding/adduser to 100 request peer 15 min, customizable via

userRateLimit:
  windowMs: 50000
  max: 1000

Also X-RateLimit is part of the response headers.

curl -v http://localhost:4873/-/user/test
...
> 
< HTTP/1.1 200 OK
< X-Powered-By: foooo
< Access-Control-Allow-Origin: *
< X-RateLimit-Limit: 1000
< X-RateLimit-Remaining: 999
< Date: Fri, 24 Dec 2021 18:27:20 GMT
< X-RateLimit-Reset: 1640371089
< Content-Type: application/json; charset=utf-8
< ETag: "9bc0d4158c3e2ac5822d39f55e5ceb05"
< Content-Length: 51
< Vary: Accept-Encoding
< Connection: keep-alive
< Keep-Alive: timeout=60
add rate limit to web endpoints (#​2799) (c91d6be) (#​2803) (5b1264c)

The web endpoints that retrieve data from the cache are limited by default 5k request peer 15 min and customizable if your need exceeds the defautls.

web:
  title: Verdaccio
  rateLimit:
    windowMs: 50000
    max: 1000
JWT web signature default time reduced to 1 hour (#​2787) (1c17d09)

The JWT token for web has been reduced from 7 days to 1 hour for security reasons. To restore the previous time, use configuration.

User agent is the client by default (#​2793) (e5d79ce)

The user_agent property has been part of the config file, but undocumented, previous versions send the header User-Agent was something like Verdaccio/5.x.x. After this version is disabled and forward the one that comes from the client, also disable 'X-Powered-By by default. The new user_agent allows re-enable this feature by using true or craft your own user agent.

user_agent: true
user_agent: false
user_agent: 'custom user agent'

Bug Fixes

by @​juanpicado @​Splaktar

v5.3.2

Compare Source

5.3.2 (2021-12-16)
Bug Fixes

v5.3.1

Compare Source

5.3.1 (2021-12-11)
Bug Fixes

v5.3.0

Compare Source

⚠️ Released as minor to avoid conflicts with a v5.2.3 which was a mistake 😊 I had to deprecate just in case you notice there is a version in the middle.

Bug Fixes

v5.2.3

Compare Source

v5.2.2

Compare Source

5.2.2 (2021-11-08)
Bug Fixes

v5.2.1

Compare Source

5.2.1 (2021-11-08)
Bug Fixes

v5.2.0

Compare Source

Features
Bug Fixes

v5.1.6

Compare Source

5.1.6 (2021-09-21)
Bug Fixes

v5.1.5

Compare Source

5.1.5 (2021-09-17)
Bug Fixes

v5.1.4

Compare Source

5.1.4 (2021-09-07)
Bug Fixes

v5.1.3

Compare Source

5.1.3 (2021-08-20)
Bug Fixes

v5.1.2

Compare Source

@​@​ -0,0 +1,2048 @​@​

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.1.2 (2021-07-14)
Bug Fixes

v5.1.1

Compare Source

5.1.1 (2021-06-12)
Bug Fixes

v5.1.0

Compare Source

Features
Bug Fixes

v5.0.4

Compare Source

@​@​ -0,0 +1,2013 @​@​

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.0.4 (2021-04-28)

v5.0.3

Compare Source

@​@​ -0,0 +1,2006 @​@​

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.0.3 (2021-04-27)
Bug Fixes
5.0.2 (2021-04-27)
Bug Fixes
5.0.1 (2021-04-10)
Bug Fixes

5.0.0 (2021-04-09)

Features

5.0.0-alpha.7 (2021-04-08)

Bug Fixes

5.0.0-alpha.6 (2021-04-06)

5.0.0-alpha.5 (2021-04-03)

5.0.0-alpha.4 (2021-04-03)

Features

5.0.0-alpha.3 (2021-04-02)

Features

5.0.0-alpha.2 (2021-03-31)

Bug Fixes

5.0.0-alpha.1 (2021-03-30)

Features

5.0.0-alpha.0 (2021-03-29)

⚠ BREAKING CHANGES
  • npm token support revisited and enabled by default (#​2145)
  • drop node 8 and node 10 (#​2142)
Features

4.12.0 (2021-03-17)

Features
4.11.3 (2021-03-06)
Bug Fixes
4.11.2 (2021-03-04)
Bug Fixes
4.11.1 (2021-02-25)
Bug Fixes
  • upgrade Node from 14.15 to 14.16 for security fixes ([#​2104](https://t

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the renovate label Aug 10, 2022
@renovate renovate bot requested a review from ecraig12345 August 10, 2022 23:50
@ecraig12345
Copy link
Member

Closing since this will require some manual fixes and isn't a high priority right now

@renovate
Copy link
Contributor Author

renovate bot commented Aug 17, 2022

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 5.x releases. But if you manually upgrade to 5.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/verdaccio-5.x branch August 17, 2022 22:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant