Release 3.0.0-rc.66

fix: download row create error (#1749 )
> 包名超长时，更新下载记录接口会无限重试 * 更新下载记录前，先判断当前包名是否存在 ------------- > When the package name is too long, the update download record interface will retry indefinitely. * Check pkg exists, before updating the download record.
2023-03-25 21:41:57 +08:00 · 2023-03-25 21:40:50 +08:00 · 2023-02-06 14:09:25 +08:00 · 2023-02-06 14:08:42 +08:00 · 2022-10-31 23:17:24 +08:00 · 2022-10-31 23:15:56 +08:00
107 changed files with 5223 additions and 674 deletions
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -0,0 +1,52 @@
+# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+
+name: Node.js CI
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  schedule:
+    - cron: '0 2 * * *'
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+
+    services:
+      mysql:
+        image: mysql:5.7
+        env:
+          MYSQL_ALLOW_EMPTY_PASSWORD: true
+          MYSQL_DATABASE: cnpmjs_test
+        ports:
+          - 3306:3306
+        options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=5
+
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: [14, 16]
+        os: [ubuntu-latest]
+
+    steps:
+    - name: Checkout Git Source
+      uses: actions/checkout@v2
+
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v1
+      with:
+        node-version: ${{ matrix.node-version }}
+
+    - name: Install Dependencies
+      run: npm i -g npminstall && npminstall
+
+    - name: Continuous Integration
+      run: npm run ci
+
+    - name: Code Coverage
+      uses: codecov/codecov-action@v1
+      with:
+        token: ${{ secrets.CODECOV_TOKEN }}
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,10 +0,0 @@
-sudo: false
-language: node_js
-node_js:
-  - '8'
-  - '10'
-addons:
-  - postgresql: '9.3'
-script: 'make test-travis-all'
-after_script:
-  - 'npm i codecov && codecov'
--- a/2
+++ b/2
@@ -12,7 +12,7 @@ WORKDIR ${CNPM_DIR}

 COPY package.json ${CNPM_DIR}

-RUN npm set registry https://registry.npm.taobao.org
+RUN npm set registry https://registry.npmmirror.com

 RUN npm install --production

--- a/History.md
+++ b/History.md
@@ -1,4 +1,201 @@

+3.0.0-rc.66 / 2023-03-25
+==================
+
+**features**
+  * [[`a289d7d`](http://github.com/cnpm/cnpmjs.org/commit/a289d7dd5ec4881e86c6f500c72cab134388782b)] - feat: ignore sync private pkg (#1747) (elrrrrrrr <<elrrrrrrr@gmail.com>>)
+  * [[`af9f5f7`](http://github.com/cnpm/cnpmjs.org/commit/af9f5f749979d1f389d61e98eab7dfbf639c995b)] - feat: add changes delay (#1739) (elrrrrrrr <<elrrrrrrr@gmail.com>>)
+
+**fixes**
+  * [[`6769a46`](http://github.com/cnpm/cnpmjs.org/commit/6769a46d71508a24f4e2d4dc14aa4aebd826bf38)] - fix: download row create error (#1749) (elrrrrrrr <<elrrrrrrr@gmail.com>>)
+
+3.0.0-rc.63 / 2022-08-31
+==================
+
+**features**
+  * [[`1964d66`](http://github.com/cnpm/cnpmjs.org/commit/1964d66abf3a78bc97022db2bfd1b88fa2c1fa37)] - feat: remove block version changes (#1737) (elrrrrrrr <<elrrrrrrr@gmail.com>>)
+
+3.0.0-rc.62 / 2022-07-28
+==================
+
+**features**
+  * [[`d8b5c9f`](http://github.com/cnpm/cnpmjs.org/commit/d8b5c9f7a9a4648460415936e492ee0bb9cba9b0)] - feat: add changes api (#1734) (elrrrrrrr <<elrrrrrrr@gmail.com>>)
+  * [[`f52e9c3`](http://github.com/cnpm/cnpmjs.org/commit/f52e9c3382ef3583a9cac9be5510e11a3ab17b8c)] - feat: support sync private package from define registry (#1701) (XXBeii <<36651530+XXBeii@users.noreply.github.com>>)
+  * [[`97d501c`](http://github.com/cnpm/cnpmjs.org/commit/97d501c088aee43af30e31aef279b3036a7cc5f7)] - feat: support bug-versions on server (#1684) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`3c5bc9d`](http://github.com/cnpm/cnpmjs.org/commit/3c5bc9dc5ef46c567e718705d18edc1f57009b5e)] - feat: support package version block list (#1683) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`abc1723`](http://github.com/cnpm/cnpmjs.org/commit/abc1723bef5eb12168d084cc16916998288e879b)] - feat: support dist.integrity (#1677) (fengmk2 <<fengmk2@gmail.com>>)
+
+**fixes**
+  * [[`4d534ca`](http://github.com/cnpm/cnpmjs.org/commit/4d534cad024f08923b7d4df57d87d14fa96a975a)] - fix: listModulesByUser map error (#1731) (Ke Wu <<gemwuu@163.com>>)
+  * [[`b7bbf84`](http://github.com/cnpm/cnpmjs.org/commit/b7bbf84ea31b5c15a48edd596bbb87a72f7de595)] - fix: add missing config property for bug-versions (#1685) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`74d408d`](http://github.com/cnpm/cnpmjs.org/commit/74d408d006b1c7a08283b178e842ef98f850fcf2)] - fix: database dialect config detect error (#1503) (alsotang <<alsotang@gmail.com>>)
+  * [[`37ba629`](http://github.com/cnpm/cnpmjs.org/commit/37ba6290284f260230e6d4461311bb8739088191)] - fix: get count missing name (#1674) (Solais <<924615994@qq.com>>)
+
+**others**
+  * [[`f8bcca1`](http://github.com/cnpm/cnpmjs.org/commit/f8bcca1ea0c0ad952fffd0539b625de69b9099f0)] - 🐛 FIX: path url maybe encode (#1729) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`8663e21`](http://github.com/cnpm/cnpmjs.org/commit/8663e215f038b812b74948e28a05b704d5d7780c)] - 🐛 FIX: Should show sync button on scoped package not exists (#1728) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`8573c4a`](http://github.com/cnpm/cnpmjs.org/commit/8573c4a600077585681ac1eddcebc4b2abff4f8e)] - 📖 DOC: DEPRECATED, please use https://github.com/cnpm/cnpmcore instead (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`83497f2`](http://github.com/cnpm/cnpmjs.org/commit/83497f20521dd5016c119500aff0ccb64cf5a929)] - 👌 IMPROVE: Return libc field on abbreviated manifests (#1721) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`1e0f7e0`](http://github.com/cnpm/cnpmjs.org/commit/1e0f7e06bb7df40f1dca309b7e8e533130293ab6)] - 📖 DOC: Modify comments (#1710) (AN <<455454007@qq.com>>)
+  * [[`e682e7a`](http://github.com/cnpm/cnpmjs.org/commit/e682e7a0a39f750c61d7a2a46de862d118e61e73)] - 📖 DOC: Update contributors (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`19e5c3d`](http://github.com/cnpm/cnpmjs.org/commit/19e5c3def257f4ceab3256a1c9d615d002c5fe49)] - chore: Add license scan report and status (#1708) (fossabot <<badges@fossa.io>>)
+  * [[`9f8dca4`](http://github.com/cnpm/cnpmjs.org/commit/9f8dca4ac0292ba87c59149972f0f635bd17ec37)] - refactor: Sync exists package from cnpmcore changes stream (#1707) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`f2c4b9f`](http://github.com/cnpm/cnpmjs.org/commit/f2c4b9f1c8d0b97b0b1890ac3aec058a99f0b224)] - 📖 DOC: Use git-contributor instead (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`ac07b21`](http://github.com/cnpm/cnpmjs.org/commit/ac07b215a73f80aa11e9631d3e6c9be4c4db87a2)] - 🐛 FIX: Support new bson logId (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`559d5ba`](http://github.com/cnpm/cnpmjs.org/commit/559d5baccfc3f5fa582461856f7048927aac3f23)] - 📦 NEW: sync web support webDataRemoteRegistry (#1697) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`e5c5179`](http://github.com/cnpm/cnpmjs.org/commit/e5c5179e9e12be054aa733a5b0befbb064f32a44)] - 📦 NEW: Support set registry to new cnpmcore registry (#1696) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`ad622d5`](http://github.com/cnpm/cnpmjs.org/commit/ad622d55e384743b48e79bb6aec574a7f354ee9f)] - chore: update contributors (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`c6973a9`](http://github.com/cnpm/cnpmjs.org/commit/c6973a98cef8207b56219e1b813575f7efe13653)] - fix(db.sql): use utf8mb4 on description column (#1681) (hellojukay <<hellojukay@163.com>>)
+  * [[`f22a3e7`](http://github.com/cnpm/cnpmjs.org/commit/f22a3e7370792eef1c7b613188411af2354e59a6)] - refactor: dist tarbar url don't contains querystring (#1682) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`a49deec`](http://github.com/cnpm/cnpmjs.org/commit/a49deec3b2e1e8483801dea757c727054df34b34)] - chore: remove unused config (#1495) (alsotang <<alsotang@gmail.com>>)
+  * [[`7f0aa2a`](http://github.com/cnpm/cnpmjs.org/commit/7f0aa2ad95dedef7ec50fbebeb6df92839b42621)] - chore: update contributors (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`39cf77a`](http://github.com/cnpm/cnpmjs.org/commit/39cf77ae0f676584d93ada77c6ea61c3d044b267)] - refactor: use remote abbreviated version data (#1675) (fengmk2 <<fengmk2@gmail.com>>)
+
+3.0.0-rc.50 / 2021-11-04
+==================
+
+**features**
+  * [[`e4c3cd1`](http://github.com/cnpm/cnpmjs.org/commit/e4c3cd125ebe771ecc31b4a207ab926c13817f16)] - feat: package view add download total count (#1673) (Solais <<924615994@qq.com>>)
+  * [[`283f149`](http://github.com/cnpm/cnpmjs.org/commit/283f14976dae8ce9144d387533d1637a79c6cf12)] - feat: add missing abbreviated meta attibutes (#1668) (fengmk2 <<fengmk2@gmail.com>>)
+
+**fixes**
+  * [[`62fdbd4`](http://github.com/cnpm/cnpmjs.org/commit/62fdbd400a2259983c6793173ac8d816a732452c)] - fix: should update etag after abbreviated meta change (#1670) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`2e7354c`](http://github.com/cnpm/cnpmjs.org/commit/2e7354c647d78a41f033f2066c6eb60e270f2a6b)] - fix: allow download without scope filename (#1665) (killa <<killa123@126.com>>)
+
+3.0.0-rc.46 / 2021-09-10
+==================
+
+**fixes**
+  * [[`596bca9`](http://github.com/cnpm/cnpmjs.org/commit/596bca908ee87504dfeb3dbf463b4d9a551d9f27)] - fix: fs-cnpm on dockerize config (#1656) (wxhuang <<wxhuang1985@gmail.com>>)
+  * [[`bbae9d3`](http://github.com/cnpm/cnpmjs.org/commit/bbae9d3bc3a565a59c397a63c4301272ac4509e9)] - fix: new publish with token should add user to maintainers (#1662) (killa <<killa123@126.com>>)
+
+3.0.0-rc.45 / 2021-07-28
+==================
+
+**features**
+  * [[`d28af7f`](http://github.com/cnpm/cnpmjs.org/commit/d28af7fd7e1bf530ad2e5a73fa5a54d2caf5cf9b)] - feat: support custom tokenService (#1658) (killa <<killa123@126.com>>)
+
+**others**
+  * [[`e258241`](http://github.com/cnpm/cnpmjs.org/commit/e2582417fa06a82c2fbb4d08eaf764465683a00b)] - remove maintainers logic (#1654) (Solais <<924615994@qq.com>>)
+3.0.0-rc.44 / 2021-06-11
+==================
+
+**features**
+  * [[`a1e8a82`](https://github.com/cnpm/cnpmjs.org/commit/a1e8a8289276275b995d15b3c254fbdbace6dbae)] - feat: impl npm owner hooks (#1645) (killa <<killa123@126.com>>)
+
+3.0.0-rc.43 / 2021-05-36
+==================
+
+**features**
+  * [[`a21aed0`](https://github.com/cnpm/cnpmjs.org/commit/a21aed08c5fe1ea09f4fda157ac3c12bd609781d)] - feat: impl sync to/from backup files (#1612) (killa <<killa123@126.com>>)
+
+**fixes**
+  * [[`2245dc2`](https://github.com/cnpm/cnpmjs.org/commit/2245dc2967ec070b8bcc618ebfad0cd4cd297fb8)] - feat: impl accelerate request (#1637) (killa <<killa123@126.com>>)
+
+3.0.0-rc.42 / 2021-04-30
+==================
+
+**features**
+  * [[`a21aed0`](https://github.com/cnpm/cnpmjs.org/commit/a21aed08c5fe1ea09f4fda157ac3c12bd609781d)] - feat: impl sync to/from backup files (#1612) (killa <<killa123@126.com>>)
+
+3.0.0-rc.39 / 2021-01-14
+==================
+
+**features**
+  * [[`33dd355`](http://github.com/cnpm/cnpmjs.org/commit/33dd3554f5daf13de33f04128be6853ce120636f)] - feat: impl dist-tag hooks (#1612) (killa <<killa123@126.com>>)
+
+3.0.0-rc.38 / 2021-01-12
+==================
+
+**features**
+  * [[`c6040b`](http://github.com/cnpm/cnpmjs.org/commit/1c6040bc95610e23b4756baa09e8119cda2fe01e)] - performance: optimise query pkg latestModified  (#1611) (killa <<killa123@126.com>>)
+
+
+3.0.0-rc.37 / 2020-10-21
+==================
+
+**features**
+  * [[`39c3223`](http://github.com/cnpm/cnpmjs.org/commit/39c322332ffafc512bf56c1679d2904fece2ae07)] - feat: new registry api (#1597) (killa <<killa123@126.com>>)
+  * [[`45f2f8b`](http://github.com/cnpm/cnpmjs.org/commit/45f2f8b31f095eeadf0f47e234d6eb225e6b197f)] - feat: impl registry token api (#1590) (killa <<killa123@126.com>>)
+  * [[`e97835f`](http://github.com/cnpm/cnpmjs.org/commit/e97835f7020e945e59fa7a84b14ab58c580add1e)] - feat: support custom web middlewares (#1563) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`3cb3fe0`](http://github.com/cnpm/cnpmjs.org/commit/3cb3fe02f01dd669ad4bd3aebca51c44eb9e5938)] - feat: list all package versions by date (#1557) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`a8ff647`](http://github.com/cnpm/cnpmjs.org/commit/a8ff647aa0f73076f4625e395e5da8ced9f61680)] - feat: retry sync fail on cnpm registry (#1547) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`2c511f2`](http://github.com/cnpm/cnpmjs.org/commit/2c511f2209329e95b0cbe7603fa98a7f93c66474)] - feat: add unpublishRemoveTarball mode (#1536) (Khaidi Chu <<i@2333.moe>>)
+  * [[`19563f5`](http://github.com/cnpm/cnpmjs.org/commit/19563f58517ffaebed8006630bd467f15b71d9ff)] - feat: allow to disable npm audits proxy (#1430) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`8e2367e`](http://github.com/cnpm/cnpmjs.org/commit/8e2367ee1676bd36a4112cf0f6dce2c4f422806e)] - feat: dont check db data on tgz download request (#1477) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`be05886`](http://github.com/cnpm/cnpmjs.org/commit/be05886452803d46f614bdde497ccdec8e9ed734)] - feat: add vary header on cdn (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`ea46399`](http://github.com/cnpm/cnpmjs.org/commit/ea46399265615c70ee33d9cab9ba5d5ce312fb67)] - feat: allow disable search page (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`581925d`](http://github.com/cnpm/cnpmjs.org/commit/581925db9733d295be02e75f0090db05fd6bae75)] - feat: support cache-control header on registry request (#1468) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`7f0c141`](http://github.com/cnpm/cnpmjs.org/commit/7f0c141ac2f7679b5322aadd537c5ff1bef0b032)] - feat: allow config request protocol (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`807187e`](http://github.com/cnpm/cnpmjs.org/commit/807187ebeb0b266828a59724234e1a99c3238eb3)] - feat: add redis cache to import list all versions api perf (#1441) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`99c4c3f`](http://github.com/cnpm/cnpmjs.org/commit/99c4c3fe35a9fde805751ef3d44413413f053f45)] - feat: support customized middlewares (#1436) (Khaidi Chu <<i@2333.moe>>)
+  * [[`4b57c11`](http://github.com/cnpm/cnpmjs.org/commit/4b57c118a0b044f41b1c98eaf92449221c984c15)] - feat: can override tgz download options (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`b395c66`](http://github.com/cnpm/cnpmjs.org/commit/b395c666be3ae6b237803239fae8678647f3b70b)] - feat: proxy npm audit request (#1419) (alsotang <<alsotang@gmail.com>>)
+  * [[`a4a25f9`](http://github.com/cnpm/cnpmjs.org/commit/a4a25f9e381aa20e1ef1e709f320aae41f3ae466)] - feat: use faster etag instead of koa-etag (#1409) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`90580a7`](http://github.com/cnpm/cnpmjs.org/commit/90580a72e56c69f8f03bbdb64d79b4b1b139fbbf)] - feat: configurable view directory (#1400) (Khaidi Chu <<i@2333.moe>>)
+  * [[`ad2d341`](http://github.com/cnpm/cnpmjs.org/commit/ad2d341d2c9317b062a25363f4805aedfef3913b)] - feat: sync downloads total <= 10000 unpublish package (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`25a9030`](http://github.com/cnpm/cnpmjs.org/commit/25a90300473e6ac437e393de139cebde1e354e8c)] - feat: allow to close mysql trace (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`017af69`](http://github.com/cnpm/cnpmjs.org/commit/017af69cce23c870694d124f4a865864e5c061cd)] - feat: add badgeService define on config (#1387) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`842c031`](http://github.com/cnpm/cnpmjs.org/commit/842c0316ede2b19b76d9c1ca790902de467c82e9)] - feat: show versions list on package page (#1386) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`bd87907`](http://github.com/cnpm/cnpmjs.org/commit/bd87907b69d3e65aa544930b5c7f04e75bdbc773)] - feat: auto retry if download tgz error (#1363) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`533c27f`](http://github.com/cnpm/cnpmjs.org/commit/533c27fa78323ee50fcd549115034915ea3017ef)] - feat: support nfs.url return multi urls (#1344) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`e61c7fa`](http://github.com/cnpm/cnpmjs.org/commit/e61c7fa32bdc54ef4474a071da686c70e512b009)] - feat: support pass through querystring to tgz url (#1334) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`34d3a1e`](http://github.com/cnpm/cnpmjs.org/commit/34d3a1eabe927dc5c8c87436e2b644c70a7abc2a)] - feat: auto sync delete packages which deleted in 24 hours (#1315) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`4210b7b`](http://github.com/cnpm/cnpmjs.org/commit/4210b7bdf8bfe8dfa2578802fd1d14e7411d4ea6)] - feat: can config to not sync deleted versions (#1282) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`56c9457`](http://github.com/cnpm/cnpmjs.org/commit/56c945740f545abe9ba55759f6b1502a3abc453d)] - feat: let opensearch host can be config (#1258) (fengmk2 <<fengmk2@gmail.com>>)
+
+**fixes**
+  * [[`b7089d3`](http://github.com/cnpm/cnpmjs.org/commit/b7089d33d400f9fd4fc398479d4dac5aab26b633)] - fix: set maintainer to current user if maintainer is undefined (#1592) (killa <<killa123@126.com>>)
+  * [[`2b74e00`](http://github.com/cnpm/cnpmjs.org/commit/2b74e00cb9ae20e9cf2f06c54ef8dbe6a36b4066)] - fix: release 3.0.0-rc.35 fix npm include functions dir (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`61549b4`](http://github.com/cnpm/cnpmjs.org/commit/61549b47a2f49c163bef6994f1e0f5f761317975)] - fix: avoid "ENAMETOOLONG: name too long" error (#1583) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`e7bafb2`](http://github.com/cnpm/cnpmjs.org/commit/e7bafb2ee9d80ce3ef4087a6b69bc17517f85ec5)] - fix: audit proxy test cases (#1537) (Khaidi Chu <<i@2333.moe>>)
+  * [[`92b7216`](http://github.com/cnpm/cnpmjs.org/commit/92b72169a89cec333177d1ba65205a31e60ebbb2)] - fix: maintainer permission greater than scope (#1494) (Khaidi Chu <<i@2333.moe>>)
+  * [[`f084eba`](http://github.com/cnpm/cnpmjs.org/commit/f084ebae2106c8d4435dc0385e493fe18c6cec8a)] - fix: cpu usage 100% in node@6.x (#1470) (Yiman Liu <<413893093@qq.com>>)
+  * [[`8d57216`](http://github.com/cnpm/cnpmjs.org/commit/8d572169b7293a33035257d3525c66b0abb5b679)] - fix: add cache on total (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`585f55b`](http://github.com/cnpm/cnpmjs.org/commit/585f55bbcc0ce257bfab2f0f545dd8a89c66ca49)] - fix: download url pathname (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`da2f964`](http://github.com/cnpm/cnpmjs.org/commit/da2f9640b87f1b110210b7b8caaf26b4b854ede8)] - fix: dont override exists weburl (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`b094f56`](http://github.com/cnpm/cnpmjs.org/commit/b094f5692f83700f152dd6ea9eb65f67385f6b5f)] - fix: changes stream syncer without deps (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`65bca46`](http://github.com/cnpm/cnpmjs.org/commit/65bca46f3c275bac5dc7497eb266d84605f6f8f8)] - fix: don't cache npm_service.cnpmjs.org request (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`f9d4858`](http://github.com/cnpm/cnpmjs.org/commit/f9d4858862a4b70cb989c3c60478c2424ca2c139)] - fix: avoid toString as downloads count key (#1438) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`8a2f744`](http://github.com/cnpm/cnpmjs.org/commit/8a2f744749fc9f1297ff298fafe14deacf67efea)] - fix: don't update __all__ downloads every times (#1417) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`9bdb695`](http://github.com/cnpm/cnpmjs.org/commit/9bdb695375a800464636d70981f433b7a11dd82d)] - fix: proxy to source registry when package is public scoped with encoded path (#1415) (Albert Zhang <<label4king@163.com>>)
+  * [[`8bd0a2d`](http://github.com/cnpm/cnpmjs.org/commit/8bd0a2d49195734afa988cce69804d8540bbda19)] - fix: swap compress middleware and notFound position (#1413) (alsotang <<alsotang@gmail.com>>)
+  * [[`93d5def`](http://github.com/cnpm/cnpmjs.org/commit/93d5def8ac8882edbd526e5a7341e07c99463b25)] - fix: show package when non-semver version of semver tag (#1411) (Khaidi Chu <<i@2333.moe>>)
+  * [[`6a8434e`](http://github.com/cnpm/cnpmjs.org/commit/6a8434e0cae391981579af1a0b533aff0008904f)] - fix: Don't display sync info when the sync mode is none (#1410) (XingKai Zhang <<jack_zhxk@163.com>>)
+  * [[`4a3a851`](http://github.com/cnpm/cnpmjs.org/commit/4a3a851256483d438753b154d80d28c12c1d625c)] - fix: use <%- instead of <%= in user profile page (#1404) (Khaidi Chu <<i@2333.moe>>)
+  * [[`3497bae`](http://github.com/cnpm/cnpmjs.org/commit/3497bae2b94237664716911de965a4b27afc083a)] - fix: Obfuscate email address (#1391) (Ankur Kumar <<ankurk91@users.noreply.github.com>>)
+  * [[`9b8491b`](http://github.com/cnpm/cnpmjs.org/commit/9b8491b736ebcb98df02d26c41334cf7fce306dc)] - fix: use https://cdn.staticfile.org (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`fc79930`](http://github.com/cnpm/cnpmjs.org/commit/fc799304d8c6710e71364bdf1d1ed0961b9e8695)] - fix: should return `[done] Sync {name}` string when task finished (#1382) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`3c20267`](http://github.com/cnpm/cnpmjs.org/commit/3c20267b22491cd2ac2d751ccc459cf1f4fb0f1f)] - fix: don't retry to save log when db error (#1381) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`5149aa5`](http://github.com/cnpm/cnpmjs.org/commit/5149aa5a1eb01dfc17f8de1cb6c6abfecca0ed96)] - fix: proxy public package from source registry (#1375) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`fc07a38`](http://github.com/cnpm/cnpmjs.org/commit/fc07a38bde81bd93ef9067f3aacb06ae8e76e12b)] - fix: make sure replicate pkg is the latest pkg (#1347) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`17f8b66`](http://github.com/cnpm/cnpmjs.org/commit/17f8b6648b2cf8cb4cf17daef2a2477f74a671e8)] - fix: retry from registry when no_db_file error on replicate (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`d1fe6ce`](http://github.com/cnpm/cnpmjs.org/commit/d1fe6cede7b5a082eabfe9eb94225c9af9399e62)] - fix: add other_urls on download dist tarball (#1345) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`8fbad39`](http://github.com/cnpm/cnpmjs.org/commit/8fbad397f3ab7177c6e6c9b458b4b0bf3d24fbd7)] - fix: use rimraf instead of fs.unlink (#1338) (Yiyu He <<dead_horse@qq.com>>)
+  * [[`0121de3`](http://github.com/cnpm/cnpmjs.org/commit/0121de31a3b7a8da38e31fca4e10d973c07d79e7)] - fix: no need to resync again (#1336) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`84a3037`](http://github.com/cnpm/cnpmjs.org/commit/84a3037d90d4b3a316752eda7440ff5c73b0872f)] - fix: avoid query too frequently (#1329) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`1f60a01`](http://github.com/cnpm/cnpmjs.org/commit/1f60a0136c5f2e4a33827d1f36b38c49e1e3dec6)] - fix: replicate request error, try to request from official registry (#1316) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`6f656a0`](http://github.com/cnpm/cnpmjs.org/commit/6f656a0736c7d1d8b58288ff97590d7cb1317ecd)] - fix: save sync last time when successes > 1000 (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`1b30146`](http://github.com/cnpm/cnpmjs.org/commit/1b30146e94e7e72f9e762947b1ecdbd176d64532)] - fix: npm >= v5.5.0 login need not `email` (#1275) (#1304) (wmzy <<1256573276@qq.com>>)
+  * [[`820ae23`](http://github.com/cnpm/cnpmjs.org/commit/820ae23454f0f9755456681f3ced03e634cb3109)] - fix: control sync frequency (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`bfb29f8`](http://github.com/cnpm/cnpmjs.org/commit/bfb29f82c967cb68f4de3a314200d95a8c59baff)] - fix: use _npmUser reset the maintainers (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`95aa035`](http://github.com/cnpm/cnpmjs.org/commit/95aa035a275089b50dfc2590497e3bc7319f4f6b)] - fix: make sure maintainers exists on sync worker (liang feng <<anhulife@gmail.com>>)
+  * [[`6c69a38`](http://github.com/cnpm/cnpmjs.org/commit/6c69a38a508812f0320866d70b555de02e1fc204)] - fix: if replicate error, retry from official registry (#1230) (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`43ffa99`](http://github.com/cnpm/cnpmjs.org/commit/43ffa995cb8a724e8cd04224c2f137d407bfe014)] - fix: "start" should wait for "stop" to remove the pid file(using Promise) (#1220) (cloudstone <<baby31529@gmail.com>>)
+  * [[`6c019de`](http://github.com/cnpm/cnpmjs.org/commit/6c019de514c9f4a62db1a1814ca2359408609074)] - fix: changes_stream_syncer log url should not contain sync_upstream=true (fengmk2 <<fengmk2@gmail.com>>)
+
+**others**
+  * [[`522ad11`](http://github.com/cnpm/cnpmjs.org/commit/522ad11124f168788b28dd925417ae37eb9d3991)] - update readme for now situation (#1506) (alsotang <<alsotang@gmail.com>>)
+  * [[`0c59791`](http://github.com/cnpm/cnpmjs.org/commit/0c59791e50ef9d3080d5a2ab3e24b5899bd91446)] - Release Release 3.0.0-rc.19 (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`79fb163`](http://github.com/cnpm/cnpmjs.org/commit/79fb163a3b12f1b9c4c9eafad7f2041e7c4c4dbf)] - chore: README fix typo ( not to use plural for code ) (#1448) (Paul Verest <<enide.github@gmail.com>>)
+  * [[`be00b65`](http://github.com/cnpm/cnpmjs.org/commit/be00b6557359d328c851e538827d6c681c2c3416)] - refactor: add detail message to error and keep reason (#1445) (alsotang <<alsotang@gmail.com>>)
+  * [[`f7e9670`](http://github.com/cnpm/cnpmjs.org/commit/f7e9670025c6e7f09d8aa88c676938a2cf4849b5)] - Release Release 3.0.0-rc.14 (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`d0c3f1b`](http://github.com/cnpm/cnpmjs.org/commit/d0c3f1b19e46e73ce389e78413304a1542811b5f)] - test: shouldjs change from getter to function call (#1420) (alsotang <<alsotang@gmail.com>>)
+  * [[`d889eba`](http://github.com/cnpm/cnpmjs.org/commit/d889ebafbd6ff1bc15fbf277fd8e143a57e6cac6)] - deps: use agentkeepalive@4 (fengmk2 <<fengmk2@gmail.com>>)
+  * [[`938a14d`](http://github.com/cnpm/cnpmjs.org/commit/938a14d0a13b711c7b91d795151a7266b0a43c5a)] - chore: Hall of Fame integration on README (#1388) (Gwenael Pluchon <<gwenael.pluchon+github@gmail.com>>)
+  * [[`26d7147`](http://github.com/cnpm/cnpmjs.org/commit/26d7147562a1ae21db8bfec26983daf311353d96)] - refactor: normalize database structure (#1376) (Khaidi Chu <<i@2333.moe>>)
+  * [[`5334375`](http://github.com/cnpm/cnpmjs.org/commit/53343751f7c0a34ea0a346172bff0818d27864dd)] - chore: add latest-3 tag (fengmk2 <<fengmk2@gmail.com>>)
+
 3.0.0-alpha.8 / 2017-06-15
 ==================

--- a/8
+++ b/8
@@ -1,6 +1,6 @@
 TESTS = $(shell ls -S `find test -type f -name "*.test.js" -print`)
 REPORTER = spec
-TIMEOUT = 60000
+TIMEOUT = 600000
 MOCHA_OPTS =
 DB = sqlite

@@ -11,8 +11,8 @@ init-database:
 	@NODE_ENV=test node test/init_db.js

 init-mysql:
-	@mysql -uroot -e 'DROP DATABASE IF EXISTS cnpmjs_test;'
-	@mysql -uroot -e 'CREATE DATABASE cnpmjs_test;'
+	@mysql -uroot -h 127.0.0.1 --port 3306 -e 'DROP DATABASE IF EXISTS cnpmjs_test;'
+	@mysql -uroot -h 127.0.0.1 --port 3306 -e 'CREATE DATABASE cnpmjs_test;'

 init-pg:
 	@psql -c 'DROP DATABASE IF EXISTS cnpmjs_test;'
@@ -61,7 +61,7 @@ test-cov-mysql: init-mysql
 	@$(MAKE) test-cov DB=mysql

 test-travis: init-database
-	@NODE_ENV=test DB=${DB} CNPM_SOURCE_NPM=https://registry.npmjs.com CNPM_SOURCE_NPM_ISCNPM=false \
+	@NODE_ENV=test DB=${DB} \
 		node \
 		node_modules/.bin/istanbul cover \
 		node_modules/.bin/_mocha \
--- a/README.md
+++ b/README.md
@@ -1,16 +1,21 @@
+# ‼️ ‼️ ‼️ ‼️ DEPRECATED, please use https://github.com/cnpm/cnpmcore instead ‼️ ‼️ ‼️ ‼️
+# ‼️ ‼️ ‼️ ‼️ DEPRECATED, please use https://github.com/cnpm/cnpmcore instead ‼️ ‼️ ‼️ ‼️
+# ‼️ ‼️ ‼️ ‼️ DEPRECATED, please use https://github.com/cnpm/cnpmcore instead ‼️ ‼️ ‼️ ‼️
+
+------
+
 cnpmjs.org
 =======

 [![npm version][npm-image]][npm-url]
-[![build status][travis-image]][travis-url]
+[![Node.js CI](https://github.com/cnpm/cnpmjs.org/actions/workflows/nodejs.yml/badge.svg)](https://github.com/cnpm/cnpmjs.org/actions/workflows/nodejs.yml)
 [![Test coverage][codecov-image]][codecov-url]
 [![Known Vulnerabilities][snyk-image]][snyk-url]
 [![npm download][download-image]][download-url]
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fcnpm%2Fcnpmjs.org.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fcnpm%2Fcnpmjs.org?ref=badge_shield)

 [npm-image]: http://cnpmjs.org/badge/v/cnpmjs.org.svg?style=flat-square
 [npm-url]: http://cnpmjs.org/package/cnpmjs.org
-[travis-image]: https://img.shields.io/travis/cnpm/cnpmjs.org.svg?style=flat-square
-[travis-url]: https://travis-ci.org/cnpm/cnpmjs.org
 [codecov-image]: https://codecov.io/gh/cnpm/cnpmjs.org/branch/master/graph/badge.svg
 [codecov-url]: https://codecov.io/gh/cnpm/cnpmjs.org
 [snyk-image]: https://snyk.io/test/npm/cnpmjs.org/badge.svg?style=flat-square
@@ -30,7 +35,8 @@ Our goal is to provide a low cost maintenance, easy to use, and easy to scale so
 ## What can you do with `cnpmjs.org`?

 * Build a private npm for your own enterprise. ([alibaba](http://www.alibaba.com/) is using `cnpmjs.org` now)
-* Build a npm mirror. (we use it to build a mirror in China: [https://npm.taobao.org/](https://npm.taobao.org/))
+* Build a npm mirror. (we use it to build a mirror in China: [https://npmmirror.com/](https://npmmirror.com/))
+* Use the private npm service provided by Alibaba Cloud DevOps which build with cnpm. [https://packages.aliyun.com/](https://packages.aliyun.com/?channel=pd_cnpm_github)

 ## Features

@@ -65,7 +71,7 @@ you only need to change the registry in client config.

 * [node](http://nodejs.org) >= 8.0.0
 * Databases: only required one type
-  * [sqlite3](https://npm.taobao.org/package/sqlite3) >= 3.0.2, we use `sqlite3` by default
+  * [sqlite3](https://npmmirror.com/package/sqlite3) >= 3.0.2, we use `sqlite3` by default
  * [MySQL](http://dev.mysql.com/downloads/) >= 5.6.16, include `mysqld` and `mysql cli`. I test on `mysql@5.6.16`.
  * MariaDB
  * PostgreSQL
@@ -156,23 +162,27 @@ $docker volume inspect cnpmjsorg_cnpm-db-volume

 Tips: make sure your code is following the [node-style-guide](https://github.com/felixge/node-style-guide).

-## Top contributors
-
-
-[![0](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/images/0)](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/links/0)
-[![1](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/images/1)](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/links/1)
-[![2](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/images/2)](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/links/2)
-[![3](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/images/3)](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/links/3)
-[![4](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/images/4)](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/links/4)
-[![5](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/images/5)](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/links/5)
-[![6](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/images/6)](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/links/6)
-[![7](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/images/7)](https://sourcerer.io/fame/fengmk2/cnpm/cnpmjs.org/links/7)
-
-
 ## Sponsors

- [![阿里云](https://static.aliyun.com/images/www-summerwind/logo.gif)](http://click.aliyun.com/m/4288/) (2016.2 - now)
+- [![阿里云](https://static.aliyun.com/images/www-summerwind/logo.gif)](http://click.aliyun.com/m/4288/) [![阿里云云效](https://img.alicdn.com/tfs/TB116yt3fb2gK0jSZK9XXaEgFXa-106-20.png)](https://devops.aliyun.com/?channel=pd_cnpm_github) (2016.2 - now)

 ## License

 [MIT](LICENSE.txt)
+
+<!-- GITCONTRIBUTOR_START -->
+
+## Contributors
+
+|[<img src="https://avatars.githubusercontent.com/u/156269?v=4" width="100px;"/><br/><sub><b>fengmk2</b></sub>](https://github.com/fengmk2)<br/>|[<img src="https://avatars.githubusercontent.com/u/985607?v=4" width="100px;"/><br/><sub><b>dead-horse</b></sub>](https://github.com/dead-horse)<br/>|[<img src="https://avatars.githubusercontent.com/u/14790466?v=4" width="100px;"/><br/><sub><b>greenkeeperio-bot</b></sub>](https://github.com/greenkeeperio-bot)<br/>|[<img src="https://avatars.githubusercontent.com/u/543405?v=4" width="100px;"/><br/><sub><b>ibigbug</b></sub>](https://github.com/ibigbug)<br/>|[<img src="https://avatars.githubusercontent.com/u/6897780?v=4" width="100px;"/><br/><sub><b>killagu</b></sub>](https://github.com/killagu)<br/>|[<img src="https://avatars.githubusercontent.com/u/1147375?v=4" width="100px;"/><br/><sub><b>alsotang</b></sub>](https://github.com/alsotang)<br/>|
+| :---: | :---: | :---: | :---: | :---: | :---: |
+|[<img src="https://avatars.githubusercontent.com/u/2842176?v=4" width="100px;"/><br/><sub><b>XadillaX</b></sub>](https://github.com/XadillaX)<br/>|[<img src="https://avatars.githubusercontent.com/u/327019?v=4" width="100px;"/><br/><sub><b>JacksonTian</b></sub>](https://github.com/JacksonTian)<br/>|[<img src="https://avatars.githubusercontent.com/u/11251401?v=4" width="100px;"/><br/><sub><b>Solais</b></sub>](https://github.com/Solais)<br/>|[<img src="https://avatars.githubusercontent.com/u/1134761?v=4" width="100px;"/><br/><sub><b>4simple</b></sub>](https://github.com/4simple)<br/>|[<img src="https://avatars.githubusercontent.com/u/6622122?v=4" width="100px;"/><br/><sub><b>21paradox</b></sub>](https://github.com/21paradox)<br/>|[<img src="https://avatars.githubusercontent.com/u/26033663?v=4" width="100px;"/><br/><sub><b>Zian502</b></sub>](https://github.com/Zian502)<br/>|
+|[<img src="https://avatars.githubusercontent.com/u/1294440?v=4" width="100px;"/><br/><sub><b>albertZhang2013</b></sub>](https://github.com/albertZhang2013)<br/>|[<img src="https://avatars.githubusercontent.com/u/6111524?v=4" width="100px;"/><br/><sub><b>ankurk91</b></sub>](https://github.com/ankurk91)<br/>|[<img src="https://avatars.githubusercontent.com/u/1935436?v=4" width="100px;"/><br/><sub><b>huangbowen521</b></sub>](https://github.com/huangbowen521)<br/>|[<img src="https://avatars.githubusercontent.com/u/5365267?v=4" width="100px;"/><br/><sub><b>gwenaelp</b></sub>](https://github.com/gwenaelp)<br/>|[<img src="https://avatars.githubusercontent.com/u/324440?v=4" width="100px;"/><br/><sub><b>KidkArolis</b></sub>](https://github.com/KidkArolis)<br/>|[<img src="https://avatars.githubusercontent.com/u/922240?v=4" width="100px;"/><br/><sub><b>tq0fqeu</b></sub>](https://github.com/tq0fqeu)<br/>|
+|[<img src="https://avatars.githubusercontent.com/u/1587797?v=4" width="100px;"/><br/><sub><b>limianwang</b></sub>](https://github.com/limianwang)<br/>|[<img src="https://avatars.githubusercontent.com/u/900947?v=4" width="100px;"/><br/><sub><b>LoicMahieu</b></sub>](https://github.com/LoicMahieu)<br/>|[<img src="https://avatars.githubusercontent.com/u/1614482?v=4" width="100px;"/><br/><sub><b>paulvi</b></sub>](https://github.com/paulvi)<br/>|[<img src="https://avatars.githubusercontent.com/u/36651530?v=4" width="100px;"/><br/><sub><b>XXBeii</b></sub>](https://github.com/XXBeii)<br/>|[<img src="https://avatars.githubusercontent.com/u/1422472?v=4" width="100px;"/><br/><sub><b>jpuncle</b></sub>](https://github.com/jpuncle)<br/>|[<img src="https://avatars.githubusercontent.com/u/20092391?v=4" width="100px;"/><br/><sub><b>vincentmrlau</b></sub>](https://github.com/vincentmrlau)<br/>|
+[<img src="https://avatars.githubusercontent.com/u/4470552?v=4" width="100px;"/><br/><sub><b>stoneChen</b></sub>](https://github.com/stoneChen)<br/>|[<img src="https://avatars.githubusercontent.com/u/2196373?v=4" width="100px;"/><br/><sub><b>dickeylth</b></sub>](https://github.com/dickeylth)<br/>|[<img src="https://avatars.githubusercontent.com/u/29791463?v=4" width="100px;"/><br/><sub><b>fossabot</b></sub>](https://github.com/fossabot)<br/>|[<img src="https://avatars.githubusercontent.com/u/1941756?v=4" width="100px;"/><br/><sub><b>gniavaj</b></sub>](https://github.com/gniavaj)<br/>|[<img src="https://avatars.githubusercontent.com/u/10371891?v=4" width="100px;"/><br/><sub><b>hellojukay</b></sub>](https://github.com/hellojukay)<br/>|[<img src="https://avatars.githubusercontent.com/u/5040076?v=4" width="100px;"/><br/><sub><b>liyangready</b></sub>](https://github.com/liyangready)<br/>
+
+This project follows the git-contributor [spec](https://github.com/xudafeng/git-contributor), auto updated at `Sun Mar 20 2022 09:50:54 GMT+0800`.
+
+<!-- GITCONTRIBUTOR_END -->
+
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fcnpm%2Fcnpmjs.org.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fcnpm%2Fcnpmjs.org?ref=badge_large)
--- a/common/sequelize.js
+++ b/common/sequelize.js
@@ -48,7 +48,7 @@ database.syncFirst = false;

 // add longtext for mysql
 Sequelize.LONGTEXT = DataTypes.LONGTEXT = DataTypes.TEXT;
-if (config.dialect === 'mysql') {
+if (database.dialect === 'mysql') {
  Sequelize.LONGTEXT = DataTypes.LONGTEXT = 'LONGTEXT';
 }

--- a/common/urllib.js
+++ b/common/urllib.js
@@ -5,6 +5,8 @@ var urllib = require('urllib');
 var HttpAgent = require('agentkeepalive');
 var HttpsAgent = require('agentkeepalive').HttpsAgent;
 var config = require('../config');
+var url = require('url');
+var URL = require('url').URL;

 var httpAgent;
 var httpsAgent;
@@ -57,5 +59,26 @@ var client = urllib.create({
  httpsAgent: httpsAgent
 });

+var request = urllib.HttpClient.prototype.request;
+
+function getAccelerateUrl(url) {
+  const urlObj = typeof url === 'string' ? new URL(url) : url;
+  const newHost = config.accelerateHostMap && config.accelerateHostMap[urlObj.host];
+  if (newHost) {
+    urlObj.host = newHost;
+  }
+  return urlObj.toString();
+}
+
+client.request = function (requestUrl, options) {
+  const accelerateUrl = getAccelerateUrl(requestUrl);
+  options = Object.assign({}, options, {
+    formatRedirectUrl: function (from, to) {
+      return getAccelerateUrl(url.resolve(from, to));
+    }
+  });
+  return Reflect.apply(request, client, [ accelerateUrl, options ]);
+};
+
 module.exports = client;
 module.exports.USER_AGENT = urllib.USER_AGENT;
--- a/config/index.js
+++ b/config/index.js
@@ -8,7 +8,7 @@ var os = require('os');
 var utility = require('utility');

 var version = require('../package.json').version;
-
+var Nfs = require('fs-cnpm');
 var root = path.dirname(__dirname);
 var dataDir = path.join(process.env.HOME || root, '.cnpmjs.org');

@@ -31,6 +31,9 @@ var config = {
  bindingHost: '127.0.0.1', // only binding on 127.0.0.1 for local access
  // default is ctx.protocol
  protocol: '',
+  // When sync package, cnpm not know the access protocol.
+  // So should set manually
+  backupProtocol: 'http',

  // debug mode
  // if in debug mode, some middleware like limit wont load
@@ -62,6 +65,7 @@ var config = {
  viewDir: path.join(root, 'view', 'web'),

  customRegistryMiddlewares: [],
+  customWebMiddlewares: [],

  // config for koa-limit middleware
  // for limit download rates
@@ -100,15 +104,13 @@ var config = {

  logoURL: 'https://os.alipayobjects.com/rmsportal/oygxuIUkkrRccUz.jpg', // cnpm logo image url
  adBanner: '',
+  customHeader: '',
  customReadmeFile: '', // you can use your custom readme file instead the cnpm one
  customFooter: '', // you can add copyright and site total script html here
  npmClientName: 'cnpm', // use `${name} install package`
-  packagePageContributorSearch: true, // package page contributor link to search, default is true

  // max handle number of package.json `dependencies` property
  maxDependencies: 200,
-  // backup filepath prefix
-  backupFilePrefix: '/cnpm/backup/',

  /**
   * database config
@@ -147,19 +149,25 @@ var config = {
    storage: path.join(dataDir, 'data.sqlite'),

    logging: !!process.env.SQL_DEBUG,
-
-    // enable proxy npm audits request or not
-    enableNpmAuditsProxy: true,
  },

+  // return total modules and versions, default is true
+  // it will use `SELECT count(DISTINCT name) FROM module` SQL on Database
+  enableTotalCount: true,
+
+  // enable proxy npm audits request or not
+  enableNpmAuditsProxy: true,
+
  // package tarball store in local filesystem by default
-  nfs: require('fs-cnpm')({
+  nfs: new Nfs({
    dir: path.join(dataDir, 'nfs')
  }),
  // if set true, will 302 redirect to `nfs.url(dist.key)`
  downloadRedirectToNFS: false,
  // don't check database and just download tgz from nfs
  downloadTgzDontCheckModule: false,
+  // remove original tarball when publishing
+  unpublishRemoveTarball: true,

  // registry url name
  registryHost: 'r.cnpmjs.org',
@@ -191,12 +199,22 @@ var config = {
  // please don't change it if not necessary
  officialNpmRegistry: 'https://registry.npmjs.com',
  officialNpmReplicate: 'https://replicate.npmjs.com',
+  cnpmRegistry: 'https://r.cnpmjs.com',
+
+  // /-/all/changes
+  // since different changes are aggregated through many tables
+  // prevent changesStream changes collisions
+  changesDelay: 5000,

  // sync source, upstream registry
  // If you want to directly sync from official npm's registry
  // please drop them an email first
-  sourceNpmRegistry: 'https://registry.npm.taobao.org',
-  sourceNpmWeb: 'https://npm.taobao.org',
+  sourceNpmRegistry: 'https://registry.npmmirror.com',
+  sourceNpmWeb: 'https://npmmirror.com',
+
+  // set remote registry to show web page data
+  enableWebDataRemoteRegistry: false,
+  webDataRemoteRegistry: '',

  // upstream registry is base on cnpm/cnpmjs.org or not
  // if your upstream is official npm registry, please turn it off
@@ -210,6 +228,8 @@ var config = {
  // exist: only sync exist modules
  // all: sync all modules
  syncModel: 'none', // 'none', 'all', 'exist'
+  // sync package.json/dist-tag.json to sync dir
+  syncBackupFiles: false,

  syncConcurrency: 1,
  // sync interval, default is 10 minutes
@@ -233,6 +253,20 @@ var config = {
  syncDownloadOptions: {
    // formatRedirectUrl: function (url, location)
  },
+
+  // all syncModel cannot sync scope pacakge, you can use this model to sync scope package from any resgitry
+  syncScope: false,
+  syncScopeInterval: '12h',
+  // scope package sync config
+  /**
+ * sync scope package from assign registry
+ * @param {Array<scope>} scopes
+ * @param {String} scope.scope scope name
+ * @param {String} scope.sourceCnpmWeb source cnpm registry web url for get scope all packages name
+ * @param {String} scope.sourceCnpmRegistry source cnpm registry url for sync packages
+ */
+  syncScopeConfig: [],
+
  handleSyncRegistry: 'http://127.0.0.1:7001',

  // default badge subject
@@ -276,6 +310,12 @@ var config = {
  // if enable this option, must create module_abbreviated and package_readme table in database
  enableAbbreviatedMetadata: false,

+  // enable package or package version block list, must create package_version_blocklist table in database
+  enableBlockPackageVersion: false,
+
+  // enable bug version hotfix by https://github.com/cnpm/bug-versions
+  enableBugVersion: false,
+
  // global hook function: function* (envelope) {}
  // envelope format please see https://github.com/npm/registry/blob/master/docs/hooks/hooks-payload.md#payload
  globalHook: null,
@@ -289,16 +329,43 @@ var config = {
    enable: false,
    connectOptions: null,
  },
+
+  // custom format full package list
+  // change `GET /:name` request response body
+  // use on `controllers/registry/list.js`
+  formatCustomFullPackageInfoAndVersions: (ctx, packageInfo) => {
+    return packageInfo;
+  },
+  // custom format one package version
+  // change `GET /:name/:version` request response body
+  // use on `controllers/registry/show.js`
+  formatCustomOnePackageVersion: (ctx, packageVersion) => {
+    return packageVersion;
+  },
+  // registry download accelerate map
+  accelerateHostMap: {},
 };

 if (process.env.NODE_ENV === 'test') {
  config.enableAbbreviatedMetadata = true;
-  config.customRegistryMiddlewares.push(() => {
+  config.customRegistryMiddlewares.push((app) => {
    return function* (next) {
      this.set('x-custom-middleware', 'true');
+      this.set('x-custom-app-models', typeof app.models.query === 'function' ? 'true' : 'false');
      yield next;
    };
  });
+
+  config.customWebMiddlewares.push((app) => {
+    return function* (next) {
+      this.set('x-custom-web-middleware', 'true');
+      this.set('x-custom-web-app-models', typeof app.models.query === 'function' ? 'true' : 'false');
+      yield next;
+    };
+  });
+
+  config.enableBlockPackageVersion = true;
+  config.enableBugVersion = true;
 }

 if (process.env.NODE_ENV !== 'test') {
--- a/controllers/registry/package/changes.js
+++ b/controllers/registry/package/changes.js
@@ -0,0 +1,53 @@
+'use strict';
+
+var packageService = require('../../../services/package');
+var lodash = require('lodash');
+var gather = require('co-gather');
+
+// GET /-/_changes?since={timestamp}&limit={number}&cursorId={number}
+// List changes since the timestamp
+// Similar with https://registry.npmmirror.com/_changes?since=1658974943840
+// Change types:
+// 1. ✅ PACKAGE_VERSION_ADDED
+// 2. ✅ PACKAGE_TAG_ADDED
+// 3. 🆕 PACKAGE_UNPUBLISHED
+// 5. ❎ PACKAGE_MAINTAINER_REMOVED
+// 6. ❎ PACKAGE_MAINTAINER_CHANGED
+// 7. ❎ PACKAGE_TAG_CHANGED
+//
+// Since we don't have the previous data,
+// We can't compute the reliable seqId
+// use gmt_modified cinstead of seqId
+module.exports = function* listSince() {
+  var query = this.query;
+  var since = query.since;
+  var limit = Number(query.limit);
+
+  // ensure limit
+  if (Number.isNaN(limit)) {
+    limit = 1000;
+  }
+  var queryResults = yield gather(
+    [
+      "listVersionSince",
+      "listTagSince",
+      "listUnpublishedModuleSince",
+    ].map(function (method) {
+      return packageService[method](since, limit);
+    })
+  );
+
+  var validResults = queryResults.map(function (result) {
+    if (!result.isError) {
+      return result.value;
+    }
+    return [];
+  });
+
+  var results = lodash.orderBy(
+    lodash.flatten(validResults).filter(Boolean),
+    "gmt_modified",
+    "asc"
+  ).slice(0, limit);
+  this.body = { results };
+};
--- a/controllers/registry/package/dist_tag.js
+++ b/controllers/registry/package/dist_tag.js
@@ -1,6 +1,7 @@
 'use strict';

 var packageService = require('../../../services/package');
+var hook = require('../../../services/hook');

 function ok() {
  return {
@@ -34,6 +35,19 @@ exports.update = function* () {
  for (var tag in tags) {
    var version = tags[tag];
    yield packageService.addModuleTag(name, tag, version);
+
+    // hooks
+    const envelope = {
+      event: 'package:dist-tag',
+      name: name,
+      tag: tag,
+      type: 'package',
+      version: version,
+      hookOwner: null,
+      payload: null,
+      change: null,
+    };
+    hook.trigger(envelope);
  }
  this.status = 201;
  this.body = ok();
@@ -60,6 +74,18 @@ exports.set = function* () {
  yield packageService.addModuleTag(name, tag, version);
  this.status = 201;
  this.body = ok();
+  // hooks
+  const envelope = {
+    event: 'package:dist-tag',
+    name: name,
+    tag: tag,
+    type: 'package',
+    version: version,
+    hookOwner: null,
+    payload: null,
+    change: null,
+  };
+  hook.trigger(envelope);
 };

 // DELETE /-/package/:pkg/dist-tags/:tag -- Remove tag from dist-tags
@@ -77,4 +103,15 @@ exports.destroy = function* () {
  }
  yield packageService.removeModuleTagsByNames(name, tag);
  this.body = ok();
+  // hooks
+  const envelope = {
+    event: 'package:dist-tag:rm',
+    name: name,
+    tag: tag,
+    type: 'package',
+    hookOwner: null,
+    payload: null,
+    change: null,
+  };
+  hook.trigger(envelope);
 };
--- a/controllers/registry/package/download.js
+++ b/controllers/registry/package/download.js
@@ -18,6 +18,13 @@ let globalDownloads = new Map();
 module.exports = function* download(next) {
  var name = this.params.name || this.params[0];
  var filename = this.params.filename || this.params[1];
+  // scope pkg and download with out scope
+  if (name.startsWith('@') && !filename.startsWith('@')) {
+    var scope = name.slice(0, name.indexOf('/'));
+    // fix filename with scope
+    filename = `${scope}/${filename}`;
+  }
+
  var version = filename.slice(name.length + 1, -4);
  // can not get dist
  var url = null;
@@ -123,9 +130,12 @@ defer.setInterval(function* () {
        err.message += '; name: ' + name + ', count: ' + count + ', date: ' + date;
        logger.error(err);
      }
-      // save back to globalDownloads, try again next time
-      count = (globalDownloads.get(name) || 0) + count;
-      globalDownloads.set(name, count);
+      var pkgExist = yield packageService.getModuleLastModified(name);
+      if (pkgExist) {
+        // save back to globalDownloads, try again next time
+        count = (globalDownloads.get(name) || 0) + count;
+        globalDownloads.set(name, count);
+      }
    }
  }
  saving = false;
--- a/controllers/registry/package/list.js
+++ b/controllers/registry/package/list.js
@@ -3,6 +3,8 @@
 var debug = require('debug')('cnpmjs.org:controllers:registry:package:list');
 var utility = require('utility');
 var packageService = require('../../../services/package');
+var blocklistService = require('../../../services/blocklist');
+var bugVersionService = require('../../../services/bug_version');
 var common = require('../../../lib/common');
 var SyncModuleWorker = require('../../sync_module_worker');
 var config = require('../../../config');
@@ -15,33 +17,33 @@ function etag(objs) {
  return 'W/"' + utility.md5(JSON.stringify(objs)) + '"';
 }

+function filterBlockVerions(rows, blocks) {
+  if (!blocks) {
+    return rows;
+  }
+  return rows.filter(row => !blocks[row.version]);
+}
+
 /**
 * list all version of a module
 * GET /:name
 */
 module.exports = function* list() {
  const name = this.params.name || this.params[0];
-  // sync request will contain this query params
-  let noCache = this.query.cache === '0';
-  if (!noCache) {
-    const ua = this.headers['user-agent'] || '';
-    // old sync client will request with these user-agent
-    if (ua.indexOf('npm_service.cnpmjs.org/') !== -1) {
-      noCache = true;
-    }
-  }
+  const isSyncWorkerRequest = common.isSyncWorkerRequest(this);
  const isJSONPRequest = this.query.callback;
-  let cacheKey;
+  let cacheKey = '';
  let needAbbreviatedMeta = false;
  let abbreviatedMetaType = 'application/vnd.npm.install-v1+json';
  if (config.enableAbbreviatedMetadata && this.accepts([ 'json', abbreviatedMetaType ]) === abbreviatedMetaType) {
    needAbbreviatedMeta = true;
-    if (cache && !isJSONPRequest) {
+    // don't cache result on sync request
+    if (cache && !isJSONPRequest && !isSyncWorkerRequest) {
      cacheKey = `list-${name}-v1`;
    }
  }
-
-  if (cacheKey && !noCache) {
+  
+  if (cacheKey) {
    const values = yield cache.hmget(cacheKey, 'etag', 'body');
    if (values && values[0] && values[1]) {
      this.body = values[1];
@@ -63,9 +65,22 @@ module.exports = function* list() {
  var rs = yield [
    packageService.getModuleLastModified(name),
    packageService.listModuleTags(name),
+    blocklistService.findBlockPackageVersions(name),
  ];
  var modifiedTime = rs[0];
  var tags = rs[1];
+  var blocks = rs[2];
+
+  if (blocks && blocks['*']) {
+    this.status = 451;
+    const error = `[block] package was blocked, reason: ${blocks['*'].reason}`;
+    this.jsonp = {
+      name,
+      error,
+      reason: error,
+    };
+    return;
+  }

  debug('show %s, last modified: %s, tags: %j', name, modifiedTime, tags);
  if (modifiedTime) {
@@ -89,14 +104,16 @@ module.exports = function* list() {

  if (needAbbreviatedMeta) {
    var rows = yield packageService.listModuleAbbreviatedsByName(name);
+    rows = filterBlockVerions(rows, blocks);
    if (rows.length > 0) {
-      yield handleAbbreviatedMetaRequest(this, name, modifiedTime, tags, rows, cacheKey);
+      yield handleAbbreviatedMetaRequest(this, name, modifiedTime, tags, rows, cacheKey, isSyncWorkerRequest);
      return;
    }
    var fullRows = yield packageService.listModulesByName(name);
+    fullRows = filterBlockVerions(fullRows, blocks);
    if (fullRows.length > 0) {
      // no abbreviated meta rows, use the full meta convert to abbreviated meta
-      yield handleAbbreviatedMetaRequestWithFullMeta(this, name, modifiedTime, tags, fullRows);
+      yield handleAbbreviatedMetaRequestWithFullMeta(this, name, modifiedTime, tags, fullRows, isSyncWorkerRequest);
      return;
    }
  }
@@ -106,7 +123,7 @@ module.exports = function* list() {
    packageService.listStarUserNames(name),
    packageService.listMaintainers(name),
  ];
-  var rows = r[0];
+  var rows = filterBlockVerions(r[0], blocks);
  var starUsers = r[1];
  var maintainers = r[2];

@@ -205,6 +222,9 @@ module.exports = function* list() {
      createdTime = t;
    }
  }
+  if (!isSyncWorkerRequest) {
+    yield bugVersionService.hotfix(rows);
+  }

  if (modifiedTime && createdTime) {
    var ts = {
@@ -258,6 +278,10 @@ module.exports = function* list() {
  info.bugs = pkg.bugs;
  info.license = pkg.license;

+  if (typeof config.formatCustomFullPackageInfoAndVersions === 'function') {
+    info = config.formatCustomFullPackageInfoAndVersions(this, info);
+  }
+
  debug('show module %s: %s, latest: %s', name, rev, latestMod.version);
  this.jsonp = info;
  // use faster etag
@@ -276,8 +300,9 @@ module.exports = function* list() {
  }
 };

-function* handleAbbreviatedMetaRequest(ctx, name, modifiedTime, tags, rows, cacheKey) {
-  debug('show %s got %d rows, %d tags, modifiedTime: %s', name, rows.length, tags.length, modifiedTime);
+function* handleAbbreviatedMetaRequest(ctx, name, modifiedTime, tags, rows, cacheKey, isSyncWorkerRequest) {
+  debug('show %s got %d rows, %d tags, modifiedTime: %s, cacheKey: %s, isSyncWorkerRequest: %s',
+    name, rows.length, tags.length, modifiedTime, cacheKey, isSyncWorkerRequest);
  const isJSONPRequest = ctx.query.callback;
  var latestMod = null;
  // set tags
@@ -303,6 +328,14 @@ function* handleAbbreviatedMetaRequest(ctx, name, modifiedTime, tags, rows, cach
    if ((!distTags.latest && !latestMod) || distTags.latest === pkg.version) {
      latestMod = row;
    }
+    // abbreviatedMeta row maybe update by syncer on missing attributes add
+    if (!modifiedTime || row.gmt_modified > modifiedTime) {
+      modifiedTime = row.gmt_modified;
+    }
+  }
+  // don't use bug-versions hotfix on sync request
+  if (!isSyncWorkerRequest) {
+    yield bugVersionService.hotfix(rows);
  }

  if (!latestMod) {
@@ -357,9 +390,9 @@ function* handleAbbreviatedMetaRequest(ctx, name, modifiedTime, tags, rows, cach
  }
 }

-function* handleAbbreviatedMetaRequestWithFullMeta(ctx, name, modifiedTime, tags, rows) {
-  debug('show %s got %d rows, %d tags',
-    name, rows.length, tags.length);
+function* handleAbbreviatedMetaRequestWithFullMeta(ctx, name, modifiedTime, tags, rows, isSyncWorkerRequest) {
+  debug('show %s got %d rows, %d tags, isSyncWorkerRequest: %s',
+    name, rows.length, tags.length, isSyncWorkerRequest);
  var latestMod = null;
  // set tags
  var distTags = {};
@@ -378,6 +411,13 @@ function* handleAbbreviatedMetaRequestWithFullMeta(ctx, name, modifiedTime, tags
      continue;
    }
    // https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md#abbreviated-version-object
+    var hasInstallScript;
+    if (row.package.scripts) {
+      // https://www.npmjs.com/package/fix-has-install-script
+      if (row.package.scripts.install || row.package.scripts.preinstall || row.package.scripts.postinstall) {
+        hasInstallScript = true;
+      }
+    }
    var pkg = {
      name: row.package.name,
      version: row.package.version,
@@ -387,22 +427,32 @@ function* handleAbbreviatedMetaRequestWithFullMeta(ctx, name, modifiedTime, tags
      devDependencies: row.package.devDependencies,
      bundleDependencies: row.package.bundleDependencies,
      peerDependencies: row.package.peerDependencies,
+      peerDependenciesMeta: row.package.peerDependenciesMeta,
      bin: row.package.bin,
+      os: row.package.os,
+      cpu: row.package.cpu,
+      libc: row.package.libc,
      directories: row.package.directories,
      dist: row.package.dist,
      engines: row.package.engines,
+      workspaces: row.package.workspaces,
      _hasShrinkwrap: row.package._hasShrinkwrap,
+      hasInstallScript: hasInstallScript,
      publish_time: row.package.publish_time || row.publish_time,
    };
    common.setDownloadURL(pkg, ctx);

    versions[pkg.version] = pkg;
+    row.package = pkg;
    allVersionString += pkg.version + ',';

    if ((!distTags.latest && !latestMod) || distTags.latest === pkg.version) {
      latestMod = row;
    }
  }
+  if (!isSyncWorkerRequest) {
+    yield bugVersionService.hotfix(rows);
+  }

  if (!latestMod) {
    latestMod = rows[0];
--- a/controllers/registry/package/list_versions.js
+++ b/controllers/registry/package/list_versions.js
@@ -0,0 +1,37 @@
+'use strict';
+
+const moment = require('moment');
+const packageService = require('../../../services/package');
+
+// GET /-/allversions?date={2020-02-20}
+// List all packages versions sync at date(gmt_modified)
+
+module.exports = function* () {
+  const query = this.query;
+  const date = moment(query.date, 'YYYY-MM-DD');
+  if (!date.isValid()) {
+    this.status = 400;
+    const error = '[query_parse_error] Invalid value for `date`, should be `YYYY-MM-DD` format.';
+    this.body = {
+      error,
+      reason: error,
+    };
+    return;
+  }
+
+  const today = date.format('YYYY-MM-DD');
+  const rows = yield packageService.findAllModuleAbbreviateds({
+    gmt_modified: {
+      $gte: `${today} 00:00:00`,
+      $lte: `${today} 23:59:59`,
+    },
+  });
+  this.body = rows.map(row => {
+    return {
+      name: row.name,
+      version: row.version,
+      publish_time: new Date(row.publish_time),
+      gmt_modified: row.gmt_modified,
+    };
+  });
+};
--- a/controllers/registry/package/remove.js
+++ b/controllers/registry/package/remove.js
@@ -6,6 +6,7 @@ var packageService = require('../../../services/package');
 var totalService = require('../../../services/total');
 var nfs = require('../../../common/nfs');
 var logger = require('../../../common/logger');
+var config = require('../../../config');

 // DELETE /:name/-rev/:rev
 // https://github.com/npm/npm-registry-client/blob/master/lib/unpublish.js#L25
@@ -27,23 +28,25 @@ module.exports = function* remove(next) {
    totalService.plusDeleteModule(),
  ];

-  var keys = [];
-  for (var i = 0; i < mods.length; i++) {
-    var row = mods[i];
-    var dist = row.package.dist;
-    var key = dist.key;
-    if (!key) {
-      key = urlparse(dist.tarball).pathname;
+  if (config.unpublishRemoveTarball) {
+    var keys = [];
+    for (var i = 0; i < mods.length; i++) {
+      var row = mods[i];
+      var dist = row.package.dist;
+      var key = dist.key;
+      if (!key) {
+        key = urlparse(dist.tarball).pathname;
+      }
+      key && keys.push(key);
    }
-    key && keys.push(key);
-  }

-  try {
-    yield keys.map(function (key) {
-      return nfs.remove(key);
-    });
-  } catch (err) {
-    logger.error(err);
+    try {
+      yield keys.map(function (key) {
+        return nfs.remove(key);
+      });
+    } catch (err) {
+      logger.error(err);
+    }
  }

  // remove the maintainers
--- a/controllers/registry/package/remove_version.js
+++ b/controllers/registry/package/remove_version.js
@@ -5,6 +5,7 @@ var packageService = require('../../../services/package');
 var nfs = require('../../../common/nfs');
 var logger = require('../../../common/logger');
 var getCDNKey = require('../../../lib/common').getCDNKey;
+var config = require('../../../config');

 // DELETE /:name/download/:filename/-rev/:rev
 // https://github.com/npm/npm-registry-client/blob/master/lib/unpublish.js#L97
@@ -38,21 +39,25 @@ module.exports = function* removeOneVersion(next) {
    return yield next;
  }

-  var key = mod.package && mod.package.dist && mod.package.dist.key;
-  if (!key) {
-    key = getCDNKey(mod.name, filename);
+  if (config.unpublishRemoveTarball) {
+    var key = mod.package && mod.package.dist && mod.package.dist.key;
+    if (!key) {
+      key = getCDNKey(mod.name, filename);
+    }
+
+    if (revertTo && revertTo.package) {
+      debug('removing key: %s from nfs, revert to %s@%s', key, revertTo.name, revertTo.package.version);
+    } else {
+      debug('removing key: %s from nfs, no revert mod', key);
+    }
+
+    try {
+      yield nfs.remove(key);
+    } catch (err) {
+      logger.error(err);
+    }
  }

-  if (revertTo && revertTo.package) {
-    debug('removing key: %s from nfs, revert to %s@%s', key, revertTo.name, revertTo.package.version);
-  } else {
-    debug('removing key: %s from nfs, no revert mod', key);
-  }
-  try {
-    yield nfs.remove(key);
-  } catch (err) {
-    logger.error(err);
-  }
  // remove version from table
  yield packageService.removeModulesByNameAndVersions(name, [version]);
  debug('removed %s@%s', name, version);
--- a/controllers/registry/package/save.js
+++ b/controllers/registry/package/save.js
@@ -1,9 +1,10 @@
 'use strict';

 var debug = require('debug')('cnpmjs.org:controllers:registry:package:save');
-var crypto = require('crypto');
+var ssri = require('ssri');
 var deprecateVersions = require('./deprecate');
 var packageService = require('../../../services/package');
+var logger = require('../../../common/logger');
 var common = require('../../../lib/common');
 var nfs = require('../../../common/nfs');
 var config = require('../../../config');
@@ -16,14 +17,42 @@ var hook = require('../../../services/hook');
 //
 // new flows: only one request
 // PUT /:name
-// https://github.com/npm/npm-registry-client/blob/master/lib/publish.js#L84
+// old publish: https://github.com/npm/npm-registry-client/blob/master/lib/publish.js#L84
+// new publish: https://github.com/npm/libnpmpublish/blob/main/publish.js#L91
 module.exports = function* save(next) {
-  // 'dist-tags': { latest: '0.0.2' },
-  //  _attachments:
-  // { 'nae-sandbox-0.0.2.tgz':
-  //    { content_type: 'application/octet-stream',
-  //      data: 'H4sIAAAAA
-  //      length: 9883
+  // {
+  //   "_id": "@cnpm/foo",
+  //   "name": "@cnpm/foo",
+  //   "dist-tags": {
+  //     "latest": "1.0.0"
+  //   },
+  //   "versions": {
+  //     "1.0.0": {
+  //       "name": "@cnpm/foo",
+  //       "version": "1.0.0",
+  //       "dependencies": {
+  //         "xprofiler": "^1.2.6"
+  //       },
+  //       "readme": "ERROR: No README data found!",
+  //       "_id": "@cnpm/foo@1.0.0",
+  //       "_nodeVersion": "16.13.0",
+  //       "_npmVersion": "8.1.0",
+  //       "dist": {
+  //         "integrity": "sha512-7nm0vpDEWs7y+tTwlxd7YnGaBc+9Gk5KaPsx2cqQz6H84ndBXlw5nMxGtL4Uy0bCQIknPAZAVe+KNheInmmJrQ==",
+  //         "shasum": "afd05dcfb8759b9b1c7151492a04f2254365c602",
+  //         "tarball": "http://127.0.0.1:7001/@cnpm/foo/-/@cnpm/foo-1.0.0.tgz"
+  //       }
+  //     }
+  //   },
+  //   "access": null,
+  //   "_attachments": {
+  //     "@cnpm/foo-1.0.0.tgz": {
+  //       "content_type": "application/octet-stream",
+  //       "data": "H4sIAAAAAA...",
+  //       "length": 208
+  //     }
+  //   }
+  // }
  var pkg = this.request.body;
  var username = this.user.name;
  var name = this.params.name || this.params[0];
@@ -78,25 +107,46 @@ module.exports = function* save(next) {
  var versionPackage = pkg.versions[version];
  var maintainers = versionPackage.maintainers;

-  // should never happened in normal request
+  var authorizeType = common.getAuthorizeType(this);
  if (!maintainers) {
-    this.status = 400;
-    const error = '[maintainers_error] request body need maintainers';
-    this.body = {
-      error,
-      reason: error,
-    };
-    return;
+    if (authorizeType === common.AuthorizeType.BEARER) {
+      // With the token mode, pub lib with no maintainers
+      // make the maintainer to be puber
+      maintainers = [{
+        name: this.user.name,
+        email: this.user.email,
+      }];
+    } else {
+      // should never happened in normal request
+      this.status = 400;
+      const error = '[maintainers_error] request body need maintainers';
+      this.body = {
+        error,
+        reason: error,
+      };
+      return;
+    }
  }

  // notice that admins can not publish to all modules
  // (but admins can add self to maintainers first)

-  // make sure user in auth is in maintainers
-  // should never happened in normal request
  var m = maintainers.filter(function (maintainer) {
    return maintainer.name === username;
  });
+
+  // package.json has maintainers and publisher in not in the list
+  if (authorizeType === common.AuthorizeType.BEARER && m.length === 0) {
+    var publisher = {
+      name: this.user.name,
+      email: this.user.email,
+    };
+    m = [ publisher ];
+    maintainers.push(publisher);
+  }
+
+  // make sure user in auth is in maintainers
+  // should never happened in normal request
  if (m.length === 0) {
    this.status = 403;
    const error = '[maintainers_error] ' + username + ' does not in maintainer list';
@@ -129,7 +179,6 @@ module.exports = function* save(next) {
    username, name, version, attachment.length, versionPackage.maintainers, distTags);

  var exists = yield packageService.getModule(name, version);
-  var shasum;
  if (exists) {
    this.status = 403;
    const error = '[forbidden] cannot modify pre-existing version: ' + version;
@@ -165,21 +214,60 @@ module.exports = function* save(next) {
    }
  }

-  shasum = crypto.createHash('sha1');
-  shasum.update(tarballBuffer);
-  shasum = shasum.digest('hex');
+  var originDist = versionPackage.dist || {};
+  var shasum;
+  var integrity = originDist.integrity;
+  // for content security reason
+  // check integrity
+  if (integrity) {
+    var algorithm = ssri.checkData(tarballBuffer, integrity);
+    if (!algorithm) {
+      logger.error('[registry:save:integrity:invalid] %s@%s, dist:%j', name, version, originDist);
+      this.status = 400;
+      const error = '[invalid] dist.integrity invalid';
+      this.body = {
+        error,
+        reason: error,
+      };
+      return;
+    }
+    var integrityObj = ssri.fromData(tarballBuffer, {
+      algorithms: ['sha1'],
+    });
+    shasum = integrityObj.sha1[0].hexDigest();
+  } else {
+    var integrityObj = ssri.fromData(tarballBuffer, {
+      algorithms: ['sha512', 'sha1'],
+    });
+    integrity = integrityObj.sha512[0].toString();
+    shasum = integrityObj.sha1[0].hexDigest();
+    if (originDist.shasum && originDist.shasum !== shasum) {
+      // if integrity not exists, check shasum
+      logger.error('[registry:save:shasum:invalid] %s@%s, dist:%j', name, version, originDist);
+      this.status = 400;
+      const error = '[invalid] dist.shasum invalid';
+      this.body = {
+        error,
+        reason: error,
+      };
+      return;
+    }
+  }

  var options = {
    key: common.getCDNKey(name, filename),
-    shasum: shasum
+    shasum: shasum,
+    integrity: integrity,
  };
  var uploadResult = yield nfs.uploadBuffer(tarballBuffer, options);
-  debug('upload %j', uploadResult);
+  debug('upload %j, options: %j', uploadResult, options);

-  var dist = {
+  var dist = Object.assign({}, originDist, {
+    tarball: '',
+    integrity: integrity,
    shasum: shasum,
-    size: attachment.length
-  };
+    size: attachment.length,
+  });

  // if nfs upload return a key, record it
  if (uploadResult.url) {
--- a/controllers/registry/package/show.js
+++ b/controllers/registry/package/show.js
@@ -1,9 +1,7 @@
 'use strict';

 var debug = require('debug')('cnpmjs.org:controllers:registry:package:show');
-var semver = require('semver');
 var packageService = require('../../../services/package');
-var setDownloadURL = require('../../../lib/common').setDownloadURL;
 var SyncModuleWorker = require('../../sync_module_worker');
 var config = require('../../../config');

@@ -18,40 +16,13 @@ var config = require('../../../config');
 module.exports = function* show() {
  var name = this.params.name || this.params[0];
  var tag = this.params.version || this.params[1];
-  if (tag === '*') {
-    tag = 'latest';
-  }
-  var version = semver.valid(tag);
-  var range = semver.validRange(tag);
-  var mod;
-  if (version) {
-    mod = yield packageService.getModule(name, version);
-  } else if (range) {
-    mod = yield packageService.getModuleByRange(name, range);
-  } else {
-    mod = yield packageService.getModuleByTag(name, tag);
-  }
+  var mod = yield packageService.showPackage(name, tag, this);

  if (mod) {
-    setDownloadURL(mod.package, this);
-    mod.package._cnpm_publish_time = mod.publish_time;
-    mod.package.publish_time = mod.package.publish_time || mod.publish_time;
-    var rs = yield [
-      packageService.listMaintainers(name),
-      packageService.listModuleTags(name),
-    ];
-    var maintainers = rs[0];
-    if (maintainers.length > 0) {
-      mod.package.maintainers = maintainers;
+    if (typeof config.formatCustomOnePackageVersion === 'function') {
+      mod.package = config.formatCustomOnePackageVersion(this, mod.package);
    }
-    var tags = rs[1];
-    var distTags = {};
-    for (var i = 0; i < tags.length; i++) {
-      var t = tags[i];
-      distTags[t.tag] = t.version;
-    }
-    // show tags for npminstall faster download
-    mod.package['dist-tags'] = distTags;
+
    this.jsonp = mod.package;
    if (config.registryCacheControlHeader) {
      this.set('cache-control', config.registryCacheControlHeader);
@@ -65,7 +36,7 @@ module.exports = function* show() {
  // if not fond, sync from source registry
  if (!this.allowSync) {
    this.status = 404;
-    const error = '[not_exists] version not found: ' + version;
+    const error = '[not_exists] version not found: ' + tag;
    this.jsonp = {
      error,
      reason: error,
--- a/controllers/registry/package/update.js
+++ b/controllers/registry/package/update.js
@@ -4,6 +4,7 @@ var debug = require('debug')('cnpmjs.org:controllers:registry:package:update');
 var packageService = require('../../../services/package');
 var userService = require('../../../services/user');
 var config = require('../../../config');
+var hook = require('../../../services/hook');

 // PUT /:name/-rev/:rev
 //
@@ -158,6 +159,31 @@ function* updateMaintainers() {

  var r = yield packageService.updatePrivateModuleMaintainers(name, usernames);
  debug('result: %j', r);
+  if (r.add && r.add.length) {
+    const envelope = {
+      event: 'package:owner',
+      name: name,
+      type: 'package',
+      version: null,
+      hookOwner: null,
+      payload: null,
+      change: null,
+    };
+    hook.trigger(envelope);
+  }
+  if (r.remove && r.remove.length) {
+    const envelope = {
+      event: 'package:owner-rm',
+      name: name,
+      type: 'package',
+      version: null,
+      hookOwner: null,
+      payload: null,
+      change: null,
+    };
+    hook.trigger(envelope);
+  }
+

  this.status = 201;
  this.body = {
--- a/controllers/registry/token/create.js
+++ b/controllers/registry/token/create.js
@@ -0,0 +1,55 @@
+'use strict';
+
+var ipRegex = require('ip-regex');
+var tokenService = require('../../../services/token');
+var userService = require('../../../services/user');
+var ipv4 = ipRegex.v4({ exact: true });
+
+module.exports = function* createToken() {
+  var readonly = this.request.body.readonly;
+  if (typeof readonly !== 'undefined' && typeof readonly !== 'boolean') {
+    this.status = 400;
+    var error = '[bad_request] readonly ' + readonly + ' is not boolean';
+    this.body = {
+      error,
+      reason: error,
+    };
+    return;
+  }
+  var cidrWhitelist = this.request.body.cidr_whitelist;
+  if (typeof cidrWhitelist !== 'undefined') {
+    var isValidateWhiteList = Array.isArray(cidrWhitelist) && cidrWhitelist.every(function (cidr) {
+      return ipv4.test(cidr);
+    });
+    if (!isValidateWhiteList) {
+      this.status = 400;
+      var error = '[bad_request] cide white list ' + JSON.stringify(cidrWhitelist) + ' is not validate ip array';
+      this.body = {
+        error,
+        reason: error,
+      };
+      return;
+    }
+  }
+
+  var password = this.request.body.password;
+  var user = yield userService.auth(this.user.name, password);
+  if (!user) {
+    this.status = 401;
+    var error = '[unauthorized] incorrect or missing password.';
+    this.body = {
+      error,
+      reason: error,
+    };
+    return;
+  }
+
+  var tokenServiceImpl = this.tokenService || tokenService;
+
+  var token = yield tokenServiceImpl.createToken(this.user.name, {
+    readonly: !!readonly,
+    cidrWhitelist: cidrWhitelist || [],
+  });
+  this.status = 201;
+  this.body = token;
+};
--- a/controllers/registry/token/del.js
+++ b/controllers/registry/token/del.js
@@ -0,0 +1,8 @@
+'use strict';
+
+var tokenService = require('../../../services/token');
+
+module.exports = function* deleteToken() {
+  yield tokenService.deleteToken(this.user.name, this.params.UUID);
+  this.status = 204;
+};
--- a/controllers/registry/token/list.js
+++ b/controllers/registry/token/list.js
@@ -0,0 +1,60 @@
+'use strict';
+
+var tokenService = require('../../../services/token');
+
+var DEFAULT_PER_PAGE = 10;
+var MIN_PER_PAGE = 1;
+var MAX_PER_PAGE = 9999;
+
+module.exports = function* createToken() {
+  var perPage = typeof this.query.perPage === 'undefined' ? DEFAULT_PER_PAGE : parseInt(this.query.perPage);
+  if (Number.isNaN(perPage)) {
+    this.status = 400;
+    var error = 'perPage ' + this.query.perPage + ' is not a number';
+    this.body = {
+      error,
+      reason: error,
+    };
+    return;
+  }
+  if (perPage < MIN_PER_PAGE || perPage > MAX_PER_PAGE) {
+    this.status = 400;
+    var error = 'perPage ' + this.query.perPage + ' is out of boundary';
+    this.body = {
+      error,
+      reason: error,
+    };
+    return;
+  }
+
+  var page = typeof this.query.page === 'undefined' ? 0 : parseInt(this.query.page);
+  if (Number.isNaN(page)) {
+    this.status = 400;
+    var error = 'page ' + this.query.page + ' is not a number';
+    this.body = {
+      error,
+      reason: error,
+    };
+    return;
+  }
+  if (page < 0) {
+    this.status = 400;
+    var error = 'page ' + this.query.page + ' is invalidate';
+    this.body = {
+      error,
+      reason: error,
+    };
+    return;
+  }
+
+  var tokens = yield tokenService.listToken(this.user.name, {
+    page: page,
+    perPage: perPage,
+  });
+
+  this.status = 200;
+  this.body = {
+    objects: tokens,
+    urls: {},
+  };
+};
--- a/controllers/registry/user/add.js
+++ b/controllers/registry/user/add.js
@@ -3,6 +3,7 @@
 var ensurePasswordSalt = require('./common').ensurePasswordSalt;
 var userService = require('../../../services/user');
 var config = require('../../../config');
+var tokenService = require('../../../services/token');

 // npm 1.4.4
 // add new user first
@@ -63,8 +64,13 @@ module.exports = function* addUser() {
    return;
  }
  if (loginedUser) {
+    var token = yield tokenService.createToken(body.name, {
+      readonly: !!body.readonly,
+      cidrWhitelist: body.cidr_whitelist || [],
+    });
    this.status = 201;
    this.body = {
+      token: token.token,
      ok: true,
      id: 'org.couchdb.user:' + loginedUser.login,
      rev: Date.now() + '-' + loginedUser.login
@@ -118,8 +124,15 @@ module.exports = function* addUser() {
  // add new user
  var result = yield userService.add(user);
  this.etag = '"' + result.rev + '"';
+
+  var token = yield tokenService.createToken(body.name, {
+    readonly: !!body.readonly,
+    cidrWhitelist: body.cidr_whitelist || [],
+  });
+
  this.status = 201;
  this.body = {
+    token: token.token,
    ok: true,
    id: 'org.couchdb.user:' + name,
    rev: result.rev
--- a/controllers/registry/user/ping.js
+++ b/controllers/registry/user/ping.js
@@ -0,0 +1,7 @@
+'use strict';
+
+// https://docs.npmjs.com/cli/ping
+module.exports = function* () {
+  this.status = 200;
+  this.body = {};
+};
--- a/controllers/registry/user/whoami.js
+++ b/controllers/registry/user/whoami.js
@@ -0,0 +1,9 @@
+'use strict';
+
+// https://docs.npmjs.com/cli/whoami
+module.exports = function* () {
+  this.status = 200;
+  this.body = {
+    username: this.user.name,
+  };
+};
--- a/controllers/sync.js
+++ b/controllers/sync.js
@@ -2,6 +2,7 @@

 var debug = require('debug')('cnpmjs.org:controllers:sync');
 var Log = require('../services/module_log');
+var npmService = require('../services/npm');
 var SyncModuleWorker = require('./sync_module_worker');
 var config = require('../config');

@@ -19,7 +20,8 @@ exports.sync = function* () {
  var publish = this.query.publish === 'true';
  var noDep = this.query.nodeps === 'true';
  var syncUpstreamFirst = this.query.sync_upstream === 'true';
-  if (!config.sourceNpmRegistryIsCNpm) {
+  var syncFromBackupFile = this.query.sync_from_backup === 'true';
+  if (!config.enableWebDataRemoteRegistry && !config.sourceNpmRegistryIsCNpm) {
    syncUpstreamFirst = false;
  }
  debug('sync %s with query: %j, syncUpstreamFirst: %s', name, this.query, syncUpstreamFirst);
@@ -38,6 +40,7 @@ exports.sync = function* () {
    publish: publish,
    noDep: noDep,
    syncUpstreamFirst: syncUpstreamFirst,
+    syncFromBackupFile: syncFromBackupFile,
  };

  var logId = yield SyncModuleWorker.sync(name, username, options);
@@ -50,6 +53,55 @@ exports.sync = function* () {
  };
 };

+exports.scopeSync = function* () {
+  var scope = this.params.scope;
+
+  var scopeConfig = (config.syncScopeConfig || []).find(function (item) {
+    return item.scope === scope
+  })
+
+  if (!scopeConfig) {
+    this.status = 404;
+    this.body = {
+      error: 'no_scope',
+      reason: 'only has syncScopeConfig config can use this feature'
+    };
+    return;
+  }
+
+  var scopeCnpmWeb = scopeConfig.sourceCnpmWeb
+  var scopeCnpmRegistry = scopeConfig.sourceCnpmRegistry
+  var packages = yield npmService.getScopePackagesShort(scope, scopeCnpmWeb)
+
+  debug('scopeSync %s with query: %j', scope, this.query);
+
+  var packageSyncWorkers = []
+
+  for (let i = 0; i < packages.length; i++) {
+    packageSyncWorkers.push(function* () {
+      var name = packages[i]
+      var logId = yield SyncModuleWorker.sync(name, 'admin', {
+        type: 'package',
+        publish: true,
+        noDep: true,
+        syncUpstreamFirst: false,
+        syncPrivatePackage: { [scope]: scopeCnpmRegistry }
+      })
+      return { name: name, logId: logId }
+    })
+  }
+
+  var logIds = yield packageSyncWorkers
+
+  debug('scopeSync %s got log id %j', scope, logIds);
+
+  this.status = 201;
+  this.body = {
+    ok: true,
+    logIds: logIds
+  };
+};
+
 exports.getSyncLog = function* (next) {
  var logId = Number(this.params.id || this.params[1]);
  var offset = Number(this.query.offset) || 0;
--- a/controllers/sync_module_worker.js
+++ b/controllers/sync_module_worker.js
@@ -8,6 +8,7 @@ var thunkify = require('thunkify-wrap');
 var EventEmitter = require('events').EventEmitter;
 var util = require('util');
 var fs = require('fs');
+var mzFs = require('mz/fs');
 var path = require('path');
 var crypto = require('crypto');
 var sleep = require('co-sleep');
@@ -48,10 +49,13 @@ function SyncModuleWorker(options) {
  this.names = options.name;
  this.startName = this.names[0];

+  this.syncPrivatePackage = options.syncPrivatePackage;
+
  this.username = options.username;
  this.concurrency = options.concurrency || 1;
  this._publish = options.publish === true; // _publish_on_cnpm
  this.syncUpstreamFirst = options.syncUpstreamFirst;
+  this.syncFromBackupFile = options.syncFromBackupFile;

  this.syncingNames = {};
  this.nameMap = {};
@@ -164,6 +168,7 @@ SyncModuleWorker.prototype.start = function () {
    }
    yield arr;
    that._saveLog();
+    yield that._saveBackupFiles();
  }).catch(function (err) {
    logger.error(err);
    that._saveLog();
@@ -215,18 +220,24 @@ SyncModuleWorker.prototype._doneOne = function* (concurrencyId, name, success) {
 };

 SyncModuleWorker.prototype.syncUpstream = function* (name) {
-  if (config.sourceNpmRegistry.indexOf('registry.npmjs.org') >= 0 ||
-      config.sourceNpmRegistry.indexOf('registry.npmjs.com') >= 0 ||
-      config.sourceNpmRegistry.indexOf('replicate.npmjs.com') >= 0) {
+  var sourceNpmRegistry = config.sourceNpmRegistry;
+  if (config.enableWebDataRemoteRegistry) {
+    sourceNpmRegistry = config.webDataRemoteRegistry;
+  }
+
+  if (sourceNpmRegistry.indexOf('registry.npmjs.org') >= 0 ||
+      sourceNpmRegistry.indexOf('registry.npmjs.com') >= 0 ||
+      sourceNpmRegistry.indexOf('replicate.npmjs.com') >= 0) {
    this.log('----------------- upstream is npm registry: %s, ignore it -------------------',
-      config.sourceNpmRegistry);
+      sourceNpmRegistry);
    return;
  }
  var syncname = name;
  if (this.type === 'user') {
    syncname = this.type + ':' + syncname;
  }
-  var url = config.sourceNpmRegistry + '/' + syncname + '/sync?sync_upstream=true';
+
+  var url = sourceNpmRegistry + '/' + syncname + '/sync?sync_upstream=true';
  if (this.noDep) {
    url += '&nodeps=true';
  }
@@ -245,7 +256,7 @@ SyncModuleWorker.prototype.syncUpstream = function* (name) {
      url, r.status, r.data);
  }

-  var logURL = config.sourceNpmRegistry + '/' + name + '/sync/log/' + r.data.logId;
+  var logURL = sourceNpmRegistry + '/' + name + '/sync/log/' + r.data.logId;
  var offset = 0;
  this.log('----------------- Syncing upstream %s -------------------', logURL);

@@ -310,23 +321,29 @@ SyncModuleWorker.prototype.next = function* (concurrencyId) {
    return setImmediate(this.finish.bind(this));
  }

-  if (config.syncModel === 'none') {
+  const defineRegistry = this.getPrivatePackageDefineRegistry(name)
+
+  if (!defineRegistry && config.syncModel === 'none') {
    this.log('[c#%d] [%s] syncModel is none, ignore',
-      concurrencyId, name);
+     concurrencyId, name);
    return this.finish();
  }

-  // try to sync from official replicate when source npm registry is not cnpmjs.org
-  const registry = config.sourceNpmRegistryIsCNpm ? config.sourceNpmRegistry : config.officialNpmReplicate;
+  // try to sync from official replicate when no defineRegistry or source npm registry is not cnpmjs.org
+  let registry
+  if (defineRegistry) {
+    registry = defineRegistry
+  } else {
+    registry = config.sourceNpmRegistryIsCNpm ? config.sourceNpmRegistry : config.officialNpmReplicate;
+  }

  yield this.syncByName(concurrencyId, name, registry);
 };

-SyncModuleWorker.prototype.syncByName = function* (concurrencyId, name, registry) {
-  var that = this;
-  that.syncingNames[name] = true;
-  var pkg = null;
-  var status = 0;
+// TODO unimplement unpublish
+SyncModuleWorker.prototype._syncByNameFromBackupFile = function* (concurrencyId, name, retryCount) {
+  const that = this;
+  this.syncingNames[name] = true;

  this.log('----------------- Syncing %s -------------------', name);

@@ -338,9 +355,198 @@ SyncModuleWorker.prototype.syncByName = function* (concurrencyId, name, registry
    return;
  }

+  // validate if unpublish
+  const unpublished = yield validateUnpublish(name);
+  if (unpublished) {
+    this.log('[c#%d] [%s] package is unpublished skip sync',
+      concurrencyId, name);
+    yield this._doneOne(concurrencyId, name, true);
+    return;
+  }
+
+  let packageJsons;
+  let tags;
+  try {
+    const packageDir = common.getSyncPackageDir(name);
+    const packageDirFiles = yield nfs.list(packageDir);
+    const packageJsonFileNames = packageDirFiles.filter(fileName => common.isBackupPkgFile(fileName));
+
+    const distTagDir = common.getSyncTagDir(name);
+    const distTagDirFiles = yield nfs.list(distTagDir);
+    const distTagFileNames = distTagDirFiles.filter(fileName => common.isBackupTagFile(fileName));
+
+    const packageJsonRes = yield gather(packageJsonFileNames.map(function* (packageJsonFileName) {
+      const version = common.getVersionFromFileName(packageJsonFileName);
+      return yield readPackage(name, version);
+    }), 5);
+    packageJsons = packageJsonRes.map(({ isError, error, value}) => {
+      if (isError) {
+        error.message = '[sync] read package.json failed: ' + error.message;
+        throw error;
+      }
+      return value;
+    });
+
+    packageJsons = packageJsons.sort((a, b) => {
+      return a.publish_time - b.publish_time;
+    });
+
+    const tagRes = yield gather(distTagFileNames.map(function* (tagFileName) {
+      const tag = common.getTagNameFromFileName(tagFileName);
+      const version = yield readDistTag(name, tag);
+      return {
+        tag,
+        version,
+      };
+    }));
+    tags = tagRes.map(({ isError, error, value}) => {
+      if (isError) {
+        error.message = '[sync] read dist-tag failed: ' + error.message;
+        throw error;
+      }
+      return value;
+    });
+  } catch (err) {
+    if (retryCount < 3) {
+      this.log('[c#%d] [%s] retry from oss after 3s, err: %s, retryCount: %s',
+        concurrencyId, name, err.stack, retryCount);
+      yield sleep(3000);
+      yield this._syncByNameFromBackupFile(concurrencyId, name, retryCount + 1);
+      return;
+    }
+    this.log('[c#%s] [error] [%s] sync error: %s', concurrencyId, name, err.stack);
+    yield this._doneOne(concurrencyId, name, false);
+    return;
+  }
+
+  const firstPkg = packageJsons[0];
+  const lastPkg = packageJsons[packageJsons.length - 1];
+
+  const times = packageJsons.reduce((times, packageJson) => {
+    times[packageJson.version] = new Date(packageJson.publish_time);
+    return times;
+  }, {
+    modified: new Date(lastPkg.publish_time),
+    created: new Date(firstPkg.publish_time),
+  });
+  const distTags = tags.reduce((distTags, tag) => {
+    distTags[tag.tag] = tag.version;
+    return distTags;
+  }, {});
+  const versions = packageJsons.reduce((versions, packageJson) => {
+    versions[packageJson.version] = packageJson;
+    return versions;
+  }, {});
+
+  const pkg = {
+    name,
+    'dist-tags': distTags,
+    versions: versions,
+    time: times,
+
+    description: lastPkg.description,
+    maintainers: lastPkg.maintainers,
+    author: lastPkg.author,
+    repository: lastPkg.repository,
+    readme: lastPkg.readme,
+    readmeFilename: lastPkg.readmeFilename,
+    homepage: lastPkg.homepage,
+    bugs: lastPkg.bugs,
+    license: lastPkg.license,
+  };
+
+  let syncVersions;
+  try {
+    syncVersions = yield this._sync(name, pkg);
+  } catch (err) {
+    this.log('[c#%s] [error] [%s] sync error: %s', concurrencyId, name, err.stack);
+    yield this._doneOne(concurrencyId, name, false);
+    return;
+  }
+
+  // has new version
+  if (syncVersions.length > 0) {
+    this.updates.push(name);
+  }
+
+  this.log('[c#%d] [%s] synced success, %d versions: %s',
+    concurrencyId, name, syncVersions.length, syncVersions.join(', '));
+  yield this._doneOne(concurrencyId, name, true);
+
+  return syncVersions;
+
+  function* validateUnpublish(name) {
+    const filePath = common.getTarballFilepath(name, '', `unpublish-package.json`);
+    const cdnKey = common.getUnpublishFileKey(name);
+    let unpublishInfo;
+    try {
+      yield nfs.download(cdnKey, filePath);
+      const packageJSONFile = yield mzFs.readFile(filePath, 'utf8');
+      unpublishInfo = JSON.parse(packageJSONFile);
+    } catch (_) {
+      // ...
+      return false;
+    } finally {
+      fs.unlink(filePath, utility.noop);
+    }
+    that.log('[c#%s] get unpublish info', concurrencyId, name);
+    yield that._unpublished(name, unpublishInfo);
+    return true;
+  }
+
+  function* readPackage(name, version) {
+    const filePath = common.getTarballFilepath(name, version, `package-${version}.json`);
+    const packageJsonKey = common.getPackageFileCDNKey(name, version);
+    try {
+      yield nfs.download(packageJsonKey, filePath);
+      const packageJSONFile = yield mzFs.readFile(filePath, 'utf8');
+      console.log('file: ', filePath, packageJSONFile);
+      const packageJSON = JSON.parse(packageJSONFile);
+      return packageJSON;
+    } finally {
+      fs.unlink(filePath, utility.noop);
+    }
+  }
+
+  function* readDistTag(name, tag) {
+    const filePath = common.getTarballFilepath(name, '', `tag-${tag}.json`);
+    const packageJsonKey = common.getDistTagCDNKey(name, tag);
+    try {
+      yield nfs.download(packageJsonKey, filePath);
+      const version = yield mzFs.readFile(filePath, 'utf8');
+      return version;
+    } finally {
+      fs.unlink(filePath, utility.noop);
+    }
+  }
+};
+
+SyncModuleWorker.prototype.syncByName = function* (concurrencyId, name, registry, retryCount) {
+  if (this.syncFromBackupFile) {
+    yield this._syncByNameFromBackupFile(concurrencyId, name, retryCount);
+    return;
+  }
+
+  retryCount = retryCount || 0;
+  var that = this;
+  that.syncingNames[name] = true;
+  var pkg = null;
+  var status = 0;
+
+  this.log('----------------- Syncing %s -------------------', name);
+
+  const isNeedSyncPrivatePackage = this.getPrivatePackageDefineRegistry(name)
+  // ignore private scoped package
+  if (!isNeedSyncPrivatePackage && common.isPrivateScopedPackage(name)) {
+    this.log('[c#%d] [%s] ignore sync private scoped %j package',
+      concurrencyId, name, config.scopes);
+    yield this._doneOne(concurrencyId, name, true);
+    return;
+  }
+
  let realRegistry = registry;
  // get from npm, don't cache
-  const packageUrl = '/' + name.replace('/', '%2f') + '?sync_timestamp=' + Date.now();
+  const packageUrl = '/' + name.replace('/', '%2f') + '?cache=0&sync_timestamp=' + Date.now();
  try {
    var result = yield npmSerivce.request(packageUrl, { registry: registry });
    pkg = result.data;
@@ -373,17 +579,28 @@ SyncModuleWorker.prototype.syncByName = function* (concurrencyId, name, registry
    // if 404
    if (!err.res || err.res.statusCode !== 404) {
      var errMessage = err.name + ': ' + err.message;
-      that.log('[c#%s] [error] [%s] get package(%s%s) error: %s, status: %s',
-        concurrencyId, name, registry, packageUrl, errMessage, status);
-      // replicate request error, try to request from official registry
-      if (registry !== config.officialNpmReplicate) {
+      that.log('[c#%s] [error] [%s] get package(%s%s) error: %s, status: %s, retryCount: %s',
+        concurrencyId, name, registry, packageUrl, errMessage, status, retryCount);
+
+      // retry from cnpmRegistry again, max 3 times
+      if (registry === config.cnpmRegistry && retryCount < 3) {
+        this.log('[c#%d] [%s] retry from %s after 3s, retryCount: %s',
+          concurrencyId, name, registry, retryCount);
+        yield sleep(3000);
+        yield that.syncByName(concurrencyId, name, registry, retryCount + 1);
+        return;
+      }
+
+      // replicate/cnpmRegistry request error, try to request from official registry
+      if (registry !== config.officialNpmReplicate && registry !== config.cnpmRegistry) {
        // sync fail
        yield that._doneOne(concurrencyId, name, false);
        return;
      }

      // retry from officialNpmRegistry when officialNpmReplicate fail
-      this.log('[c#%d] [%s] retry from %s', concurrencyId, name, config.officialNpmRegistry);
+      this.log('[c#%d] [%s] retry from %s, retryCount: %s',
+        concurrencyId, name, config.officialNpmRegistry, retryCount);
      try {
        var result = yield npmSerivce.request(packageUrl, { registry: config.officialNpmRegistry });
        pkg = result.data;
@@ -486,6 +703,21 @@ SyncModuleWorker.prototype.syncByName = function* (concurrencyId, name, registry
  return versions;
 };

+SyncModuleWorker.prototype.getPrivatePackageDefineRegistry = function (name) {
+  if (typeof name !== 'string') return false
+  return this.syncPrivatePackage && this.syncPrivatePackage[name.split('/')[0]]
+}
+
+SyncModuleWorker.prototype.isLocalModule = function (mods) {
+  var res = common.isLocalModule(mods)
+  if (!this.syncPrivatePackage) return res
+  if (!mods[0] || !mods[0].package || !mods[0].package.name) return res
+
+  if (this.getPrivatePackageDefineRegistry(mods[0].package.name)) return false
+
+  return res
+}
+
 function* _listStarUsers(modName) {
  var users = yield packageService.listStarUserNames(modName);
  var userMap = {};
@@ -526,7 +758,7 @@ SyncModuleWorker.prototype._unpublished = function* (name, unpublishedInfo) {
  var mods = yield packageService.listModulesByName(name);
  this.log('  [%s] start unpublished %d versions from local cnpm registry',
    name, mods.length);
-  if (common.isLocalModule(mods)) {
+  if (this.isLocalModule(mods)) {
    // publish on cnpm, dont sync this version package
    this.log('  [%s] publish on local cnpm registry, don\'t sync', name);
    return [];
@@ -543,36 +775,39 @@ SyncModuleWorker.prototype._unpublished = function* (name, unpublishedInfo) {
  var r = yield packageService.saveUnpublishedModule(name, unpublishedInfo);
  this.log('    [%s] save unpublished info: %j to row#%s',
    name, unpublishedInfo, r.id);
-  if (mods.length === 0) {
-    return;
-  }
-  yield [
-    packageService.removeModulesByName(name),
-    packageService.removeModuleTags(name),
-  ];
-  var keys = [];
-  for (var i = 0; i < mods.length; i++) {
-    var row = mods[i];
-    var dist = row.package.dist;
-    var key = dist.key;
-    if (!key) {
-      key = urlparse(dist.tarball).pathname;
+  if (mods.length) {
+    yield [
+      packageService.removeModulesByName(name),
+      packageService.removeModuleTags(name),
+    ];
+    var keys = [];
+    for (var i = 0; i < mods.length; i++) {
+      var row = mods[i];
+      var dist = row.package.dist;
+      var key = dist.key;
+      if (!key) {
+        key = urlparse(dist.tarball).pathname;
+      }
+      key && keys.push(key);
    }
-    key && keys.push(key);
+
+    if (keys.length > 0) {
+      try {
+        yield keys.map(function (key) {
+          return nfs.remove(key);
+        });
+      } catch (err) {
+        // ignore error here
+        this.log('    [%s] delete nfs files: %j error: %s: %s',
+          name, keys, err.name, err.message);
+      }
+    }
+    this.log('    [%s] delete nfs files: %j success', name, keys);
  }

-  if (keys.length > 0) {
-    try {
-      yield keys.map(function (key) {
-        return nfs.remove(key);
-      });
-    } catch (err) {
-      // ignore error here
-      this.log('    [%s] delete nfs files: %j error: %s: %s',
-        name, keys, err.name, err.message);
-    }
+  if (config.syncBackupFiles) {
+    yield this._saveUnpublishFile(name, unpublishedInfo);
  }
-  this.log('    [%s] delete nfs files: %j success', name, keys);
 };

 SyncModuleWorker.prototype._sync = function* (name, pkg) {
@@ -591,7 +826,7 @@ SyncModuleWorker.prototype._sync = function* (name, pkg) {
  var existsNpmMaintainers = result[3];
  var existsModuleAbbreviateds = result[4];

-  if (common.isLocalModule(moduleRows)) {
+  if (this.isLocalModule(moduleRows)) {
    // publish on cnpm, dont sync this version package
    that.log('  [%s] publish on local cnpm registry, don\'t sync', name);
    return [];
@@ -637,6 +872,8 @@ SyncModuleWorker.prototype._sync = function* (name, pkg) {

  // get package AbbreviatedMetadata
  var remoteAbbreviatedMetadatas = {};
+  // store remote abbreviated versions
+  var remoteAbbreviatedVersionsMap = {};
  if (config.enableAbbreviatedMetadata) {
    // use ?cache=0 tell registry dont use cache result
    var packageUrl = '/' + name.replace('/', '%2f') + '?cache=0&sync_timestamp=' + Date.now();
@@ -656,11 +893,32 @@ SyncModuleWorker.prototype._sync = function* (name, pkg) {
          name, err, result.headers, result.data);
      }
      if (data) {
-        var versions = data && data.versions || {};
-        for (var version in versions) {
-          const item = versions[version];
-          if (item && typeof item._hasShrinkwrap === 'boolean') {
-            remoteAbbreviatedMetadatas[version] = { _hasShrinkwrap: item._hasShrinkwrap };
+        remoteAbbreviatedVersionsMap = data && data.versions || {};
+        for (var version in remoteAbbreviatedVersionsMap) {
+          const item = remoteAbbreviatedVersionsMap[version];
+          if (!item) {
+            continue;
+          }
+          let hasMetaData = false;
+          const metaData = {};
+          // _hasShrinkwrap maybe undefined, dont change it
+          if (typeof item._hasShrinkwrap === 'boolean') {
+            hasMetaData = true;
+            metaData._hasShrinkwrap = item._hasShrinkwrap;
+          }
+
+          // https://github.com/cnpm/cnpmjs.org/issues/1667
+          const metaDataKeys = [
+            'peerDependenciesMeta', 'os', 'cpu', 'libc', 'workspaces', 'hasInstallScript',
+          ];
+          for (const key of metaDataKeys) {
+            if (key in item) {
+              hasMetaData = true;
+              metaData[key] = item[key];
+            }
+          }
+          if (hasMetaData) {
+            remoteAbbreviatedMetadatas[version] = metaData;
          }
        }
      }
@@ -680,7 +938,7 @@ SyncModuleWorker.prototype._sync = function* (name, pkg) {
  var diffNpmMaintainers = [];

  // [
-  //   { name, version, _hasShrinkwrap }
+  //   { name, version, _hasShrinkwrap(boolean), peerDependenciesMeta(object), os(array), cpu(array), workspaces(array) }
  // ]
  var missingAbbreviatedMetadatas = [];
  // [
@@ -852,16 +1110,32 @@ SyncModuleWorker.prototype._sync = function* (name, pkg) {
          });
          changedVersions[v] = 1;
        }
+
        // find missing abbreviatedMetadata
        if (abbreviatedMetadata) {
          for (var key in abbreviatedMetadata) {
-            if (!(key in exists.package) || abbreviatedMetadata[key] !== exists.package[key]) {
-              missingAbbreviatedMetadatas.push(Object.assign({
-                id: exists.id,
-                name: exists.package.name,
-                version: exists.package.version,
-              }, abbreviatedMetadata));
-              break;
+            const value = abbreviatedMetadata[key];
+            // boolean: _hasShrinkwrap, hasInstallScript
+            if ((key === '_hasShrinkwrap' || key === 'hasInstallScript') && typeof value === 'boolean') {
+              if (!(key in exists.package) || abbreviatedMetadata[key] !== exists.package[key]) {
+                missingAbbreviatedMetadatas.push(Object.assign({
+                  id: exists.id,
+                  name: exists.package.name,
+                  version: exists.package.version,
+                }, abbreviatedMetadata));
+                break;
+              }
+            } else if (Array.isArray(value) || (typeof value === 'object' && value)) {
+              // array: os, cpu, workspaces, libc
+              // object: peerDependenciesMeta
+              if (existsModuleAbbreviated && !(key in existsModuleAbbreviated.package)) {
+                missingAbbreviatedMetadatas.push(Object.assign({
+                  id: exists.id,
+                  name: exists.package.name,
+                  version: exists.package.version,
+                }, abbreviatedMetadata));
+                break;
+              }
            }
          }
        }
@@ -933,7 +1207,7 @@ SyncModuleWorker.prototype._sync = function* (name, pkg) {
    var tries = 3;
    while (true) {
      try {
-        yield that._syncOneVersion(index, syncModule);
+        yield that._syncOneVersion(index, syncModule, remoteAbbreviatedVersionsMap[syncModule.version]);
        syncedVersionNames.push(syncModule.version);
        break;
      } catch (err) {
@@ -1084,7 +1358,7 @@ SyncModuleWorker.prototype._sync = function* (name, pkg) {
    that.log('  [%s] saving %d missing moduleAbbreviateds', name, missingModuleAbbreviateds.length);

    var res = yield gather(missingModuleAbbreviateds.map(function (item) {
-      return packageService.saveModuleAbbreviated(item);
+      return packageService.saveModuleAbbreviated(item, remoteAbbreviatedVersionsMap[item.version]);
    }));

    for (var i = 0; i < res.length; i++) {
@@ -1303,7 +1577,7 @@ SyncModuleWorker.prototype._sync = function* (name, pkg) {
  return syncedVersionNames;
 };

-SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePackage) {
+SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePackage, remoteAbbreviatedVersion) {
  var delay = Date.now() - sourcePackage.publish_time;
  logger.syncInfo('[sync_module_worker] delay: %s ms, publish_time: %s, start sync %s@%s',
    delay, utility.logDate(new Date(sourcePackage.publish_time)),
@@ -1312,8 +1586,14 @@ SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePack
  var username = this.username;
  var downurl = sourcePackage.dist.tarball;
  var urlobj = urlparse(downurl);
+  // let cnpmjs.org registry know this request send from sync worker
+  if (downurl.indexOf('?') > 0) {
+    downurl = `${downurl}&cache=0&sync_timestamp=${Date.now()}`;
+  } else {
+    downurl = `${downurl}?cache=0&sync_timestamp=${Date.now()}`;
+  }
  var filename = path.basename(urlobj.pathname);
-  var filepath = common.getTarballFilepath(filename);
+  var filepath = common.getTarballFilepath(sourcePackage.name, sourcePackage.version, filename);
  var ws = fs.createWriteStream(filepath);

  var downloadOptions = {
@@ -1440,7 +1720,7 @@ SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePack
      throw err;
    }
    logger.syncInfo('[sync_module_worker] uploaded, saving %j to database', result);
-    var r = yield afterUpload(result);
+    var r = yield afterUpload(result, remoteAbbreviatedVersion);
    logger.syncInfo('[sync_module_worker] sync %s@%s done!',
      sourcePackage.name, sourcePackage.version);
    return r;
@@ -1449,7 +1729,7 @@ SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePack
    fs.unlink(filepath, utility.noop);
  }

-  function *afterUpload(result) {
+  function *afterUpload(result, remoteAbbreviatedVersion) {
    //make sure sync module have the correct author info
    //only if can not get maintainers, use the username
    var author = username;
@@ -1476,11 +1756,13 @@ SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePack
      mod.package._publish_on_cnpm = true;
    }

-    var dist = {
+    // keep orgin dist fields, like `integrity` and so on
+    var dist = Object.assign({}, sourcePackage.dist, {
+      tarball: '',
      shasum: shasum,
      size: dataSize,
      noattachment: dataSize === 0,
-    };
+    });

    if (result.url) {
      dist.tarball = result.url;
@@ -1493,7 +1775,7 @@ SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePack
    var r = yield packageService.saveModule(mod);
    var moduleAbbreviatedId = null;
    if (config.enableAbbreviatedMetadata) {
-      var moduleAbbreviatedResult = yield packageService.saveModuleAbbreviated(mod);
+      var moduleAbbreviatedResult = yield packageService.saveModuleAbbreviated(mod, remoteAbbreviatedVersion);
      moduleAbbreviatedId = moduleAbbreviatedResult.id;
    }

@@ -1511,6 +1793,141 @@ SyncModuleWorker.prototype._syncOneVersion = function *(versionIndex, sourcePack
  }
 };

+SyncModuleWorker.prototype._saveBackupFiles = function *() {
+  if (!config.syncBackupFiles) {
+    return;
+  }
+  const pkgNames = Object.keys(this.nameMap);
+  const that = this;
+  yield gather(pkgNames.map(function* (pkgName) {
+    yield that._saveBackupFile(pkgName);
+  }), 5);
+};
+
+SyncModuleWorker.prototype._saveBackupFile = function *(pkgName) {
+  const [ mods, tags ] = yield [
+    packageService.listModulesByName(pkgName, [ 'version' ]),
+    packageService.listModuleTags(pkgName),
+  ];
+  const that = this;
+  yield gather(mods.map(function* (mod) {
+    yield that._savePackageJsonBackup(pkgName, mod.version);
+  }), 5);
+  yield gather(tags.map(function* (tag) {
+    yield that._saveDistTagBackup(pkgName, tag.tag, tag.version);
+  }), 5);
+  yield this._clearDeletedDistTags(pkgName, tags.map(t => t.tag));
+};
+
+SyncModuleWorker.prototype._saveUnpublishFile = function* (pkgName, pkg) {
+  const cdnKey = common.getUnpublishFileKey(pkgName);
+  const filePath = common.getTarballFilepath(pkgName, '', 'unpublish-package.json');
+  this.log('[%s] start save unpublish-package.json', pkgName);
+  const file = JSON.stringify(pkg);
+  yield mzFs.writeFile(filePath, file);
+
+  let shasum = crypto.createHash('sha1');
+  shasum.update(file);
+  shasum = shasum.digest('hex');
+
+  yield nfs.upload(filePath, {
+    key: cdnKey,
+    size: file.length,
+    shasum: shasum,
+  });
+  this.log('[%s:%s] save unpublish package.json backup success', pkgName);
+};
+
+SyncModuleWorker.prototype._savePackageJsonBackup = function *(pkgName, version) {
+  const cdnKey = common.getPackageFileCDNKey(pkgName, version);
+  const filePath = common.getTarballFilepath(pkgName, version, `package-${version}.json`);
+  this.log('[%s:%s] start backup package.json', pkgName, version);
+  // If package.json exists no need to sync
+  try {
+    yield nfs.download(cdnKey, filePath);
+    fs.unlink(filePath, utility.noop);
+    this.log('[%s:%s] package.json exits skip backup', pkgName, version);
+    // Download success, no need to sync
+    return;
+  } catch (_) {
+    // ...
+  }
+  // Version is from db, so mod can not be null
+  const mod = yield packageService.showPackage(pkgName, version, {
+    protocol: config.backupProtocol,
+  });
+
+  const file = JSON.stringify(mod.package);
+  yield mzFs.writeFile(filePath, file);
+
+  let shasum = crypto.createHash('sha1');
+  shasum.update(file);
+  shasum = shasum.digest('hex');
+
+  yield nfs.upload(filePath, {
+    key: cdnKey,
+    size: file.length,
+    shasum: shasum,
+  });
+  this.log('[%s:%s] package.json backup success', pkgName, version);
+};
+
+SyncModuleWorker.prototype._saveDistTagBackup = function *(pkgName, tag, version) {
+  const cdnKey = common.getDistTagCDNKey(pkgName, tag);
+  const filePath = common.getTarballFilepath(pkgName, '', `tag-${tag}.json`);
+  this.log('[%s:%s] start backup dist-tag.json', pkgName, tag);
+  let oldVersion;
+  try {
+    yield nfs.download(cdnKey, filePath);
+    oldVersion = yield mzFs.readFile(filePath, 'utf8');
+    fs.unlink(filePath, utility.noop);
+  } catch (_) {
+    // ...
+  }
+  this.log('[%s:%s] backup dist tag is %j current dist tag is %j', pkgName, tag, oldVersion, version);
+  if (oldVersion === version) {
+    this.log('[%s:%s] tag equal skip sync', pkgName, tag);
+    return;
+  }
+  this.log('[%s:%s] tag not equal start sync', pkgName, tag);
+  const file = version;
+  yield mzFs.writeFile(filePath, file);
+
+  let shasum = crypto.createHash('sha1');
+  shasum.update(file);
+  shasum = shasum.digest('hex');
+
+  yield nfs.upload(filePath, {
+    key: cdnKey,
+    size: file.length,
+    shasum: shasum,
+  });
+  this.log('[%s:%s] backup dist tag success', pkgName, tag);
+};
+
+SyncModuleWorker.prototype._clearDeletedDistTags = function *(pkgName, tagNames) {
+  const syncDir = common.getSyncTagDir(pkgName);
+  const backupDistTagFiless = yield nfs.list(syncDir);
+  const currentTagNames = new Set(tagNames);
+  const shouldDelTags = backupDistTagFiless.filter(tagFileName => {
+    const tagName = common.getTagNameFromFileName(tagFileName);
+    return (
+      // File is an dist-tag file
+      tagName
+      // tag is deleted
+      && !currentTagNames.has(tagName)
+    );
+  });
+  this.log('[%s] current tags %j backup tags %j should delete tags %j', pkgName, tagNames, backupDistTagFiless, shouldDelTags);
+  const that = this;
+  yield shouldDelTags.map(function* (tagFileName) {
+    const filePath = path.join(syncDir, tagFileName);
+    that.log('[%s] delete tags %s', pkgName, filePath);
+    yield nfs.remove(filePath);
+  });
+  this.log('[%s] delete tags success', pkgName);
+};
+
 SyncModuleWorker.sync = function* (name, username, options) {
  options = options || {};
  var result = yield logService.create({name: name, username: username});
@@ -1522,6 +1939,8 @@ SyncModuleWorker.sync = function* (name, username, options) {
    noDep: options.noDep,
    publish: options.publish,
    syncUpstreamFirst: options.syncUpstreamFirst,
+    syncFromBackupFile: options.syncFromBackupFile,
+    syncPrivatePackage: options.syncPrivatePackage
  });
  worker.start();
  return result.id;
--- a/controllers/utils.js
+++ b/controllers/utils.js
@@ -69,6 +69,7 @@ exports.getDownloadTotal = function* (name) {
    lastday: 0,
    lastweek: 0,
    lastmonth: 0,
+    total: 0,
  };

  for (var i = 0; i < rows.length; i++) {
@@ -93,6 +94,9 @@ exports.getDownloadTotal = function* (name) {
      download.lastmonth += r.count;
    }
  }
+  if (name) {
+    download.total = yield downloadTotalService.getTotalByName(name);
+  }
  return download;
 };

@@ -155,3 +159,10 @@ exports.getOssLicenseUrlFromName = function (name) {
  return licenseMap[name.toLowerCase()] ?
    base + licenseMap[name.toLowerCase()] : base + name;
 };
+
+exports.ensureSinceIsDate = function(since) {
+  if (!(since instanceof Date)) {
+    return new Date(Number(since));
+  }
+  return since;
+}
--- a/controllers/web/package/show.js
+++ b/controllers/web/package/show.js
@@ -12,9 +12,14 @@ var utils = require('../../utils');
 var setDownloadURL = require('../../../lib/common').setDownloadURL;
 var renderMarkdown = require('../../../common/markdown').render;
 var packageService = require('../../../services/package');
+var blocklistService = require('../../../services/blocklist');
 var downloadTotalService = require('../../../services/download_total');
+var showWithRemote = require('./showWithRemote');

 module.exports = function* show(next) {
+  if (config.enableWebDataRemoteRegistry) {
+    return yield showWithRemote(this, next);
+  }
  var params = this.params;
  // normal: {name: $name, version: $version}
  // scope: [$name, $version]
@@ -71,6 +76,16 @@ module.exports = function* show(next) {
    return yield next;
  }

+  var blocks = yield blocklistService.findBlockPackageVersions(name);
+  if (blocks) {
+    var block = blocks['*'] || blocks[pkg.version];
+    if (block) {
+      this.status = 451;
+      this.body = `[block] package@${pkg.version} was blocked, reason: ${block.reason}`;
+      return;
+    }
+  }
+
  var r = yield [
    utils.getDownloadTotal(name),
    packageService.listDependents(name),
--- a/controllers/web/package/showWithRemote.js
+++ b/controllers/web/package/showWithRemote.js
@@ -0,0 +1,97 @@
+'use strict';
+
+const debug = require('debug')('cnpmjs.org:controllers:web:package:showWithRemote');
+const moment = require('moment');
+const gravatar = require('gravatar');
+const giturl = require('giturl');
+const urllib = require('../../../common/urllib');
+const config = require('../../../config');
+const renderMarkdown = require('../../../common/markdown').render;
+
+module.exports = function* showWithRemote(ctx, next) {
+  const params = ctx.params;
+  const fullname = params.name || params[0];
+  const versionOrTag = params.version || params[1] || 'latest';
+  debug('display %s with %j', fullname, params);
+
+  const url = `${config.webDataRemoteRegistry}/${fullname}`;
+  const result = yield urllib.request(url, {
+    dataType: 'json',
+    timeout: 20000,
+    followRedirect: true,
+    gzip: true,
+  });
+  if (result.status !== 200) {
+    return yield next;
+  }
+  const manifest = result.data;
+
+  const distTags = manifest['dist-tags'] || {};
+  const realVersion = distTags[versionOrTag] || versionOrTag;
+  const versionsMap = manifest.versions || {};
+  const pkg = versionsMap[realVersion];
+  if (!pkg) {
+    return yield next;
+  }
+
+  const maintainers = manifest.maintainers;
+  if (maintainers) {
+    for (const maintainer of maintainers) {
+      if (maintainer.email) {
+        maintainer.gravatar = gravatar.url(maintainer.email, {s: '50', d: 'retro'}, true);
+      }
+    }
+    pkg.maintainers = maintainers;
+  }
+
+  const timeMap = manifest.time || {};
+  
+  pkg.readme = manifest.readme || '';
+  if (typeof pkg.readme !== 'string') {
+    pkg.readme = 'readme is not string: ' + JSON.stringify(pkg.readme);
+  } else {
+    pkg.readme = renderMarkdown(pkg.readme);
+  }
+  
+  pkg.fromNow = moment(new Date(timeMap[pkg.version])).fromNow();
+  // [ {tag, version, fromNow} ]
+  const tags = [];
+  for (const tag in distTags) {
+    const version = distTags[tag];
+    const time = timeMap[version];
+    if (time) {
+      const fromNow = moment(new Date(time)).fromNow();
+      tags.push({ tag, version, fromNow });
+    }
+  }
+  pkg.tags = tags;
+  // [ {version, deprecated, fromNow} ]
+  const versions = [];
+  for (const version in versionsMap) {
+    const item = versionsMap[version];
+    versions.push({
+      version,
+      deprecated: item.deprecated,
+      fromNow: moment(new Date(timeMap[version])).fromNow(),
+    });
+  }
+  pkg.versions = versions;
+
+  pkg.registryUrl = '//' + config.registryHost + '/' + pkg.name;
+  pkg.registryPackageUrl = '//' + config.registryHost + '/' + pkg.name + '/' + pkg.version;
+
+  if (pkg.repository === 'undefined') {
+    pkg.repository = null;
+  }
+  if (pkg.repository && pkg.repository.url) {
+    if (!pkg.repository.weburl) {
+      pkg.repository.weburl = /^https?:\/\//.test(pkg.repository.url) ? pkg.repository.url : (giturl.parse(pkg.repository.url) || pkg.repository.url);
+    }
+  }
+
+  yield ctx.render('package', {
+    title: 'Package - ' + manifest.name,
+    package: pkg,
+    download: null,
+  });
+};
--- a/controllers/web/show_scope_sync.js
+++ b/controllers/web/show_scope_sync.js
@@ -0,0 +1,23 @@
+'use strict';
+var config = require('../../config');
+var npmService = require('../../services/npm');
+
+module.exports = function* showScopeSync () {
+  var scope = this.params.scope;
+  var scopeConfig = (config.syncScopeConfig || []).find(function (item) {
+    return item.scope === scope
+  })
+
+  if (!scopeConfig) {
+    return this.redirect('/');
+  }
+
+  var packages = yield npmService.getScopePackagesShort(scope, scopeConfig.sourceCnpmWeb)
+
+  yield this.render('scope_sync', {
+    packages: packages,
+    scope: scopeConfig.scope,
+    sourceCnpmRegistry: scopeConfig.sourceCnpmRegistry,
+    title: 'Sync Scope Packages',
+  });
+};
--- a/controllers/web/show_sync.js
+++ b/controllers/web/show_sync.js
@@ -1,19 +1,6 @@
-/**!
- * cnpmjs.org - controllers/web/show_sync.js
- *
- * Copyright(c) cnpmjs.org and other contributors.
- * MIT Licensed
- *
- * Authors:
- *  dead_horse <dead_horse@qq.com> (http://deadhorse.me)
- *  fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
- */
-
 'use strict';

-/**
- * Module dependencies.
- */
+var config = require('../../config');

 module.exports = function* showSync() {
  var name = this.params.name || this.params[0] || this.query.name;
@@ -26,9 +13,11 @@ module.exports = function* showSync() {
    name = splits[1];
    type = splits[0];
  }
+  var syncTaskUrl = config.enableWebDataRemoteRegistry ? `${config.webDataRemoteRegistry}/${name}/sync` : null;
  yield this.render('sync', {
    type: type,
    name: name,
    title: 'Sync ' + type + ' - ' + name,
+    syncTaskUrl,
  });
 };
--- a/dispatch.js
+++ b/dispatch.js
@@ -7,20 +7,21 @@ var cfork = require('cfork');
 var config = require('./config');
 var workerPath = path.join(__dirname, 'worker.js');
 var syncPath = path.join(__dirname, 'sync');
+var scopeSyncPath = path.join(__dirname, 'sync/sync_scope');

 console.log('Starting cnpmjs.org ...\ncluster: %s\nadmins: %j\nscopes: %j\nsourceNpmRegistry: %s\nsyncModel: %s',
  config.enableCluster, config.admins, config.scopes, config.sourceNpmRegistry, config.syncModel);

 if (config.enableCluster) {
  forkWorker();
-  if (config.syncModel !== 'none') {
-    forkSyncer();
-  }
+  config.syncModel !== 'none' && forkSyncer();
+  // sync assign private scope package
+  config.syncScope && forkScopeSyncer();
 } else {
  require(workerPath);
-  if (config.syncModel !== 'none') {
-    require(syncPath);
-  }
+  config.syncModel !== 'none' && require(syncPath);
+  // sync assign private scope package
+  config.syncScope && require(scopeSyncPath);
 }

 function forkWorker() {
@@ -52,3 +53,15 @@ function forkSyncer() {
    setTimeout(forkSyncer, 1000);
  });
 }
+
+function forkScopeSyncer() {
+  var syncer = childProcess.fork(scopeSyncPath);
+  syncer.on('exit', function (code, signal) {
+    var err = new Error(util.format('syncer %s died (code: %s, signal: %s, stdout: %s, stderr: %s)',
+      syncer.pid, code, signal, syncer.stdout, syncer.stderr));
+    err.name = 'SyncerWorkerDiedError';
+    console.error('[%s] [master:%s] syncer exit: %s: %s',
+      Date(), process.pid, err.name, err.message);
+    setTimeout(forkScopeSyncer, 1000);
+  });
+}
--- a/docs/db.sql
+++ b/docs/db.sql
@@ -82,8 +82,8 @@ CREATE TABLE IF NOT EXISTS `module` (
 `author` varchar(100) NOT NULL COMMENT 'module author',
 `name` varchar(214) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'module name',
 `version` varchar(30) NOT NULL COMMENT 'module version',
- `description` longtext COMMENT 'module description',
- `package` longtext CHARACTER SET utf8 COLLATE utf8_general_ci COMMENT 'package.json',
+ `description` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci COMMENT 'module description',
+ `package` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci COMMENT 'package.json',
 `dist_shasum` varchar(100) DEFAULT NULL COMMENT 'module dist SHASUM',
 `dist_tarball` varchar(2048) DEFAULT NULL COMMENT 'module dist tarball',
 `dist_size` int(10) unsigned NOT NULL DEFAULT '0' COMMENT 'module dist size',
@@ -92,7 +92,8 @@ CREATE TABLE IF NOT EXISTS `module` (
 UNIQUE KEY `uk_name` (`name`,`version`),
 KEY `idx_gmt_modified` (`gmt_modified`),
 KEY `idx_publish_time` (`publish_time`),
- KEY `idx_author` (`author`)
+ KEY `idx_author` (`author`),
+ KEY `idx_name_gmt_modified` (`name`,`gmt_modified`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='module info';
 -- ALTER TABLE `module` ADD `description` longtext;
 -- ALTER TABLE `module` ADD `publish_time` bigint(20) unsigned, ADD KEY `publish_time` (`publish_time`);
@@ -318,3 +319,28 @@ CREATE TABLE IF NOT EXISTS `dist_file` (
 -- ALTER TABLE `dist_file`
 --   CHANGE `name` `name` varchar(214) NOT NULL COMMENT 'file name',
 --   CHANGE `parent` `parent` varchar(214) NOT NULL COMMENT 'parent dir' DEFAULT '/';
+
+CREATE TABLE IF NOT EXISTS `token` (
+ `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'primary key',
+ `gmt_create` datetime NOT NULL COMMENT 'create time',
+ `gmt_modified` datetime NOT NULL COMMENT 'modified time',
+ `token` varchar(100) NOT NULL COMMENT 'token',
+ `user_id` varchar(100) NOT NULL COMMENT 'user name',
+ `readonly` tinyint NOT NULL DEFAULT 0 COMMENT 'readonly or not, 1: true, other: false',
+ `token_key` varchar(200) NOT NULL COMMENT 'token sha512 hash',
+ `cidr_whitelist` varchar(500) NOT NULL COMMENT 'ip list, ["127.0.0.1"]',
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `uk_token` (`token`),
+ KEY `idx_user` (`user_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='token info';
+
+CREATE TABLE IF NOT EXISTS `package_version_blocklist` (
+  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'primary key',
+  `gmt_create` datetime(3) NOT NULL COMMENT 'create time',
+  `gmt_modified` datetime(3) NOT NULL COMMENT 'modified time',
+  `name` varchar(214) NOT NULL COMMENT 'package name',
+  `version` varchar(30) NOT NULL COMMENT 'package version, "*" meaning all versions',
+  `reason` longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NULL COMMENT 'block reason',
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `uk_name_version` (`name`, `version`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='package version block list';
--- a/docs/dockerize/config.js
+++ b/docs/dockerize/config.js
@@ -7,7 +7,7 @@ var fs = require('fs');
 var os = require('os');

 var version = require('../package.json').version;
-
+var Nfs = require('fs-cnpm');
 var root = path.dirname(__dirname);
 var dataDir = process.env.CNPM_DATA_DIR ;

@@ -86,12 +86,9 @@ var config = {
  customReadmeFile: '', // you can use your custom readme file instead the cnpm one
  customFooter: '', // you can add copyright and site total script html here
  npmClientName: 'cnpm', // use `${name} install package`
-  packagePageContributorSearch: true, // package page contributor link to search, default is true

  // max handle number of package.json `dependencies` property
  maxDependencies: 200,
-  // backup filepath prefix
-  backupFilePrefix: '/cnpm/backup/',

  /**
   * database config
@@ -128,7 +125,7 @@ var config = {
  },

  // package tarball store in local filesystem by default
-  nfs: require('fs-cnpm')({
+  nfs: new Nfs({
    dir: path.join(dataDir, 'nfs')
  }),
  // if set true, will 302 redirect to `nfs.url(dist.key)`
@@ -168,7 +165,7 @@ var config = {
  // sync source, upstream registry
  // If you want to directly sync from official npm's registry
  // please drop them an email first
-  sourceNpmRegistry: 'https://registry.npm.taobao.org',
+  sourceNpmRegistry: 'https://registry.npmmirror.com',

  // upstream registry is base on cnpm/cnpmjs.org or not
  // if your upstream is official npm registry, please turn it off
@@ -229,6 +226,7 @@ var config = {
  // global hook function: function* (envelope) {}
  // envelope format please see https://github.com/npm/registry/blob/master/docs/hooks/hooks-payload.md#payload
  globalHook: null,
+  accelerateHostMap: {},
 };

 if (process.env.NODE_ENV !== 'test') {
--- a/docs/network.puml
+++ b/docs/network.puml
@@ -1,6 +1,6 @@
@startuml

-title cnpmjs.org, npm.taobao.org Network
+title cnpmjs.org, npmmirror.com Network

 node "China User" {
  [cnpm cli]
@@ -11,8 +11,8 @@ node "OSS: aliyuncs.com" {
 }

 node "SLB: 114.55.80.225 Hangzhou" {
-  [npm.taobao.org]
-  [registry.npm.taobao.org]
+  [npmmirror.com]
+  [registry.npmmirror.com]
 }

 node "npmtaobao3: 121.41.*" {
@@ -38,7 +38,7 @@ node "cnpm6: 47.88.189.193 Singapore" {
 }

 node "Aliyun CDN" {
-  [cdn.npm.taobao.org]
+  [oss.npmmirror.com]
 }

 node "qiniu CDN" {
@@ -59,17 +59,17 @@ node "npmjs.com" {
  [www.npmjs.com]
 }

-[cnpm cli] -down-> [registry.npm.taobao.org]: Read, Write
-[cnpm cli] -down-> [cdn.npm.taobao.org]: Read tgz
-[cnpm cli] -down-> [npm.taobao.org]: "Read /mirrors"
+[cnpm cli] -down-> [registry.npmmirror.com]: Read, Write
+[cnpm cli] -down-> [oss.npmmirror.com]: Read tgz
+[cnpm cli] -down-> [npmmirror.com]: "Read /mirrors"

-[registry.npm.taobao.org] -down-> [nginx 5]
+[registry.npmmirror.com] -down-> [nginx 5]
 [nginx 5] -down-> [registry 5]
-[npm.taobao.org] -down-> [nginx 5]
+[npmmirror.com] -down-> [nginx 5]
 [nginx 5] -down-> [web 5]
-[registry.npm.taobao.org] -down-> [nginx 6]
+[registry.npmmirror.com] -down-> [nginx 6]
 [nginx 6] -down-> [registry 6]
-[npm.taobao.org] -down-> [nginx 6]
+[npmmirror.com] -down-> [nginx 6]
 [nginx 6] -down-> [web 6]

 [registry 5] -down-> [rds2860*.mysql.rds.aliyuncs.com]: Read, Write
@@ -92,7 +92,7 @@ node "npmjs.com" {
 [syncer 7] -down-> [cnpmjs.up.qiniu.com]: Write
 [syncer 7] -down-> [registry.npmjs.com]: Read

-[cdn.npm.taobao.org] -down-> [tnpm-hz.oss-cn-hangzhou]: Read
+[oss.npmmirror.com] -down-> [tnpm-hz.oss-cn-hangzhou]: Read
 [dn-cnpm.qbox.me] -down-> [cnpmjs.up.qiniu.com]: Read

@enduml
--- a/docs/registry-api.md
+++ b/docs/registry-api.md
@@ -50,7 +50,7 @@ Status: 4xx

 ## Authentication

-There is only one way to authenticate through the API.
+There are two ways to authenticate through the API.

 ## Basic Authentication

@@ -58,6 +58,12 @@ There is only one way to authenticate through the API.
 $ curl -u "username:password" https://registry.npmjs.org
 ```

+## Bearer Authentication
+
+```bash
+$ curl -H "Authorization: Bearer ${UUId}" https://registry.npmjs.org
+```
+
 ## Failed login limit

 ```bash
@@ -903,7 +909,8 @@ Status: 201 Created
 {
  "ok": true,
  "id": "org.couchdb.user:fengmk2",
-  "rev": "32-984ee97e01aea166dcab6d1517c730e3"
+  "rev": "32-984ee97e01aea166dcab6d1517c730e3",
+  "token": "85d32fad-bd43-4dd7-9451-4f7d907313a2"
 }
 ```

@@ -956,3 +963,76 @@ Status: 201 Created
 ```

 ## Search
+
+## Token
+
+- [Create token](/docs/registry-api.md#create-token)
+- [List token](/docs/registry-api.md#list-token)
+- [Delete token](/docs/registry-api.md#delete-token)
+
+### Create token
+
+* Authentication required.
+
+```
+POST /-/npm/v1/tokens
+```
+
+#### Input
+```json
+{
+  "password": "123",
+  "readonly": false,
+  "cidr_whitelist": [
+    "127.0.0.1"
+  ]
+}
+```
+
+#### Response 200
+```json
+HTTP/1.1 200 OK
+
+{
+  "token": "85d32fad-bd43-4dd7-9451-4f7d907313a2",
+  "key": "d06309a210570ef71cd9c7bd4849e7e96eeaa841976e63326436f6fd320dc4bbd452710e4e0fedc2efc2ea4a793b7159e95e9596e85e00dee26adc3f8afbb97f",
+  "cidr_whitelist": [ "127.0.0.1" ],
+  "created": "2015-01-04T08:28:51.378Z",
+  "updated": "2015-01-04T08:28:51.378Z",
+  "readonly": false
+}
+```
+
+### List token
+* Authentication required.
+
+```
+GET /-/npm/v1/tokens
+```
+
+### Input
+perPage=10&page=0
+
+#### Response 200
+```json
+{
+  "objects": [{
+    "token": "85d32f...7313a2",
+    "key": "d06309a210570ef71cd9c7bd4849e7e96eeaa841976e63326436f6fd320dc4bbd452710e4e0fedc2efc2ea4a793b7159e95e9596e85e00dee26adc3f8afbb97f",
+    "cidr_whitelist": [ "127.0.0.1" ],
+    "created": "2015-01-04T08:28:51.378Z",
+    "updated": "2015-01-04T08:28:51.378Z",
+    "readonly": false
+  }]
+}
+```
+
+### Delete token
+
+* Authentication required.
+
+```
+GET /-/npm/v1/tokens/token/:UUID
+```
+
+#### Response 204
--- a/docs/web/readme.md
+++ b/docs/web/readme.md
@@ -7,7 +7,8 @@ So `cnpm` is meaning: **Company npm**.
 - Our public registry: [r.cnpmjs.org](https://r.cnpmjs.org), syncing from [registry.npmjs.com](https://registry.npmjs.com)
 - [cnpmjs.org](/) version: <span id="app-version"></span>
 - [Node.js](https://nodejs.org) version: <span id="node-version"></span>
- For developers in China, please visit [the China mirror](https://npm.taobao.org). 中国用户请访问[国内镜像站点](https://npm.taobao.org)。
+- For developers in China, please visit [the China mirror](https://npmmirror.com). 中国用户请访问[国内镜像站点](https://npmmirror.com)。
+- Use the private npm service provided by Alibaba Cloud DevOps which build with cnpm. [https://packages.aliyun.com/](https://packages.aliyun.com/?channel=pd_cnpm_github)

 <div class="ant-table">
 <table class="downloads">
@@ -80,21 +81,21 @@ Badge URL: `https://cnpmjs.org/badge/d/cnpmjs.org.svg` ![cnpmjs.org-download-bad
 use our npm client [cnpm](https://github.com/cnpm/cnpm)(More suitable with cnpmjs.org and gzip support), you can get our client through npm:

 ```bash
-$ npm install -g cnpm --registry=https://registry.npm.taobao.org
+$ npm install -g cnpm --registry=https://registry.npmmirror.com
 ```

 Or you can alias NPM to use it:

 ```bash
-alias cnpm="npm --registry=https://registry.npm.taobao.org \
+alias cnpm="npm --registry=https://registry.npmmirror.com \
 --cache=$HOME/.npm/.cache/cnpm \
--disturl=https://npm.taobao.org/mirrors/node \
+--disturl=https://npmmirror.com/mirrors/node \
 --userconfig=$HOME/.cnpmrc"

 #Or alias it in .bashrc or .zshrc
-$ echo '\n#alias for cnpm\nalias cnpm="npm --registry=https://registry.npm.taobao.org \
+$ echo '\n#alias for cnpm\nalias cnpm="npm --registry=https://registry.npmmirror.com \
  --cache=$HOME/.npm/.cache/cnpm \
-  --disturl=https://npm.taobao.org/mirrors/node \
+  --disturl=https://npmmirror.com/mirrors/node \
  --userconfig=$HOME/.cnpmrc"' >> ~/.zshrc && source ~/.zshrc
 ```

@@ -117,7 +118,7 @@ $ cnpm sync connect
 sync package on web: [sync/connect](/sync/connect)

 ```bash
-$ open http://registry.npm.taobao.org/sync/connect
+$ open http://registry.npmmirror.com/sync/connect
 ```

 ### publish / unpublish
@@ -145,11 +146,11 @@ $ cnpm info cnpm

 Release [History](/history).

-## npmjs.org, cnpmjs.org and npm.taobao.org relation
+## npmjs.org, cnpmjs.org and npmmirror.com relation

 ![npm&cnpm](https://cloud.githubusercontent.com/assets/543405/21505401/fd0b6220-cca1-11e6-86ed-599cc81bb03b.png)

 ## Sponsors

- [![阿里云](https://static.aliyun.com/images/www-summerwind/logo.gif)](http://click.aliyun.com/m/4288/) (2016.2 - now)
+- [![阿里云](https://static.aliyun.com/images/www-summerwind/logo.gif)](http://click.aliyun.com/m/4288/) [![阿里云云效](https://img.alicdn.com/tfs/TB116yt3fb2gK0jSZK9XXaEgFXa-106-20.png)](https://devops.aliyun.com/?channel=pd_cnpm_github) (2016.2 - now)
 - [![UCloud云计算](https://www.ucloud.cn/static/style/images/about/logo.png)](http://www.ucloud.cn?sem=sdk-CNPMJS) (2015.3 - 2016.3)
--- a/index.js
+++ b/index.js
@@ -1,17 +1,5 @@
-/**!
- * Copyright(c) cnpmjs.org and other contributors.
- * MIT Licensed
- *
- * Authors:
- *  dead_horse <dead_horse@qq.com> (http://deadhorse.me)
- */
-
 'use strict';

-/**
- * Module dependencies.
- */
-
 var config = require('./config');

 exports.loadConfig = config.loadConfig;
--- a/lib/common.js
+++ b/lib/common.js
@@ -2,13 +2,18 @@

 var crypto = require('crypto');
 var path = require('path');
-var config = require('../config');
+var utility = require('utility');
 var util = require('util');
+var config = require('../config');
+var BASIC_PREFIX = /basic /i;
+var BEARER_PREFIX = /bearer /i;

-exports.getTarballFilepath = function (filename) {
+exports.getTarballFilepath = function (packageName, packageVersion, filename) {
  // ensure download file path unique
  // TODO: not only .tgz, and also other extname
-  var name = filename.replace(/\.tgz$/, '.' + crypto.randomBytes(16).toString('hex') + '.tgz');
+  var name = filename.replace(/\.tgz$/, '.' + crypto.randomBytes(16).toString('hex'));
+  // use filename string md5 instead, fix "ENAMETOOLONG: name too long" error
+  name = packageName.replace(/\//g, '-').replace(/\@/g, '') + '-' + packageVersion.substring(0, 20) + '.' + utility.md5(name) + '.tgz';
  return path.join(config.uploadDir, name);
 };

@@ -21,6 +26,46 @@ exports.getCDNKey = function (name, filename) {
  return '/' + name + '/-/' + filename;
 };

+exports.getUnpublishFileKey = function (name) {
+  return `/${name}/sync/unpublish/unpublish-package.json`;
+};
+
+exports.getPackageFileCDNKey = function (name, version) {
+  return `/${name}/sync/packages/package-${version}.json`;
+};
+
+exports.getDistTagCDNKey = function (name, tag) {
+  return `/${name}/sync/tags/tag-${tag}.json`;
+};
+
+exports.getSyncTagDir = function (name) {
+  return `${name}/sync/tags/`;
+};
+
+exports.getSyncPackageDir = function (name) {
+  return `${name}/sync/packages/`;
+};
+
+const TAG_NAME_REG = /^tag-(.+)\.json$/;
+exports.getTagNameFromFileName = function (fileName) {
+  const res = fileName.match(TAG_NAME_REG);
+  return res && res[1];
+};
+
+exports.isBackupTagFile = function (fileName) {
+  return TAG_NAME_REG.test(fileName);
+};
+
+const PACKAGE_NAME_REG = /^package-(.+)\.json$/;
+exports.getVersionFromFileName = function (fileName) {
+  const res = fileName.match(PACKAGE_NAME_REG);
+  return res && res[1];
+};
+
+exports.isBackupPkgFile = function (fileName) {
+  return PACKAGE_NAME_REG.test(fileName);
+};
+
 exports.setDownloadURL = function (pkg, ctx, host) {
  if (pkg.dist) {
    host = host || config.registryHost || ctx.host;
@@ -28,10 +73,6 @@ exports.setDownloadURL = function (pkg, ctx, host) {
    pkg.dist.tarball = util.format('%s://%s/%s/download/%s-%s.tgz',
      protocol,
      host, pkg.name, pkg.name, pkg.version);
-    if (ctx.querystring) {
-      var backupUrl = pkg.dist.tarball;
-      pkg.dist.tarball += '?' + ctx.querystring + '&other_urls=' + encodeURIComponent(backupUrl);
-    }
  }
 };

@@ -56,6 +97,9 @@ exports.isMaintainer = function (user, maintainers) {
 exports.isLocalModule = function (mods) {
  for (var i = 0; i < mods.length; i++) {
    var r = mods[i];
+    if (config.privatePackages.includes(r.name)) {
+      return true;
+    }
    if (r.package && r.package._publish_on_cnpm) {
      return true;
    }
@@ -64,8 +108,39 @@ exports.isLocalModule = function (mods) {
 };

 exports.isPrivateScopedPackage = function (name) {
+  if (!name) {
+    return false;
+  }
+
  if (name[0] !== '@') {
    return false;
  }
  return config.scopes.indexOf(name.split('/')[0]) >= 0;
 };
+
+var AuthorizeType = exports.AuthorizeType = {
+  BASIC: 'BASIC',
+  BEARER: 'BEARER',
+};
+
+exports.getAuthorizeType = function (ctx) {
+  var authorization = (ctx.get('authorization') || '').trim();
+  if (BASIC_PREFIX.test(authorization)) {
+    return AuthorizeType.BASIC;
+  } else if (BEARER_PREFIX.test(authorization)) {
+    return AuthorizeType.BEARER;
+  }
+};
+
+exports.isSyncWorkerRequest = function (ctx) {
+  // sync request will contain this query params
+  let isSyncWorkerRequest = ctx.query.cache === '0';
+  if (!isSyncWorkerRequest) {
+    const ua = ctx.headers['user-agent'] || '';
+    // old sync client will request with these user-agent
+    if (ua.indexOf('npm_service.cnpmjs.org/') !== -1) {
+      isSyncWorkerRequest = true;
+    }
+  }
+  return isSyncWorkerRequest;
+};
--- a/middleware/auth.js
+++ b/middleware/auth.js
@@ -2,7 +2,9 @@

 var debug = require('debug')('cnpmjs.org:middleware:auth');
 var UserService = require('../services/user');
+var TokenService = require('../services/token');
 var config = require('../config');
+var common = require('../lib/common');

 /**
 * Parse the request authorization
@@ -13,25 +15,23 @@ module.exports = function () {
  return function* auth(next) {
    this.user = {};

-    var authorization = (this.get('authorization') || '').split(' ')[1] || '';
-    authorization = authorization.trim();
+    var authorization = (this.get('authorization') || '').trim();
    debug('%s %s with %j', this.method, this.url, authorization);
    if (!authorization) {
      return yield unauthorized.call(this, next);
    }

-    authorization = Buffer.from(authorization, 'base64').toString();
-    var pos = authorization.indexOf(':');
-    if (pos === -1) {
-       return yield unauthorized.call(this, next);
-    }
-
-    var username = authorization.slice(0, pos);
-    var password = authorization.slice(pos + 1);
-
    var row;
    try {
-      row = yield UserService.auth(username, password);
+      var authorizeType = common.getAuthorizeType(this);
+
+      if (authorizeType === common.AuthorizeType.BASIC) {
+        row = yield basicAuth(authorization);
+      } else if (authorizeType === common.AuthorizeType.BEARER) {
+        row = yield bearerAuth(authorization, this.method, this.ip);
+      } else {
+        return yield unauthorized.call(this, next);
+      }
    } catch (err) {
      // do not response error here
      // many request do not need login
@@ -51,6 +51,30 @@ module.exports = function () {
  };
 };

+function* basicAuth(authorization) {
+  authorization = authorization.split(' ')[1];
+  authorization = Buffer.from(authorization, 'base64').toString();
+
+  var pos = authorization.indexOf(':');
+  if (pos === -1) {
+    return null;
+  }
+
+  var username = authorization.slice(0, pos);
+  var password = authorization.slice(pos + 1);
+
+  return yield UserService.auth(username, password);
+}
+
+function* bearerAuth(authorization, method, ip) {
+  var token = authorization.split(' ')[1];
+  var isReadOperation = method === 'HEAD' || method === 'GET';
+  return yield TokenService.validateToken(token, {
+    isReadOperation: isReadOperation,
+    accessIp: ip,
+  });
+}
+
 function* unauthorized(next) {
  if (!config.alwaysAuth || this.method !== 'GET') {
    return yield next;
--- a/middleware/login.js
+++ b/middleware/login.js
@@ -3,6 +3,11 @@
 var http = require('http');

 module.exports = function *login(next) {
+  if (this.path === '/-/ping' && this.query.write !== 'true') {
+    yield next;
+    return;
+  }
+
  if (this.user.error) {
    var status = this.user.error.status;
    this.status = http.STATUS_CODES[status]
--- a/middleware/sync_by_install.js
+++ b/middleware/sync_by_install.js
@@ -1,17 +1,5 @@
-/**
- * Copyright(c) cnpm and other contributors.
- * MIT Licensed
- *
- * Authors:
- *  dead_horse <dead_horse@qq.com> (http://deadhorse.me)
- */
-
 'use strict';

-/**
- * Module dependencies.
- */
-
 var config = require('../config');

 /**
--- a/middleware/web_not_found.js
+++ b/middleware/web_not_found.js
@@ -23,7 +23,15 @@ module.exports = function* notFound(next) {
  }

  // package not found
-  m = /\/package\/([\w\-\_\.]+)\/?$/.exec(this.url);
+  m = /^\/package\/([\w\-\_\.]+)\/?$/.exec(this.path);
+  if (!m) {
+    // scoped packages
+    m = /^\/package\/(@[\w\-\.]+\/[\w\-\.]+)$/.exec(this.path);
+    // maybe encode url: /package/%40foo%2Fawdawda
+    if (!m && this.path.startsWith('/package/%40')) {
+      m = /^\/package\/(@[\w\-\.]+\/[\w\-\.]+)$/.exec(decodeURIComponent(this.path));
+    }
+  }
  var name = null;
  var title = '404: Page Not Found';
  if (m) {
--- a/models/block_package_version.js
+++ b/models/block_package_version.js
@@ -0,0 +1,29 @@
+'use strict';
+
+module.exports = function (sequelize, DataTypes) {
+  return sequelize.define('BlockPackageVersion', {
+    name: {
+      type: DataTypes.STRING(214),
+      allowNull: false,
+      comment: 'package name'
+    },
+    version: {
+      type: DataTypes.STRING(30),
+      allowNull: false,
+      comment: 'package version'
+    },
+    reason: {
+      type: DataTypes.LONGTEXT,
+      comment: 'block reason',
+    },
+  }, {
+    tableName: 'package_version_blocklist',
+    comment: 'package version block list',
+    indexes: [
+      {
+        unique: true,
+        fields: ['name', 'version'],
+      },
+    ],
+  });
+};
--- a/models/download_total.js
+++ b/models/download_total.js
@@ -1,19 +1,5 @@
-/**!
- * cnpmjs.org - models/download_total.js
- *
- * Copyright(c) fengmk2 and other contributors.
- * MIT Licensed
- *
- * Authors:
- *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
- */
-
 'use strict';

-/**
- * Module dependencies.
- */
-
 // CREATE TABLE IF NOT EXISTS `downloads` (
 //  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'primary key',
 //  `gmt_create` datetime NOT NULL COMMENT 'create time',
--- a/models/index.js
+++ b/models/index.js
@@ -10,6 +10,7 @@ function load(name) {

 var _ModuleAbbreviated = config.enableAbbreviatedMetadata ? load('module_abbreviated') : null;
 var _PackageReadme = config.enableAbbreviatedMetadata ? load('package_readme') : null;
+var _BlockPackageVersion = config.enableBlockPackageVersion ? load('block_package_version') : null;

 module.exports = {
  sequelize: sequelize,
@@ -26,6 +27,7 @@ module.exports = {
  User: load('user'),
  Total: load('total'),
  DownloadTotal: load('download_total'),
+  Token: load('token'),

  query: function* (sql, args) {
    var options = { replacements: args };
@@ -59,4 +61,14 @@ module.exports = {
    }
    return _PackageReadme;
  },
+
+  get BlockPackageVersion() {
+    if (!config.enableBlockPackageVersion) {
+      return null;
+    }
+    if (!_BlockPackageVersion) {
+      _BlockPackageVersion = load('block_package_version');
+    }
+    return _BlockPackageVersion;
+  }
 };
--- a/models/module.js
+++ b/models/module.js
@@ -1,19 +1,5 @@
-/**!
- * cnpmjs.org - models/module.js
- *
- * Copyright(c) fengmk2 and other contributors.
- * MIT Licensed
- *
- * Authors:
- *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
- */
-
 'use strict';

-/**
- * Module dependencies.
- */
-
 /*
 CREATE TABLE IF NOT EXISTS `module` (
 `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'primary key',
--- a/models/token.js
+++ b/models/token.js
@@ -0,0 +1,117 @@
+'use strict';
+
+/*
+CREATE TABLE IF NOT EXISTS `token` (
+ `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT COMMENT 'primary key',
+ `gmt_create` datetime NOT NULL COMMENT 'create time',
+ `gmt_modified` datetime NOT NULL COMMENT 'modified time',
+ `token` varchar(100) NOT NULL COMMENT 'token',
+ `user_id` varchar(100) NOT NULL COMMENT 'user name',
+ `readonly` tinyint NOT NULL DEFAULT 0 COMMENT 'readonly or not, 1: true, other: false',
+ `token_key` varchar(200) NOT NULL COMMENT 'token sha512 hash',
+ `cidr_whitelist` varchar(500) NOT NULL COMMENT 'ip list, ["127.0.0.1"]',
+ PRIMARY KEY (`id`),
+ UNIQUE KEY `uk_token` (`token`),
+ KEY `idx_user_id` (`user_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='token info';
+ */
+
+module.exports = function (sequelize, DataTypes) {
+  return sequelize.define('Token', {
+    token: {
+      type: DataTypes.STRING(100),
+      allowNull: false,
+      comment: 'token',
+    },
+    userId: {
+      field: 'user_id',
+      type: DataTypes.STRING(100),
+      allowNull: false,
+      comment: 'user name'
+    },
+    readonly: {
+      type: DataTypes.BOOLEAN,
+      allowNull: false,
+      defaultValue: false,
+      comment: 'readonly or not, 1: true, other: false',
+    },
+    key: {
+      field: 'token_key',
+      type: DataTypes.STRING(256),
+      allowNull: false,
+      comment: 'token sha512 hash',
+    },
+    cidrWhitelist: {
+      field: 'cidr_whitelist',
+      type: DataTypes.STRING(500),
+      allowNull: false,
+      comment: 'ip list, ["127.0.0.1"]',
+      get: function () {
+        try {
+          return JSON.parse(this.getDataValue('cidrWhitelist'));
+        } catch (_) {
+          return [];
+        }
+      },
+      set: function (val) {
+        try {
+          var stringifyVal = JSON.stringify(val);
+          this.setDataValue('cidrWhitelist', stringifyVal);
+        } catch (_) {
+          // ...
+        }
+      }
+    },
+  }, {
+    tableName: 'token',
+    comment: 'token info',
+    indexes: [
+      {
+        unique: true,
+        fields: [ 'token' ],
+      },
+      {
+        fields: [ 'user_id' ],
+      }
+    ],
+    classMethods: {
+      findByToken: function* (token) {
+        return yield this.find({ where: { token: token } });
+      },
+      add: function* (tokenObj) {
+        var row = this.build(tokenObj);
+        return yield row.save();
+      },
+      listByUser: function* (userId, offset, limit) {
+        return yield this.findAll({
+          where: {
+            userId: userId,
+          },
+          limit: limit,
+          offset: offset,
+          order: 'id asc',
+        });
+      },
+      deleteByKeyOrToken: function* (userId, keyOrToken) {
+        const self = this;
+        yield sequelize.transaction(function (t) {
+          return self.destroy({
+            where: {
+              userId: userId,
+              $or: [
+                { key: { like: keyOrToken + '%' } },
+                { token: keyOrToken },
+              ],
+            },
+            transaction: t,
+          }).then(function (deleteRows) {
+            // Key like query should not match more than 1 row
+            if (deleteRows > 1) {
+              throw new Error(`Token ID "${keyOrToken}" was ambiguous`);
+            }
+          });
+        });
+      },
+    },
+  });
+};
--- a/models/total.js
+++ b/models/total.js
@@ -1,19 +1,5 @@
-/**!
- * cnpmjs.org - models/total.js
- *
- * Copyright(c) fengmk2 and other contributors.
- * MIT Licensed
- *
- * Authors:
- *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
- */
-
 'use strict';

-/**
- * Module dependencies.
- */
-
 // CREATE TABLE IF NOT EXISTS `total` (
 //  `name` varchar(214) NOT NULL COMMENT 'total name',
 //  `gmt_modified` datetime NOT NULL COMMENT 'modified time',
--- a/package.json
+++ b/package.json
@@ -1,15 +1,17 @@
 {
  "name": "cnpmjs.org",
-  "version": "3.0.0-rc.29",
+  "version": "3.0.0-rc.66",
  "description": "Private npm registry and web for Enterprise, base on MySQL and Simple Store Service",
  "main": "index.js",
  "scripts": {
+    "contributor": "git-contributor",
    "dev": "DEBUG=cnpm* node dispatch.js",
-    "test": "make jshint && make test",
+    "test": "make test",
    "test-local": "make test",
    "start": "./bin/nodejsctl start && cp History.md docs/web/history.md",
    "status": "./bin/nodejsctl status",
-    "stop": "./bin/nodejsctl stop"
+    "stop": "./bin/nodejsctl stop",
+    "ci": "make test-travis-mysql"
  },
  "bin": {
    "cnpmjs.org": "bin/cli.js"
@@ -28,7 +30,7 @@
    "copy-to": "^2.0.1",
    "debug": "^3.0.0",
    "error-formater": "^1.0.3",
-    "fs-cnpm": "^1.2.0",
+    "fs-cnpm": "^2.1.0",
    "giturl": "^1.0.0",
    "graceful": "^1.0.1",
    "gravatar": "^1.6.0",
@@ -36,6 +38,7 @@
    "humanize-ms": "^1.2.1",
    "humanize-number": "~0.0.2",
    "ioredis": "^4.6.2",
+    "ip-regex": "^4.1.0",
    "is-type-of": "^1.2.0",
    "kcors": "^1.2.1",
    "koa": "^1.2.0",
@@ -51,6 +54,7 @@
    "koa-rewrite": "^1.1.2",
    "koa-rt": "^1.0.0",
    "koa-safe-jsonp": "^0.3.1",
+    "lodash": "^4.17.21",
    "markdown-it": "^8.3.2",
    "mime": "^1.3.6",
    "mini-logger": "^1.1.3",
@@ -63,17 +67,19 @@
    "rimraf": "^2.6.2",
    "semver": "^5.4.1",
    "sequelize": "^3.23.4",
+    "ssri": "^8.0.1",
    "thunkify-wrap": "^1.0.4",
    "treekill": "^1.0.0",
    "tunnel-agent": "^0.6.0",
    "urllib": "^2.24.0",
    "utility": "^1.12.0",
+    "uuid": "^8.3.0",
    "xss": "^0.3.3"
  },
  "devDependencies": {
    "autod": "*",
    "chunkstream": "*",
-    "contributors": "*",
+    "git-contributor": "^1.0.10",
    "intelli-espower-loader": "^1.0.1",
    "istanbul": "*",
    "jshint": "*",
@@ -111,9 +117,17 @@
  "engines": {
    "node": ">= 8.0.0"
  },
-  "author": [
-    "fengmk2 <fengmk2@gmail.com> (http://fengmk2.com)",
-    "dead_horse <dead_horse@qq.com> (http://deadhorse.me)"
-  ],
+  "ci": {
+    "type": "github",
+    "os": {
+      "github": "linux, macos"
+    },
+    "npminstall": true,
+    "version": "10, 12",
+    "command": {
+      "github": "ci"
+    },
+    "services": "mysql"
+  },
  "license": "MIT"
 }
--- a/routes/registry.js
+++ b/routes/registry.js
@@ -11,8 +11,10 @@ var unpublishable = require('../middleware/unpublishable');
 var showTotal = require('../controllers/total');

 var listAll = require('../controllers/registry/package/list_all');
+var listAllPackageVersions = require('../controllers/registry/package/list_versions');
 var listShorts = require('../controllers/registry/package/list_shorts');
 var listSince = require('../controllers/registry/package/list_since');
+var changes = require('../controllers/registry/package/changes');
 var listAllVersions = require('../controllers/registry/package/list');
 var listDependents = require('../controllers/registry/package/list_dependents');
 var getOneVersion = require('../controllers/registry/package/show');
@@ -28,6 +30,12 @@ var listPackagesByUser = require('../controllers/registry/package/list_by_user')
 var addUser = require('../controllers/registry/user/add');
 var showUser = require('../controllers/registry/user/show');
 var updateUser = require('../controllers/registry/user/update');
+var whoami = require('../controllers/registry/user/whoami');
+var ping = require('../controllers/registry/user/ping');
+
+var createToken = require('../controllers/registry/token/create');
+var delToken = require('../controllers/registry/token/del');
+var listToken = require('../controllers/registry/token/list');

 var sync = require('../controllers/sync');
 var userPackage = require('../controllers/registry/user_package');
@@ -43,14 +51,19 @@ function routes(app) {
  }

  app.get('/', jsonp, showTotal);
-
  // before /:name/:version
  // get all modules, for npm search
  app.get('/-/all', listAll);
+  app.get('/-/all/changes', changes);
  app.get('/-/all/since', listSince);
  // get all module names, for auto completion
  app.get('/-/short', listShorts);

+  app.get('/-/allversions', listAllPackageVersions);
+
+  app.get('/-/whoami', login, whoami);
+  app.get('/-/ping', login, ping);
+
  // module
  // scope package: params: [$name]
  app.get(/^\/(@[\w\-\.]+\/[^\/]+)$/, syncByInstall, listAllVersions);
@@ -76,8 +89,10 @@ function routes(app) {

  // need limit by ip
  app.get(/^\/(@[\w\-\.]+\/[\w\-\.]+)\/download\/(@[\w\-\.]+\/[\w\-\.]+)$/, limit, downloadPackage);
+  app.get(/^\/(@[\w\-\.]+\/[\w\-\.]+)\/download\/([\w\-\.]+)$/, limit, downloadPackage);
  app.get('/:name/download/:filename', limit, downloadPackage);
  app.get(/^\/(@[\w\-\.]+\/[\w\-\.]+)\/\-\/(@[\w\-\.]+\/[\w\-\.]+)$/, limit, downloadPackage);
+  app.get(/^\/(@[\w\-\.]+\/[\w\-\.]+)\/\-\/([\w\-\.]+)$/, limit, downloadPackage);
  app.get('/:name/-/:filename', limit, downloadPackage);

  // delete tarball and remove one version
@@ -99,6 +114,11 @@ function routes(app) {
  app.get('/-/user/org.couchdb.user::name', showUser);
  app.put('/-/user/org.couchdb.user::name/-rev/:rev', login, updateUser);

+  // token api
+  app.get('/-/npm/v1/tokens', login, listToken);
+  app.post('/-/npm/v1/tokens', login, createToken);
+  app.delete('/-/npm/v1/tokens/token/:UUID', login, delToken);
+
  // list all packages of user
  app.get('/-/by-user/:user', userPackage.list);
  app.get('/-/users/:user/packages', listPackagesByUser);
--- a/routes/web.js
+++ b/routes/web.js
@@ -5,6 +5,7 @@ var searchPackage = require('../controllers/web/package/search');
 var searchRange = require('../controllers/web/package/search_range');
 var listPrivates = require('../controllers/web/package/list_privates');
 var showSync = require('../controllers/web/show_sync');
+var showScopeSync = require('../controllers/web/show_scope_sync');
 var showUser = require('../controllers/web/user/show');
 var sync = require('../controllers/sync');
 var showTotal = require('../controllers/total');
@@ -35,6 +36,9 @@ function routes(app) {
  app.put(/\/sync\/(@[\w\-\.]+\/[\w\-\.]+)$/, sync.sync);
  app.put('/sync/:name', sync.sync);

+  app.get('/scopeSync/:scope', showScopeSync);
+  app.put('/scopeSync/:scope', sync.scopeSync);
+
  app.get(/\/sync\/(@[\w\-\.]+\/[\w\-\.]+)\/log\/(\d+)$/, sync.getSyncLog);
  app.get('/sync/:name/log/:id', sync.getSyncLog);

--- a/servers/registry.js
+++ b/servers/registry.js
@@ -16,6 +16,7 @@ var block = require('../middleware/block');
 var auth = require('../middleware/auth');
 var staticCache = require('../middleware/static');
 var notFound = require('../middleware/registry_not_found');
+var models = require('../models');
 var cors = require('kcors');
 var proxyToNpm = require('../middleware/proxy_to_npm');
 var maxrequests = require('koa-maxrequests');
@@ -52,6 +53,7 @@ app.use(notFound);
 app.use(conditional());
 app.use(etag());

+app.models = models;
 for (const middleware of config.customRegistryMiddlewares) {
  app.use(middleware(app));
 }
--- a/servers/web.js
+++ b/servers/web.js
@@ -17,6 +17,7 @@ var auth = require('../middleware/auth');
 var proxyToNpm = require('../middleware/proxy_to_npm');
 var routes = require('../routes/web');
 var config = require('../config');
+var models = require('../models');
 var jsonp = require('koa-safe-jsonp');
 var path = require('path');
 var http = require('http');
@@ -42,6 +43,12 @@ if (config.pagemock) {
  }));
 }

+// add app.models, let middleware can access models ref
+app.models = models;
+for (const mw of config.customWebMiddlewares) {
+  app.use(mw(app));
+}
+
 app.use(opensearch);
 app.keys = ['todokey', config.sessionSecret];
 app.proxy = true;
@@ -67,7 +74,8 @@ var footer = config.customFooter || fs.readFileSync(path.join(viewDir, 'footer.h
 var layout = fs.readFileSync(path.join(viewDir, 'layout.html'), 'utf8')
  .replace('{{footer}}', footer)
  .replace('{{logoURL}}', config.logoURL)
-  .replace('{{adBanner}}', config.adBanner || '');
+  .replace('{{adBanner}}', config.adBanner || '')
+  .replace('{{customHeader}}', config.customHeader || '');
 fs.writeFileSync(layoutFile, layout);

 // custom web readme home page support
--- a/services/blocklist.js
+++ b/services/blocklist.js
@@ -0,0 +1,28 @@
+'use strict';
+
+const BlockPackageVersion = require('../models').BlockPackageVersion;
+
+exports.blockPackageVersion = function* (name, version, reason) {
+  const row = yield BlockPackageVersion.findOne({ where: { name, version } });
+  if (row) {
+    row.reason = reason;
+    yield row.save();
+  } else {
+    yield BlockPackageVersion.create({ name, version, reason });
+  }
+};
+
+exports.findBlockPackageVersions = function* (name) {
+  if (!BlockPackageVersion) {
+    return null;
+  }
+  const rows = yield BlockPackageVersion.findAll({ where: { name } });
+  if (rows.length === 0) {
+    return null;
+  }
+  const blocks = {};
+  for (const row of rows) {
+    blocks[row.version] = row;
+  }
+  return blocks;
+};
--- a/services/bug_version.js
+++ b/services/bug_version.js
@@ -0,0 +1,50 @@
+'use strict';
+
+const config = require('../config');
+const packageService = require('./package');
+
+// replace bug version and set deprecated property for cli tooltip
+exports.hotfix = function* (rows) {
+  if (!config.enableBugVersion) {
+    return;
+  }
+  let row = rows[0];
+  if (!row) {
+    return;
+  }
+  // https://github.com/cnpm/bug-versions/blob/master/package.json#L118
+  // "config": {
+  //   "bug-versions": {
+  //     "gifsicle": {
+  //       "5.3.0": {
+  //         "version": "5.2.1",
+  //         "reason": "https://github.com/imagemin/gifsicle-bin/issues/133"
+  //       }
+  //     },
+  const moduleRow = yield packageService.getLatestModule('bug-versions');
+  if (!moduleRow) {
+    return;
+  }
+  const bugVersions = moduleRow.package.config && moduleRow.package.config['bug-versions'];
+  const bugs = bugVersions && bugVersions[row.package.name];
+  if (!bugs) {
+    return;
+  }
+
+  const existsVerionsMap = {};
+  for (row of rows) {
+    existsVerionsMap[row.package.version] = row.package;
+  }
+
+  for (row of rows) {
+    const bug = bugs[row.package.version];
+    if (bug && bug.version && existsVerionsMap[bug.version]) {
+      const packageJSON = JSON.parse(JSON.stringify(existsVerionsMap[bug.version]));
+      const hotfixDeprecated = `[WARNING] Use ${bug.version} instead of ${row.package.version}, reason: ${bug.reason}`;
+      packageJSON.deprecated = row.package.deprecated ? `${row.package.deprecated} (${hotfixDeprecated})` : hotfixDeprecated;
+      // don't change version
+      packageJSON.version = row.package.version;
+      Object.assign(row.package, packageJSON);
+    }
+  }
+};
--- a/services/common.js
+++ b/services/common.js
@@ -14,3 +14,10 @@ exports.isPrivatePackage = function (name) {
  }
  return false;
 };
+
+exports.CHANGE_TYPE = {
+  PACKAGE_TAG_ADDED: 'PACKAGE_TAG_ADDED',
+  PACKAGE_VERSION_ADDED: 'PACKAGE_VERSION_ADDED',
+  PACKAGE_UNPUBLISHED: 'PACKAGE_UNPUBLISHED',
+  PACKAGE_VERSION_BLOCKED: 'PACKAGE_VERSION_BLOCKED'
+};
--- a/services/npm.js
+++ b/services/npm.js
@@ -153,7 +153,7 @@ exports.getAllToday = function* (timeout) {
 };

 exports.getShort = function* (timeout) {
-  const registry = config.sourceNpmRegistryIsCNpm ? config.sourceNpmRegistry : 'https://r.cnpmjs.org';
+  const registry = config.sourceNpmRegistryIsCNpm ? config.sourceNpmRegistry : 'https://registry.npmmirror.com';
  var r = yield request('/-/short', {
    timeout: timeout || 300000,
    // registry.npmjs.org/-/short is 404 now therefore have a fallback
@@ -198,3 +198,53 @@ exports.getPopular = function* (top, timeout) {
    return r[0];
  });
 };
+
+exports.getChangesUpdateSeq = function* () {
+  const registry = config.sourceNpmRegistryIsCNpm ? config.sourceNpmRegistry : 'https://registry.npmmirror.com';
+  const r = yield request('/', {
+    timeout: 30000,
+    registry: registry,
+  });
+  const data = r.data || {};
+  if (r.status !== 200) {
+    if (data.code && data.message) {
+      const url = registry + '/';
+      const err = new Error(data.message + ', url: ' + url);
+      err.name = data.code;
+      err.url = url;
+      throw err;
+    }
+  }
+  return data.update_seq || 0;
+};
+
+exports.listChanges = function* (updateSeq) {
+  const registry = config.sourceNpmRegistryIsCNpm ? config.sourceNpmRegistry : 'https://registry.npmmirror.com';
+  const changesUrl = `/_changes?since=${updateSeq}`;
+  const r = yield request(changesUrl, {
+    timeout: 30000,
+    registry: registry,
+  });
+  const data = r.data || {};
+  if (r.status !== 200) {
+    if (data.code && data.message) {
+      const url = registry + changesUrl;
+      const err = new Error(data.message + ', url: ' + url);
+      err.name = data.code;
+      err.url = url;
+      throw err;
+    }
+  }
+  // {"results":[{"seq":1988653,"type":"PACKAGE_VERSION_ADDED","id":"dsr-package-mercy-magot-thorp-sward","changes":[{"version":"1.0.1"}]},
+  return data.results || [];
+};
+
+exports.getScopePackagesShort = function* (scope, registry) {
+  var response = yield request('/browse/keyword/' + scope, {
+    timeout: 3000,
+    registry: registry,
+    dataType: 'text'
+  });
+  var res = response.data.match(/class="package-name">(\S*)<\/a>/g)
+  return res ? res.map(a => a.match(/class="package-name">(\S*)<\/a>/)[1]).filter(name => name.indexOf(`${scope}/`) === 0) : []
+};
--- a/services/package.js
+++ b/services/package.js
@@ -3,7 +3,10 @@
 var semver = require('semver');
 var models = require('../models');
 var common = require('./common');
+var libCommon = require('../lib/common');
 var config = require('../config');
+var { ensureSinceIsDate } = require('../controllers/utils');
+var { BlockPackageVersion } = require('../models');
 var Tag = models.Tag;
 var User = models.User;
 var Module = models.Module;
@@ -14,6 +17,8 @@ var ModuleDependency = models.ModuleDependency;
 var ModuleUnpublished = models.ModuleUnpublished;
 var NpmModuleMaintainer = models.NpmModuleMaintainer;

+var CHANGE_TYPE = common.CHANGE_TYPE;
+
 // module
 var _parseRow = function (row) {
  if (row.package.indexOf('%7B%22') === 0) {
@@ -152,27 +157,19 @@ exports.listModulesByUser = function* (username) {
 exports.listModuleNamesByUser = function* (username) {
  var sql = 'SELECT distinct(name) AS name FROM module WHERE author=?;';
  var rows = yield models.query(sql, [username]);
-  var map = {};
  var names = rows.map(function (r) {
    return r.name;
  });

  // find from npm module maintainer table
  var moduleNames = yield NpmModuleMaintainer.listModuleNamesByUser(username);
-  moduleNames.forEach(function (name) {
-    if (!map[name]) {
-      names.push(name);
-    }
-  });
-
  // find from private module maintainer table
-  moduleNames = yield PrivateModuleMaintainer.listModuleNamesByUser(username);
-  moduleNames.forEach(function (name) {
-    if (!map[name]) {
-      names.push(name);
-    }
-  });
-  return names;
+  var privateModuleNames = yield PrivateModuleMaintainer.listModuleNamesByUser(username);
+  return Array.from(new Set([
+    ...names,
+    ...moduleNames,
+    ...privateModuleNames,
+  ]));
 };

 exports.listPublicModulesByUser = function* (username) {
@@ -205,6 +202,84 @@ exports.listPublicModuleNamesByUser = function* (username) {
  return names;
 };

+exports.listModelSince = function(Model, attributes, mapper) {
+
+  return function*(since, limit) {
+
+    var start = ensureSinceIsDate(since);
+    var findCondition = {
+      attributes: attributes,
+      where: {
+        gmt_modified: {
+          gte: start,
+          // 添加延时，防止同一时间多个数据未同步
+          lte: new Date(Date.now() - config.changesDelay || 5000),
+        },
+      },
+      order: [
+        ["gmt_modified", "ASC"],
+        ["id", "ASC"],
+      ],
+    };
+    if (limit) {
+      findCondition.limit = limit;
+    }
+    var rows = yield Model.findAll(findCondition);
+    return rows.map(mapper);
+  }
+}
+
+exports.listTagSince = this.listModelSince(
+  Tag,
+  ['id', 'name', 'tag', 'gmt_modified'],
+  function (row) {
+    return {
+      type: CHANGE_TYPE.PACKAGE_TAG_ADDED,
+      id: row.name,
+      changes: [{tag: row.tag}],
+      gmt_modified: row.gmt_modified,
+    };
+  }
+);
+
+exports.listVersionSince = this.listModelSince(
+  Module,
+  ['id', 'name', 'version', 'gmt_modified'],
+  function (row) {
+    return {
+      type: CHANGE_TYPE.PACKAGE_VERSION_ADDED,
+      id: row.name,
+      changes: [{version: row.version}],
+      gmt_modified: row.gmt_modified,
+    };
+  }
+);
+
+exports.listUnpublishedModuleSince = this.listModelSince(
+  ModuleUnpublished,
+  ['id', 'name', 'gmt_modified'],
+  function(row) {
+    return {
+      type: CHANGE_TYPE.PACKAGE_UNPUBLISHED,
+      id: row.name,
+      gmt_modified: row.gmt_modified,
+    };
+  }
+);
+
+exports.listBlockVersionSince = this.listModelSince(
+  BlockPackageVersion,
+  ['id', 'name', 'version', 'gmt_modified'],
+  function(row) {
+    return {
+      type: CHANGE_TYPE.PACKAGE_VERSION_BLOCKED,
+      id: row.name,
+      gmt_modified: row.gmt_modified,
+    };
+  }
+);
+
+
 // start must be a date or timestamp
 exports.listPublicModuleNamesSince = function* listPublicModuleNamesSince(start) {
  if (!(start instanceof Date)) {
@@ -251,16 +326,12 @@ exports.listModulesByName = function* (moduleName, attributes) {
 };

 exports.getModuleLastModified = function* (name) {
-  var mod = yield Module.find({
+  var gmt_modified = yield Module.max('gmt_modified', {
    where: {
      name: name,
    },
-    order: [
-      ['gmt_modified', 'DESC']
-    ],
-    attributes: [ 'gmt_modified' ]
  });
-  return mod && mod.gmt_modified || null;
+  return gmt_modified;
 };

 // module:update
@@ -345,24 +416,35 @@ exports.listModuleAbbreviatedsByName = function* (name) {
  return rows;
 };

+exports.findAllModuleAbbreviateds = function* (where, order, limit, offset) {
+  const params = {
+    where,
+    order,
+    limit,
+    offset,
+    attributes: [ 'name', 'version', 'publish_time', 'gmt_modified'  ],
+  };
+  const rows = yield models.ModuleAbbreviated.findAll(params);
+  return rows;
+};
+
 // https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md#abbreviated-version-object
-exports.saveModuleAbbreviated = function* (mod) {
-  var pkg = JSON.stringify({
-    name: mod.package.name,
-    version: mod.package.version,
-    deprecated: mod.package.deprecated,
-    dependencies: mod.package.dependencies,
-    optionalDependencies: mod.package.optionalDependencies,
-    devDependencies: mod.package.devDependencies,
-    bundleDependencies: mod.package.bundleDependencies,
-    peerDependencies: mod.package.peerDependencies,
-    bin: mod.package.bin,
-    directories: mod.package.directories,
-    dist: mod.package.dist,
-    engines: mod.package.engines,
-    _hasShrinkwrap: mod.package._hasShrinkwrap,
-    _publish_on_cnpm: mod.package._publish_on_cnpm,
-  });
+exports.saveModuleAbbreviated = function* (mod, remoteAbbreviatedVersion) {
+  // try to use remoteAbbreviatedVersion first
+  var pkg;
+  if (remoteAbbreviatedVersion) {
+    pkg = Object.assign({}, remoteAbbreviatedVersion, {
+      // override remote tarball
+      dist: Object.assign({}, remoteAbbreviatedVersion.dist, mod.package.dist, {
+        noattachment: undefined,
+      }),
+    });
+  } else {
+    pkg = Object.assign({}, mod.package, {
+      // ignore readme force
+      readme: undefined,
+    });
+  }
  var publish_time = mod.publish_time || Date.now();
  var item = yield models.ModuleAbbreviated.findByNameAndVersion(mod.name, mod.version);
  if (!item) {
@@ -372,7 +454,7 @@ exports.saveModuleAbbreviated = function* (mod) {
    });
  }
  item.publish_time = publish_time;
-  item.package = pkg;
+  item.package = JSON.stringify(pkg);

  if (item.changed()) {
    item = yield item.save();
@@ -408,7 +490,7 @@ exports.updateModulePackageFields = function* (id, fields) {
 };

 exports.updateModuleAbbreviatedPackage = function* (item) {
-  // item => { id, name, version, _hasShrinkwrap }
+  // item => { id, name, version, _hasShrinkwrap, os, cpu, peerDependenciesMeta, workspaces }
  var mod = yield models.ModuleAbbreviated.findByNameAndVersion(item.name, item.version);
  if (!mod) {
    return null;
@@ -857,3 +939,45 @@ exports.saveUnpublishedModule = function* (name, pkg) {
 exports.getUnpublishedModule = function* (name) {
  return yield ModuleUnpublished.findByName(name);
 };
+
+exports.showPackage = function* (name, tag, ctx) {
+  if (tag === '*') {
+    tag = 'latest';
+  }
+  if (tag === '*') {
+    tag = 'latest';
+  }
+  var version = semver.valid(tag);
+  var range = semver.validRange(tag);
+  var mod;
+  if (version) {
+    mod = yield exports.getModule(name, version);
+  } else if (range) {
+    mod = yield exports.getModuleByRange(name, range);
+  } else {
+    mod = yield exports.getModuleByTag(name, tag);
+  }
+
+  if (mod) {
+    libCommon.setDownloadURL(mod.package, ctx || {});
+    mod.package._cnpm_publish_time = mod.publish_time;
+    mod.package.publish_time = mod.package.publish_time || mod.publish_time;
+    var rs = yield [
+      exports.listMaintainers(name),
+      exports.listModuleTags(name),
+    ];
+    var maintainers = rs[0];
+    if (maintainers.length > 0) {
+      mod.package.maintainers = maintainers;
+    }
+    var tags = rs[1];
+    var distTags = {};
+    for (var i = 0; i < tags.length; i++) {
+      var t = tags[i];
+      distTags[t.tag] = t.version;
+    }
+    // show tags for npminstall faster download
+    mod.package['dist-tags'] = distTags;
+    return mod;
+  }
+};
--- a/services/token.js
+++ b/services/token.js
@@ -0,0 +1,121 @@
+'use strict';
+
+var Token = require('../models').Token;
+var UserService = require('./user');
+var uuid = require('uuid');
+var crypto = require('crypto');
+var DEFAULT_TOKEN_OPTIONS = {
+  readonly: false,
+  cidrWhitelist: [],
+};
+var DEFAULT_LIST_TOKEN_OPTIONS = {
+  perPage: 10,
+  page: 0,
+};
+
+/**
+ * 1. check the token exits
+ * 1. check readOnly
+ * 1. check cidr white list
+ *
+ * @param {string} token -
+ * @param {object} options -
+ * @param {string} options.isReadOperation -
+ * @param {string} options.accessIp -
+ */
+exports.validateToken = function* (token, options) {
+  var row = yield Token.findByToken(token);
+  if (!row) {
+    return null;
+  }
+
+  var name = row.userId;
+  var tokenObj = convertToken(row);
+  // write operation and readonly token
+  // validate fail
+  if (!options.isReadOperation && tokenObj.readonly) {
+    return null;
+  }
+
+  // has a cidr whitelist and access ip not in list
+  // validate fail
+  var cidrWhitelist = tokenObj.cidr_whitelist;
+  if (cidrWhitelist.length && !cidrWhitelist.includes(options.accessIp)) {
+    return null;
+  }
+
+  return yield UserService.get(name);
+};
+
+/**
+ * create token for user
+ * @param {string} userId -
+ * @param {object} [options] -
+ * @param {object} [options.readonly] - default is false
+ * @param {object} [options.cidrWhitelist] - default is []
+ */
+exports.createToken = function* (userId, options) {
+  options = Object.assign({}, DEFAULT_TOKEN_OPTIONS, options);
+  var token = uuid.v4();
+  var key = createTokenKey(token);
+  var tokenObj = {
+    token: token,
+    userId: userId,
+    readonly: options.readonly,
+    key: key,
+    cidrWhitelist: options.cidrWhitelist,
+  };
+  var row = yield Token.add(tokenObj);
+  return convertToken(row, { redacte: false });
+};
+
+/**
+ * list token for user
+ * @param {string} userId -
+ * @param {object} [options] -
+ * @param {object} [options.perPage] - default is 10
+ * @param {object} [options.page] - default is 0
+ */
+exports.listToken = function* (userId, options) {
+  options = Object.assign({}, DEFAULT_LIST_TOKEN_OPTIONS, options);
+  var rows = yield Token.listByUser(userId, options.perPage * options.page, options.perPage);
+  return rows.map(function(row) {
+    return convertToken(row);
+  });
+};
+
+/**
+ * delete token for user
+ * @param {string} userId -
+ * @param {string} keyOrToken - the key prefix or full token
+ */
+exports.deleteToken = function* (userId, keyOrToken) {
+  yield Token.deleteByKeyOrToken(userId, keyOrToken);
+};
+
+function convertToken(row, options) {
+  options = options || {};
+  var token = row.token;
+  if (options.redacte !== false) {
+    token = redacteToken(token);
+  }
+  return {
+    token: token,
+    key: row.key,
+    cidr_whitelist: row.cidrWhitelist,
+    created: row.gmt_create,
+    updated: row.gmt_create,
+    readonly: row.readonly,
+  };
+}
+
+function redacteToken(token) {
+  if (!token) {
+    return null;
+  }
+  return `${token.substr(0, 6)}...${token.substr(-6)}`;
+}
+
+function createTokenKey(token) {
+  return crypto.createHash('sha512').update(token).digest('hex');
+}
--- a/services/total.js
+++ b/services/total.js
@@ -13,18 +13,29 @@ if (config.database.dialect === 'postgres') {
 }

 exports.get = function* () {
+  var rs;
  // var DB_SIZE_SQL = 'SELECT TABLE_NAME AS name, data_length, index_length \
  //   FROM information_schema.tables WHERE TABLE_SCHEMA = ? \
  //   GROUP BY TABLE_NAME \
  //   ORDER BY data_length DESC \
  //   LIMIT 0, 200';
-  var rs = yield [
-    // models.query(DB_SIZE_SQL, [config.db]),
-    models.queryOne(TOTAL_MODULE_SQL),
-    models.queryOne(TOTAL_VERSION_SQL),
-    models.queryOne(TOTAL_USER_SQL),
-    exports.getTotalInfo(),
-  ];
+  if (config.enableTotalCount) {
+    rs = yield [
+      // models.query(DB_SIZE_SQL, [config.db]),
+      models.queryOne(TOTAL_MODULE_SQL),
+      models.queryOne(TOTAL_VERSION_SQL),
+      models.queryOne(TOTAL_USER_SQL),
+      exports.getTotalInfo(),
+    ];
+  } else {
+    rs = yield [
+      models.queryOne(TOTAL_USER_SQL),
+      exports.getTotalInfo(),
+    ];
+    // set total modules and versions to zero
+    rs.unshift({ count: 0 });
+    rs.unshift({ count: 0 });
+  }

  // var sizes = rs[0];
  var mc = rs[0];
--- a/sync/sync_exist.js
+++ b/sync/sync_exist.js
@@ -34,35 +34,38 @@ module.exports = function* sync() {
    throw new Error('can not found total info');
  }

-  var allPackages;
-  if (!info.last_exist_sync_time) {
-    var pkgs = yield npmService.getShort();
-    debug('First time sync all packages from official registry, got %d packages', pkgs.length);
-    if (info.last_sync_module) {
-      // start from last success
-      var lastIndex = pkgs.indexOf(info.last_sync_module);
-      if (lastIndex > 0) {
-        pkgs = pkgs.slice(lastIndex);
-        debug('recover from %d: %s', lastIndex, info.last_sync_module);
-      }
-    }
-    allPackages = pkgs;
-  } else {
-    debug('sync new module from last exist sync time: %s', info.last_exist_sync_time);
-    var result = yield npmService.fetchUpdatesSince(info.last_exist_sync_time);
-    allPackages = result.names;
-    syncTime = result.lastModified;
+  var lastSeq = info.last_exist_sync_time;
+  if (lastSeq && lastSeq > 132897820073) {
+    // ignore exists timestamp
+    lastSeq = null;
  }
-
-  var packages = intersection(existPackages, allPackages);
-  if (!packages.length) {
+  if (!lastSeq) {
+    lastSeq = yield npmService.getChangesUpdateSeq();
+  }
+  if (!lastSeq) {
    debug('no packages need be sync');
    return {
      successes: [],
      fails: []
    };
  }
+
+  var updatesPackages = [];
+  var changes = yield npmService.listChanges(lastSeq);
+  changes.forEach(change => {
+    updatesPackages.push(change.id);
+    lastSeq = change.seq;
+  });
+  var packages = intersection(existPackages, updatesPackages);
  debug('Total %d packages to sync, top 10: %j', packages.length, packages.slice(0, 10));
+  if (!packages.length) {
+    yield totalService.setLastExistSyncTime(lastSeq);
+    debug('no packages need be sync, lastSeq: %s, changes: %s', lastSeq, changes.length);
+    return {
+      successes: [],
+      fails: []
+    };
+  }

  var worker = new SyncModuleWorker({
    username: 'admin',
@@ -75,10 +78,10 @@ module.exports = function* sync() {
  var end = thunkify.event(worker);
  yield end();

-  debug('All packages sync done, successes %d, fails %d',
-    worker.successes.length, worker.fails.length);
+  debug('All packages sync done, successes %d, fails %d, lastSeq: %s, changes: %s',
+    worker.successes.length, worker.fails.length, lastSeq, changes.length);

-  yield totalService.setLastExistSyncTime(syncTime);
+  yield totalService.setLastExistSyncTime(lastSeq);
  return {
    successes: worker.successes,
    fails: worker.fails
--- a/sync/sync_scope.js
+++ b/sync/sync_scope.js
@@ -0,0 +1,89 @@
+'use strict';
+
+var thunkify = require('thunkify-wrap');
+const co = require('co');
+const ms = require('humanize-ms');
+var config = require('../config');
+var npmService = require('../services/npm');
+var SyncModuleWorker = require('../controllers/sync_module_worker');
+var logger = require('../common/logger');
+
+
+let syncing = false;
+const syncFn = co.wrap(function*() {
+  if (syncing) { return; }
+  syncing = true;
+  logger.syncInfo('Start syncing scope modules...');
+  let data;
+  let error;
+  try {
+    data = yield sync();
+  } catch (err) {
+    error = err;
+    error.message += ' (sync package error)';
+    logger.syncError(error);
+  }
+
+  if (data) {
+    logger.syncInfo(data);
+  }
+  if (!config.debug) {
+    sendMailToAdmin(error, data, new Date());
+  }
+  syncing = false;
+});
+
+syncFn().catch(onerror);
+setInterval(() => syncFn().catch(onerror), ms(config.syncScopeInterval));
+
+function onerror(err) {
+  logger.error('====================== scope sync error ========================');
+  logger.error(err);
+}
+
+function* getOtherCnpmDefineScopePackages(scopes) {
+  var arr = []
+  for (var i = 0; i < scopes.length; i++) {
+    var packageList = yield npmService.getScopePackagesShort(scopes[i].scope, scopes[i].sourceCnpmWeb)
+    arr = arr.concat(packageList)
+  }
+  return arr
+}
+
+function* sync() {
+  var scopeConfig = config.syncScopeConfig
+  if (!scopeConfig || scopeConfig.length === 0) {
+    process.exit(0);
+  }
+  var packages = yield getOtherCnpmDefineScopePackages(scopeConfig);
+
+  if (!packages.length) {
+    return;
+  }
+  logger.syncInfo('Total %d scope packages to sync: %j', packages.length, packages);
+
+  var worker = new SyncModuleWorker({
+    username: 'admin',
+    name: packages,
+    noDep: true,
+    syncUpstreamFirst: false,
+    publish: true,
+    concurrency: config.syncConcurrency,
+    syncPrivatePackage: scopeConfig.reduce((arr, cur) => {
+      arr[cur.scope] = cur.sourceCnpmRegistry
+      return arr
+    }, {})
+  });
+  worker.start();
+  var end = thunkify.event(worker);
+  yield end();
+
+  logger.syncInfo('scope packages sync done, successes %d, fails %d, updates %d',
+      worker.successes.length, worker.fails.length, worker.updates.length);
+
+  return {
+    successes: worker.successes,
+    fails: worker.fails,
+    updates: worker.updates,
+  };
+};
--- a/test/common/urllib.test.js
+++ b/test/common/urllib.test.js
@@ -0,0 +1,42 @@
+'use strict';
+
+const assert = require('assert');
+const mm = require('mm');
+const urllib = require('../../common/urllib');
+const config = require('../../config');
+
+describe('test/common/urllib.test.js', () => {
+  describe('accelerate request', () => {
+    beforeEach(() => {
+      mm(config, 'accelerateHostMap', {
+        'www.alipay.com': 'www.antgroup.com',
+        'www.google.com': 'www.google.com'
+      });
+    });
+
+    describe('direct', () => {
+      it('should work', function* () {
+        const res = yield urllib.request('https://www.alipay.com', {
+          followRedirect: true,
+          timeout: 30000,
+        });
+        assert.deepStrictEqual(res.res.requestUrls, [
+          'https://www.antgroup.com/',
+        ]);
+      });
+    });
+
+    describe.skip('redirect', () => {
+      it('should work', function* () {
+        const res = yield urllib.request('https://google.com', {
+          followRedirect: true,
+          timeout: 30000,
+        });
+        assert.deepStrictEqual(res.res.requestUrls, [
+          'https://google.com/',
+          'https://www.google.com/',
+        ]);
+      });
+    });
+  });
+});
--- a/test/controllers/registry/package/changes.test.js
+++ b/test/controllers/registry/package/changes.test.js
@@ -0,0 +1,100 @@
+'use strict';
+
+var should = require('should');
+var request = require('supertest');
+var mm = require('mm');
+var config = require('../../../../config');
+var app = require('../../../../servers/registry');
+var utils = require('../../../utils');
+var CHANGE_TYPE = require('../../../../services/common').CHANGE_TYPE;
+
+describe('test/controllers/registry/package/changes.test.js', function () {
+  afterEach(mm.restore);
+
+  var since;
+  before(function (done) {
+    mm(config, 'changesDelay', 0);
+    setTimeout(() => {
+      since = Date.now();
+      var pkg = utils.getPackage('@cnpmtest/test_changes', '0.0.1', utils.admin, 'alpha');
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(201, function() {
+        setTimeout(function() {
+          pkg = utils.getPackage('@cnpmtest/test_changes_gogo', '0.0.2', utils.admin, 'beta');
+          request(app)
+          .put('/' + pkg.name)
+          .set('authorization', utils.adminAuth)
+          .send(pkg)
+          .expect(201, done);
+        }, 2000);
+      });
+    }, 1000);
+  });
+
+  describe('GET /-/all/changes', function () {
+    it('should 200', function (done) {
+      request(app)
+        .get("/-/all/changes?since=" + since)
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          res.body.results.should.be.an.Array();
+
+          res.body.results
+            .filter(function (item) {
+              return item.type === CHANGE_TYPE.PACKAGE_VERSION_ADDED;
+            })
+            .length.should.equal(2);
+          res.body.results
+            .filter(function (item) {
+              return item.type === CHANGE_TYPE.PACKAGE_VERSION_ADDED;
+            })
+            .length.should.equal(2);
+          done();
+        });
+    });
+
+    it('changes delay should work', function(done) {
+      mm(config, 'changesDelay', 10000);
+      request(app)
+        .get("/-/all/changes?since=" + since)
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          res.body.results.should.be.an.Array();
+          res.body.results
+            .filter(function (item) {
+              return item.type === CHANGE_TYPE.PACKAGE_VERSION_ADDED;
+            })
+            .length.should.equal(0);
+          done();
+        });
+    })
+
+    it('since should work', function (done) {
+      var now = Date.now();
+      request(app)
+        .get("/-/all/changes?since=" + now + 5000)
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          res.body.results.should.be.an.Array();
+          res.body.results.length.should.equal(0);
+          done();
+        });
+    });
+
+    it('limit should work', function (done) {
+      mm(config, 'changesDelay', 0);
+      request(app)
+      .get('/-/all/changes?limit=1&since=' + since)
+      .expect(200, function (err, res) {
+        should.not.exist(err);
+        res.body.results.should.be.an.Array();
+        res.body.results.length.should.equal(1);
+        done();
+      });
+    });
+
+  });
+});
--- a/test/controllers/registry/package/dist_tag.test.js
+++ b/test/controllers/registry/package/dist_tag.test.js
@@ -1,5 +1,6 @@
 'use strict';

+var assert = require('assert');
 var request = require('supertest');
 var mm = require('mm');
 var pedding = require('pedding');
@@ -117,6 +118,27 @@ describe('test/controllers/registry/package/dist_tag.test.js', function () {
        .expect(201, done);
      });
    });
+
+    it('should fire globalHook', function (done) {
+      done = pedding(2, done);
+      mm(config, 'globalHook', function* (envelope) {
+        assert(envelope.version === '1.0.1');
+        assert(envelope.name === '@cnpmtest/dist_tag_test_module_set');
+        assert(envelope.type === 'package');
+        assert(envelope.event === 'package:dist-tag');
+        assert(envelope.tag === 'exists');
+        done();
+      })
+      request(app)
+        .put('/-/package/@cnpmtest/dist_tag_test_module_set/dist-tags/exists')
+        .set('authorization', utils.otherUserAuth)
+        .set('content-type', 'application/json')
+        .send(JSON.stringify('1.0.1'))
+        .expect({
+          ok: 'dist-tags updated'
+        })
+        .expect(201, done);
+    });
  });

  describe('destroy()', function () {
@@ -178,6 +200,25 @@ describe('test/controllers/registry/package/dist_tag.test.js', function () {
      })
      .expect(200, done);
    });
+
+    it('should fire globalHook', function (done) {
+      done = pedding(2, done);
+      mm(config, 'globalHook', function* (envelope) {
+        assert(envelope.name === '@cnpmtest/dist_tag_test_module_destroy');
+        assert(envelope.type === 'package');
+        assert(envelope.event === 'package:dist-tag:rm');
+        assert(envelope.tag === 'next');
+        done();
+      })
+      request(app)
+        .delete('/-/package/@cnpmtest/dist_tag_test_module_destroy/dist-tags/next')
+        .set('authorization', utils.otherUserAuth)
+        .set('content-type', 'application/json')
+        .expect({
+          ok: 'dist-tags updated'
+        })
+        .expect(200, done);
+    });
  });

  describe('save()', function () {
@@ -243,6 +284,39 @@ describe('test/controllers/registry/package/dist_tag.test.js', function () {
        }, done);
      });
    });
+
+    it('should fire globalHook', function (done) {
+      done = pedding(3, done);
+      mm(config, 'globalHook', function* (envelope) {
+        if (envelope.tag === 'latest') {
+          assert(envelope.version === '1.0.1');
+          assert(envelope.name === '@cnpmtest/dist_tag_test_module_save');
+          assert(envelope.type === 'package');
+          assert(envelope.event === 'package:dist-tag');
+          assert(envelope.tag === 'latest');
+          done();
+        }
+        if (envelope.tag === 'new') {
+          assert(envelope.version === '1.0.1');
+          assert(envelope.name === '@cnpmtest/dist_tag_test_module_save');
+          assert(envelope.type === 'package');
+          assert(envelope.event === 'package:dist-tag');
+          assert(envelope.tag === 'new');
+          done();
+        }
+      })
+      request(app)
+        .put('/-/package/@cnpmtest/dist_tag_test_module_save/dist-tags')
+        .set('authorization', utils.otherUserAuth)
+        .send({
+          latest: '1.0.1',
+          new: '1.0.1'
+        })
+        .expect({
+          ok: 'dist-tags updated'
+        })
+        .expect(201, done);
+    });
  });

  describe('update()', function () {
--- a/test/controllers/registry/package/download.test.js
+++ b/test/controllers/registry/package/download.test.js
@@ -25,12 +25,24 @@ describe('test/controllers/registry/package/download.test.js', function () {
      .expect(200, done);
    });

+    it('should download a file with 200', function (done) {
+      request(app)
+        .get('/@cnpmtest/download-test-module/download/download-test-module-1.0.0.tgz')
+        .expect(200, done);
+    });
+
    it('should alias /:name/-/:filename to /:name/download/:filename', function (done) {
      request(app)
      .get('/@cnpmtest/download-test-module/-/@cnpmtest/download-test-module-1.0.0.tgz')
      .expect(200, done);
    });

+    it('should alias /:name/-/:filename to /:name/download/:filename', function (done) {
+      request(app)
+        .get('/@cnpmtest/download-test-module/-/download-test-module-1.0.0.tgz')
+        .expect(200, done);
+    });
+
    it('should 404 when package not exists', function (done) {
      request(app)
      .get('/@cnpmtest/download-test-module-not-exists/download/@cnpmtest/download-test-module-not-exists-1.0.0.tgz')
--- a/test/controllers/registry/package/list.test.js
+++ b/test/controllers/registry/package/list.test.js
@@ -6,6 +6,7 @@ var request = require('supertest');
 var mm = require('mm');
 var pedding = require('pedding');
 var packageService = require('../../../../services/package');
+var blocklistService = require('../../../../services/blocklist');
 var app = require('../../../../servers/registry');
 var utils = require('../../../utils');
 var config = require('../../../../config');
@@ -20,7 +21,10 @@ describe('test/controllers/registry/package/list.test.js', () => {
    var pkg = utils.getPackage('@cnpmtest/testmodule-list-1', '0.0.1', utils.otherUser);
    pkg.versions['0.0.1'].dependencies = {
      bytetest: '~0.0.1',
-      mocha: '~1.0.0'
+      mocha: '~1.0.0',
+    };
+    pkg.versions['0.0.1'].scripts = {
+      install: 'node -v',
    };
    request(app)
    .put('/' + pkg.name)
@@ -41,6 +45,337 @@ describe('test/controllers/registry/package/list.test.js', () => {
    });
  });

+  describe('config.enableBugVersion = true / false', () => {
+    before(done => {
+      mm(config, 'syncModel', 'all');
+      mm(config, 'enableAbbreviatedMetadata', true);
+      utils.sync('base62', done);
+    });
+
+    before(function* () {
+      let pkg = utils.getPackage('bug-versions', '1.0.0', utils.admin);
+      const packageJSON = pkg.versions['1.0.0'];
+      packageJSON.config = {};
+      packageJSON.config['bug-versions'] = {
+        "base62": {
+          "1.2.5": {
+            "version": "1.2.1",
+            "reason": "ignore post-install script https://github.com/andrew/base62.js/commits/master"
+          }
+        },
+        "request": {
+          "2.84.0": {
+            "version": "2.85.0",
+            "reason": "https://github.com/cnpm/bug-versions/issues/3"
+          }
+        },
+        "@cnpmtest/testmodule-list-bugversion": {
+          "4.14.0": {
+            "version": "4.13.2",
+            "reason": "https://github.com/ali-sdk/ali-oss/pull/382"
+          },
+          "4.14.1": {
+            "version": "4.13.2",
+            "reason": "https://github.com/ali-sdk/ali-oss/pull/382"
+          },
+          "4.14.2": {
+            "version": "1.0.0",
+            "reason": "https://github.com/ali-sdk/ali-oss/pull/382"
+          }
+        }
+      };
+      yield request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.adminAuth)
+        .send(pkg)
+        .expect(201);
+
+      pkg = utils.getPackage('@cnpmtest/testmodule-list-bugversion', '4.14.0', utils.otherUser);
+      pkg.versions['4.14.0'].deprecated = 'mock deprecated exists here';
+      yield request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(201);
+      pkg = utils.getPackage('@cnpmtest/testmodule-list-bugversion', '4.14.1', utils.otherUser);
+      yield request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(201);
+      pkg = utils.getPackage('@cnpmtest/testmodule-list-bugversion', '4.14.2', utils.otherUser);
+      yield request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(201);
+      pkg = utils.getPackage('@cnpmtest/testmodule-list-bugversion', '4.13.2', utils.otherUser);
+      yield request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(201);
+    });
+
+    it('should replace base62\'s bug version 1.2.5 to 1.2.1', function* () {
+      mm(config, 'syncModel', 'all');
+      mm(config, 'enableAbbreviatedMetadata', true);
+      mm(config, 'enableBugVersion', true);
+      mm(config.nfs, 'url', function* (key) {
+        return 'http://foo.test.com' + key;
+      });
+      mm(config, 'downloadRedirectToNFS', true);
+      // https://github.com/cnpm/bug-versions/blob/master/package.json#L201
+      let res = yield request(app)
+        .get('/base62')
+        .expect(200);
+      let data = res.body;
+      assert(data.versions['1.2.5']);
+      assert(data.versions['1.2.1']);
+      assert(data.versions['1.2.5']);
+      assert(data.versions['1.2.1']);
+      assert(data.versions['1.2.5'].version === '1.2.5');
+      assert(data.versions['1.2.5'].deprecated === '[WARNING] Use 1.2.1 instead of 1.2.5, reason: ignore post-install script https://github.com/andrew/base62.js/commits/master');
+      assert(data.versions['1.2.5'].dist.tarball.endsWith('/base62-1.2.1.tgz'));
+      // assert(!data.versions['1.2.1'].deprecated);
+
+      res = yield request(app)
+        .get('/base62')
+        .set('Accept', 'application/vnd.npm.install-v1+json')
+        .expect(200);
+      data = res.body;
+      assert(data.versions['1.2.5']);
+      assert(data.versions['1.2.1']);
+      assert(data.versions['1.2.5'].version === '1.2.5');
+      assert(data.versions['1.2.5'].deprecated);
+      assert(data.versions['1.2.5'].dist.tarball.endsWith('/base62-1.2.1.tgz'));
+      // assert(!data.versions['1.2.1'].deprecated);
+
+      // ignore when sync worker request
+      res = yield request(app)
+        .get('/base62?cache=0')
+        .set('Accept', 'application/vnd.npm.install-v1+json')
+        .expect(200);
+      data = res.body;
+      assert(data.versions['1.2.5']);
+      assert(data.versions['1.2.1']);
+      assert(data.versions['1.2.5'].version === '1.2.5');
+      assert(data.versions['1.2.5'].dist.tarball.endsWith('/base62-1.2.5.tgz'));
+      // assert(!data.versions['1.2.5'].deprecated);
+      res = yield request(app)
+        .get('/base62?cache=0')
+        .expect(200);
+      data = res.body;
+      assert(data.versions['1.2.5']);
+      assert(data.versions['1.2.1']);
+      assert(data.versions['1.2.5'].version === '1.2.5');
+      assert(data.versions['1.2.5'].dist.tarball.endsWith('/base62-1.2.5.tgz'));
+      // assert(!data.versions['1.2.5'].deprecated);
+
+      // dont change download url
+      yield request(app)
+        .get('/base62/download/base62-1.2.5.tgz')
+        .expect('location', 'http://foo.test.com/base62/-/base62-1.2.5.tgz')
+        .expect(302);
+
+      // ignore when enableBugVersion = false
+      mm(config, 'enableBugVersion', false);
+      res = yield request(app)
+        .get('/base62')
+        .set('Accept', 'application/vnd.npm.install-v1+json')
+        .expect(200);
+      data = res.body;
+      assert(data.versions['1.2.5']);
+      assert(data.versions['1.2.1']);
+      assert(data.versions['1.2.5'].version === '1.2.5');
+      assert(data.versions['1.2.5'].dist.tarball.endsWith('/base62-1.2.5.tgz'));
+      // assert(!data.versions['1.2.5'].deprecated);
+
+      yield request(app)
+        .get('/base62/download/base62-1.2.5.tgz')
+        .expect('location', 'http://foo.test.com/base62/-/base62-1.2.5.tgz')
+        .expect(302);
+    });
+
+    it('should replace @cnpmtest/testmodule-list-bugversion bug versions', function* () {
+      mm(config, 'enableBugVersion', true);
+      mm(config, 'enableAbbreviatedMetadata', true);
+      mm(config.nfs, 'url', function* (key) {
+        return 'http://foo.test.com' + key;
+      });
+      mm(config, 'downloadRedirectToNFS', true);
+      // https://github.com/cnpm/bug-versions/blob/master/package.json#L201
+      let res = yield request(app)
+        .get('/@cnpmtest/testmodule-list-bugversion')
+        .expect(200);
+      let data = res.body;
+      assert(data.versions['4.14.0']);
+      assert(data.versions['4.14.1']);
+      assert(data.versions['4.14.2']);
+      assert(data.versions['4.13.2']);
+      assert(data.versions['4.14.0'].version === '4.14.0');
+      assert(data.versions['4.14.1'].version === '4.14.1');
+      assert(data.versions['4.14.0'].deprecated === 'mock deprecated exists here ([WARNING] Use 4.13.2 instead of 4.14.0, reason: https://github.com/ali-sdk/ali-oss/pull/382)');
+      assert(data.versions['4.14.1'].deprecated === '[WARNING] Use 4.13.2 instead of 4.14.1, reason: https://github.com/ali-sdk/ali-oss/pull/382');
+      assert(data.versions['4.14.0'].dist.tarball.endsWith('/@cnpmtest/testmodule-list-bugversion-4.13.2.tgz'));
+      assert(data.versions['4.14.1'].dist.tarball.endsWith('/@cnpmtest/testmodule-list-bugversion-4.13.2.tgz'));
+      assert(data.versions['4.14.2'].dist.tarball.endsWith('/@cnpmtest/testmodule-list-bugversion-4.14.2.tgz'));
+      // 4.14.2 replace bug version 1.0.0 dont exists, dont replace
+      assert(!data.versions['4.14.2'].deprecated);
+      assert(!data.versions['4.13.2'].deprecated);
+
+      // dont change download url
+      yield request(app)
+        .get('/@cnpmtest/testmodule-list-bugversion/download/@cnpmtest/testmodule-list-bugversion-4.14.0.tgz')
+        .expect('location', 'http://foo.test.com/@cnpmtest/testmodule-list-bugversion/-/@cnpmtest/testmodule-list-bugversion-4.14.0.tgz')
+        .expect(302);
+
+      res = yield request(app)
+        .get('/@cnpmtest/testmodule-list-bugversion')
+        .set('Accept', 'application/vnd.npm.install-v1+json')
+        .expect(200);
+      data = res.body;
+      assert(data.versions['4.14.0']);
+      assert(data.versions['4.14.1']);
+      assert(data.versions['4.14.2']);
+      assert(data.versions['4.13.2']);
+      assert(data.versions['4.14.0'].version === '4.14.0');
+      assert(data.versions['4.14.1'].version === '4.14.1');
+      assert(data.versions['4.14.0'].deprecated === 'mock deprecated exists here ([WARNING] Use 4.13.2 instead of 4.14.0, reason: https://github.com/ali-sdk/ali-oss/pull/382)');
+      assert(data.versions['4.14.1'].deprecated === '[WARNING] Use 4.13.2 instead of 4.14.1, reason: https://github.com/ali-sdk/ali-oss/pull/382');
+      assert(data.versions['4.14.0'].dist.tarball.endsWith('/@cnpmtest/testmodule-list-bugversion-4.13.2.tgz'));
+      assert(data.versions['4.14.1'].dist.tarball.endsWith('/@cnpmtest/testmodule-list-bugversion-4.13.2.tgz'));
+      assert(data.versions['4.14.2'].dist.tarball.endsWith('/@cnpmtest/testmodule-list-bugversion-4.14.2.tgz'));
+      // 4.14.2 replace bug version 1.0.0 dont exists, dont replace
+      assert(!data.versions['4.14.2'].deprecated);
+      assert(!data.versions['4.13.2'].deprecated);
+
+      // ignore when sync worker request
+      res = yield request(app)
+        .get('/@cnpmtest/testmodule-list-bugversion?cache=0')
+        .expect(200);
+      data = res.body;
+      assert(data.versions['4.14.0']);
+      assert(data.versions['4.14.1']);
+      assert(data.versions['4.14.2']);
+      assert(data.versions['4.13.2']);
+      assert(data.versions['4.14.0'].version === '4.14.0');
+      assert(data.versions['4.14.1'].version === '4.14.1');
+      assert(data.versions['4.14.0'].deprecated === 'mock deprecated exists here');
+      assert(!data.versions['4.14.1'].deprecated);
+      assert(!data.versions['4.14.2'].deprecated);
+      assert(!data.versions['4.13.2'].deprecated);
+      res = yield request(app)
+        .get('/@cnpmtest/testmodule-list-bugversion?cache=0')
+        .set('Accept', 'application/vnd.npm.install-v1+json')
+        .expect(200);
+      data = res.body;
+      assert(data.versions['4.14.0']);
+      assert(data.versions['4.14.1']);
+      assert(data.versions['4.14.2']);
+      assert(data.versions['4.13.2']);
+      assert(data.versions['4.14.0'].version === '4.14.0');
+      assert(data.versions['4.14.1'].version === '4.14.1');
+      assert(data.versions['4.14.0'].deprecated === 'mock deprecated exists here');
+      assert(!data.versions['4.14.1'].deprecated);
+      assert(!data.versions['4.14.2'].deprecated);
+      assert(!data.versions['4.13.2'].deprecated);
+
+      // ignore when enableBugVersion = false
+      mm(config, 'enableBugVersion', false);
+      res = yield request(app)
+        .get('/@cnpmtest/testmodule-list-bugversion')
+        .expect(200);
+      data = res.body;
+      assert(data.versions['4.14.0']);
+      assert(data.versions['4.14.1']);
+      assert(data.versions['4.14.2']);
+      assert(data.versions['4.13.2']);
+      assert(data.versions['4.14.0'].version === '4.14.0');
+      assert(data.versions['4.14.1'].version === '4.14.1');
+      assert(data.versions['4.14.0'].deprecated === 'mock deprecated exists here');
+      assert(!data.versions['4.14.1'].deprecated);
+      assert(!data.versions['4.14.2'].deprecated);
+      assert(!data.versions['4.13.2'].deprecated);
+
+      res = yield request(app)
+        .get('/@cnpmtest/testmodule-list-bugversion')
+        .set('Accept', 'application/vnd.npm.install-v1+json')
+        .expect(200);
+      data = res.body;
+      assert(data.versions['4.14.0']);
+      assert(data.versions['4.14.1']);
+      assert(data.versions['4.14.2']);
+      assert(data.versions['4.13.2']);
+      assert(data.versions['4.14.0'].version === '4.14.0');
+      assert(data.versions['4.14.1'].version === '4.14.1');
+      assert(data.versions['4.14.0'].deprecated === 'mock deprecated exists here');
+      assert(data.versions['4.14.0'].dist.tarball.endsWith('/@cnpmtest/testmodule-list-bugversion-4.14.0.tgz'));
+      assert(data.versions['4.14.1'].dist.tarball.endsWith('/@cnpmtest/testmodule-list-bugversion-4.14.1.tgz'));
+      assert(data.versions['4.14.2'].dist.tarball.endsWith('/@cnpmtest/testmodule-list-bugversion-4.14.2.tgz'));
+      assert(!data.versions['4.14.1'].deprecated);
+      assert(!data.versions['4.14.2'].deprecated);
+      assert(!data.versions['4.13.2'].deprecated);
+    });
+  });
+
+  describe('block versions', () => {
+    before(function* () {
+      var pkg = utils.getPackage('@cnpmtest/testmodule-list-block', '0.0.1', utils.otherUser);
+      pkg.versions['0.0.1'].dependencies = {
+        bytetest: '~0.0.1',
+        mocha: '~1.0.0',
+      };
+      pkg.versions['0.0.1'].scripts = {
+        install: 'node -v',
+      };
+      yield request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(201);
+      
+      pkg = utils.getPackage('@cnpmtest/testmodule-list-block', '1.0.0', utils.otherUser);
+      pkg.versions['1.0.0'].dependencies = {
+        bytetest: '~0.0.1',
+        mocha: '~1.0.0'
+      };
+      yield request(app)
+        .put('/' + pkg.name)
+        .set('authorization', utils.otherUserAuth)
+        .send(pkg)
+        .expect(201);
+    });
+
+    it('should block one version and all versions', function* () {
+      yield blocklistService.blockPackageVersion('@cnpmtest/testmodule-list-block', '0.0.1', 'unittest');
+      let res = yield request(app)
+        .get('/@cnpmtest/testmodule-list-block')
+        .expect(200);
+      let data = res.body;
+      assert(Object.keys(data.versions).length === 1);
+      assert(data.versions['1.0.0']);
+      assert(!data.versions['0.0.1']);
+
+      res = yield request(app)
+        .get('/@cnpmtest/testmodule-list-block')
+        .set('Accept', 'application/vnd.npm.install-v1+json')
+        .expect(200);
+      data = res.body;
+      assert(Object.keys(data.versions).length === 1);
+      assert(data.versions['1.0.0']);
+      assert(!data.versions['0.0.1']);
+
+      yield blocklistService.blockPackageVersion('@cnpmtest/testmodule-list-block', '*', 'unittest');
+      res = yield request(app)
+        .get('/@cnpmtest/testmodule-list-block')
+        .expect(451);
+      data = res.body;
+      console.log(data);
+      assert(data.error === '[block] package was blocked, reason: unittest');
+    });
+  });
+
  it('should use costomized registry middleware', done => {
    request(app)
    .get('/@cnpmtest/testmodule-list-1')
@@ -49,6 +384,7 @@ describe('test/controllers/registry/package/list.test.js', () => {
      var data = res.body;
      data.name.should.equal('@cnpmtest/testmodule-list-1');
      assert(res.headers['x-custom-middleware'] === 'true');
+      assert(res.headers['x-custom-app-models'] === 'true');
      done();
    });
  });
@@ -229,6 +565,29 @@ describe('test/controllers/registry/package/list.test.js', () => {
    }, done);
  });

+  it('should config.formatCustomFullPackageInfoAndVersions work', async () => {
+    mm(config, 'formatCustomFullPackageInfoAndVersions', (ctx, info) => {
+      console.log('%s %s, query: %j', ctx.method, ctx.url, ctx.query);
+      info.description = '';
+      info.readme = '';
+      for (const version in info.versions) {
+        const item = info.versions[version];
+        item.description = '';
+        item.readme = '';
+      }
+      return info;
+    });
+    const res = await request(app)
+      .get('/@cnpmtest/testmodule-list-1?a=123123');
+    assert(res.status === 200);
+    assert(res.body.description === '');
+    assert(res.body.readme === '');
+    const firstVersion = Object.keys(res.body.versions)[0];
+    assert(firstVersion);
+    assert(res.body.versions[firstVersion].description === '');
+    assert(res.body.versions[firstVersion].readme === '');
+  });
+
  describe.skip('unpublished', () => {
    before(done => {
      mm(config, 'syncModel', 'all');
@@ -319,7 +678,7 @@ describe('test/controllers/registry/package/list.test.js', () => {
          assert(Object.keys(data.versions).length > 0);
          for (const v in data.versions) {
            const pkg = data.versions[v];
-            assert('_hasShrinkwrap' in pkg);
+            // assert('_hasShrinkwrap' in pkg);
            assert(pkg.publish_time && typeof pkg.publish_time === 'number');
            assert(pkg._publish_on_cnpm === undefined);
          }
@@ -327,6 +686,23 @@ describe('test/controllers/registry/package/list.test.js', () => {
        });
    });

+    it('should return abbreviated meta on private package and has hasInstallScript field', () => {
+      mm(config, 'enableAbbreviatedMetadata', true);
+      return request(app)
+        .get('/@cnpmtest/testmodule-list-1')
+        .set('Accept', 'application/vnd.npm.install-v1+json')
+        .expect(200)
+        .expect(res => {
+          const data = res.body;
+          // console.log(JSON.stringify(data, null, 2));
+          assert(data.name === '@cnpmtest/testmodule-list-1');
+          assert(data.modified);
+          assert(data['dist-tags'].latest);
+          assert(data.versions['0.0.1'].hasInstallScript === true);
+          assert(data.versions['0.0.1'].scripts === undefined);
+        });
+    });
+
    it('should return abbreviated meta with cache-control', () => {
      mm(config, 'registryCacheControlHeader', 'max-age=0, s-maxage=10, must-revalidate');
      mm(config, 'syncModel', 'all');
@@ -344,7 +720,7 @@ describe('test/controllers/registry/package/list.test.js', () => {
          assert(Object.keys(data.versions).length > 0);
          for (const v in data.versions) {
            const pkg = data.versions[v];
-            assert('_hasShrinkwrap' in pkg);
+            // assert('_hasShrinkwrap' in pkg);
            assert(pkg.publish_time && typeof pkg.publish_time === 'number');
            assert(pkg._publish_on_cnpm === undefined);
          }
@@ -382,7 +758,7 @@ describe('test/controllers/registry/package/list.test.js', () => {
          assert(Object.keys(data.versions).length > 0);
          for (const v in data.versions) {
            const pkg = data.versions[v];
-            assert('_hasShrinkwrap' in pkg);
+            // assert('_hasShrinkwrap' in pkg);
            assert(pkg.publish_time && typeof pkg.publish_time === 'number');
            assert(pkg._publish_on_cnpm === undefined);
          }
@@ -407,10 +783,10 @@ describe('test/controllers/registry/package/list.test.js', () => {
          assert(Object.keys(data.versions).length > 0);
          for (const v in data.versions) {
            const pkg = data.versions[v];
-            assert('_hasShrinkwrap' in pkg);
+            // assert('_hasShrinkwrap' in pkg);
            assert(pkg.publish_time && typeof pkg.publish_time === 'number');
            assert(pkg._publish_on_cnpm === undefined);
-            assert(pkg.dist.tarball.includes('.tgz?bucket=foo-us1&admin=1&other_urls=http'));
+            assert(pkg.dist.tarball.endsWith('.tgz'));
          }
          assert(/^W\/"\w{32}"$/.test(res.headers.etag));
        });
--- a/test/controllers/registry/package/list_by_user.test.js
+++ b/test/controllers/registry/package/list_by_user.test.js
@@ -46,14 +46,14 @@ describe('test/controllers/registry/package/list_by_user.test.js', function () {
        map['@cnpmtest/list_by_user_module1'].should.be.an.Object();
        map['@cnpmtest/list_by_user_module1'].should.eql({
          name: '@cnpmtest/list_by_user_module1',
-          description: '',
+          description: 'mk2testmodule version description here',
          version: '1.0.1',
        });

        map['@cnpmtest/list_by_user_module2'].should.be.an.Object();
        map['@cnpmtest/list_by_user_module2'].should.eql({
          name: '@cnpmtest/list_by_user_module2',
-          description: '',
+          description: 'mk2testmodule version description here',
          version: '2.0.0',
        });
      })
--- a/test/controllers/registry/package/list_versions.test.js
+++ b/test/controllers/registry/package/list_versions.test.js
@@ -0,0 +1,43 @@
+'use strict';
+
+const should = require('should');
+const request = require('supertest');
+const mm = require('mm');
+const moment = require('moment');
+const config = require('../../../../config');
+const app = require('../../../../servers/registry');
+const utils = require('../../../utils');
+
+describe('test/controllers/registry/package/list_versions.test.js', function () {
+  afterEach(mm.restore);
+
+  before(function (done) {
+    utils.sync('pedding', done);
+  });
+
+  describe('GET /-/allversions', function () {
+    it('should get 200', function (done) {
+      mm(config, 'syncModel', 'all');
+      request(app)
+      .get('/-/allversions?date=' + moment().format('YYYY-MM-DD'))
+      .expect(200, function (err, res) {
+        should.not.exist(err);
+        console.log(res.body);
+        const rows = res.body;
+        rows.length.should.above(0);
+        done();
+      });
+    });
+
+    it('should get 404', function (done) {
+      mm(config, 'syncModel', 'all');
+      request(app)
+      .get('/-/allversions?date=notadsfwe')
+      .expect(400, function (err, res) {
+        should.not.exist(err);
+        res.body.reason.should.equal('[query_parse_error] Invalid value for `date`, should be `YYYY-MM-DD` format.');
+        done();
+      });
+    });
+  });
+});
--- a/test/controllers/registry/package/remove.test.js
+++ b/test/controllers/registry/package/remove.test.js
@@ -65,6 +65,32 @@ describe('test/controllers/registry/package/remove.test.js', function () {
    });
  });

+  it('should not remove nfs', function (done) {
+    let called = false;
+    mm(config, 'unpublishRemoveTarball', false);
+    mm(nfs, 'remove', function* () {
+      called = true;
+    });
+
+    var pkg = utils.getPackage('@cnpmtest/testmodule-remove-2', '3.0.0', utils.otherUser);
+    request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.otherUserAuth)
+      .send(pkg)
+      .expect(201, function() {
+        request(app)
+          .del('/@cnpmtest/testmodule-remove-2/-rev/1')
+          .set('authorization', utils.adminAuth)
+          .expect(200, function (err) {
+            called.should.equal(false);
+            should.not.exist(err);
+            request(app)
+              .get('/@cnpmtest/testmodule-remove-2')
+              .expect(404, done);
+          });
+      });
+  });
+
  describe('mock error', function () {
    beforeEach(function (done) {
      var pkg = utils.getPackage('@cnpmtest/testmodule-remove-mock-1', '2.0.0', utils.admin);
--- a/test/controllers/registry/package/remove_version.test.js
+++ b/test/controllers/registry/package/remove_version.test.js
@@ -7,6 +7,7 @@ var app = require('../../../../servers/registry');
 var utils = require('../../../utils');
 var packageService = require('../../../../services/package');
 var nfs = require('../../../../common/nfs');
+var config = require('../../../../config');

 describe('test/controllers/registry/package/remove_version.test.js', function () {
  afterEach(mm.restore);
@@ -78,6 +79,32 @@ describe('test/controllers/registry/package/remove_version.test.js', function ()
    .expect(200, done);
  });

+  it('should not remove nfs', function (done) {
+    let called = false;
+    mm(config, 'unpublishRemoveTarball', false);
+    mm(nfs, 'remove', function* () {
+      called = true;
+    });
+
+    var pkg = utils.getPackage('@cnpmtest/testmodule-remove_version-2', '3.0.0', utils.otherUser);
+    request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.otherUserAuth)
+      .send(pkg)
+      .expect(201, function() {
+        request(app)
+          .del('/@cnpmtest/testmodule-remove_version-2/download/@cnpmtest/testmodule-remove_version-2-3.0.0.tgz/-rev/1')
+          .set('authorization', utils.adminAuth)
+          .expect(200, function (err) {
+            called.should.equal(false);
+            should.not.exist(err);
+            request(app)
+              .get('/@cnpmtest/testmodule-remove-2')
+              .expect(404, done);
+          });
+      });
+  });
+
  describe('mock error', function () {
    before(function (done) {
      var pkg = utils.getPackage('@cnpmtest/testmodule-remove_version-1', '0.0.2', utils.otherUser);
--- a/test/controllers/registry/package/save.test.js
+++ b/test/controllers/registry/package/save.test.js
@@ -6,17 +6,18 @@ var request = require('supertest');
 var pedding = require('pedding');
 var mm = require('mm');
 var packageService = require('../../../../services/package');
+var tokenService = require('../../../../services/token');
 var app = require('../../../../servers/registry');
 var config = require('../../../../config');
 var utils = require('../../../utils');

-describe('test/controllers/registry/package/save.test.js', function () {
+describe('test/controllers/registry/package/save.test.js', () => {
  afterEach(mm.restore);

  describe('no @scoped package', function () {
    beforeEach(function () {
      mm(config, 'syncModel', 'all');
-      mm(config, 'privatePackages', ['testmodule-new-1', 'testmodule-new-2', 'testmodule-no-latest']);
+      mm(config, 'privatePackages', ['testmodule-new-1', 'testmodule-new-2', 'testmodule-no-latest', 'testmodule-new-4']);
    });

    before(function (done) {
@@ -45,22 +46,112 @@ describe('test/controllers/registry/package/save.test.js', function () {
      });
    });

-    it('should publish new version package and save dependencies', function (done) {
+    it('should publish new version package and save dependencies', done => {
      request(app)
      .get('/testmodule-new-1')
      .expect(200, function (err, res) {
-        should.not.exist(err);
+        assert(!err);
        var data = res.body;
-        data.name.should.equal('testmodule-new-1');
-        Object.keys(data.versions).should.eql(['0.0.1']);
-        data.versions['0.0.1'].dependencies.should.eql({
+        assert(data.name === 'testmodule-new-1');
+        assert.deepStrictEqual(Object.keys(data.versions), ['0.0.1']);
+        assert.deepStrictEqual(data.versions['0.0.1'].dependencies, {
          'bytetest-1': '~0.0.1',
          mocha: '~1.0.0'
        });
+        // should has integrity with sha512
+        assert(data.versions['0.0.1'].dist.integrity === 'sha512-n+4CQg0Rp1Qo0p9a0R5E5io67T9iD3Lcgg6exmpmt0s8kd4XcOoHu2kiu6U7xd69cGq0efkNGWUBP229ObfRSA==');
+        assert(data.versions['0.0.1'].dist.shasum === 'fa475605f88bab9b1127833633ca3ae0a477224c');
        done();
      });
    });

+    it('should publish error on shasum invaild', done => {
+      mm(config, 'privatePackages', ['testmodule-new-1']);
+      var pkg = utils.getPackage('testmodule-new-1', '0.0.88', utils.admin);
+      pkg.versions['0.0.88'].dependencies = {
+        'bytetest-1': '~0.0.1',
+        mocha: '~1.0.0'
+      };
+      pkg.versions['0.0.88'].dist.shasum = 'fa475605f88bab9b1127833633ca3ae0a47wrong';
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(400, function (err, res) {
+        assert(!err);
+        assert(res.body.error === '[invalid] dist.shasum invalid');
+        assert(res.body.reason === '[invalid] dist.shasum invalid');
+        done();
+      });
+    });
+
+    it('should publish error on integrity invaild', done => {
+      mm(config, 'privatePackages', ['testmodule-new-1']);
+      var pkg = utils.getPackage('testmodule-new-1', '0.0.88', utils.admin);
+      pkg.versions['0.0.88'].dependencies = {
+        'bytetest-1': '~0.0.1',
+        mocha: '~1.0.0'
+      };
+      pkg.versions['0.0.88'].dist.integrity = 'sha512-n+4CQg0Rp1Qo0p9a0R5E5io67T9iD3Lcgg6exmpmt0s8kd4XcOoHu2kiu6U7xd69cGq0efkNGWUBP229ObfBBB==';
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(400, function (err, res) {
+        assert(!err);
+        assert(res.body.error === '[invalid] dist.integrity invalid');
+        assert(res.body.reason === '[invalid] dist.integrity invalid');
+        done();
+      });
+    });
+
+    it('should publish success with integrity and shasum', done => {
+      mm(config, 'privatePackages', ['testmodule-new-1']);
+      var pkg = utils.getPackage('testmodule-new-1', '0.0.88', utils.admin);
+      pkg.versions['0.0.88'].dependencies = {
+        'bytetest-1': '~0.0.1',
+        mocha: '~1.0.0'
+      };
+      pkg.versions['0.0.88'].dist.integrity = 'sha512-n+4CQg0Rp1Qo0p9a0R5E5io67T9iD3Lcgg6exmpmt0s8kd4XcOoHu2kiu6U7xd69cGq0efkNGWUBP229ObfRSA==';
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(201, done);
+    });
+
+    it('should publish success with integrity and without shasum', done => {
+      mm(config, 'privatePackages', ['testmodule-new-1']);
+      var pkg = utils.getPackage('testmodule-new-1', '0.0.881', utils.admin);
+      pkg.versions['0.0.881'].dependencies = {
+        'bytetest-1': '~0.0.1',
+        mocha: '~1.0.0'
+      };
+      pkg.versions['0.0.881'].dist.integrity = 'sha512-n+4CQg0Rp1Qo0p9a0R5E5io67T9iD3Lcgg6exmpmt0s8kd4XcOoHu2kiu6U7xd69cGq0efkNGWUBP229ObfRSA==';
+      delete pkg.versions['0.0.881'].dist;
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(201, done);
+    });
+
+    it('should publish success without integrity and without shasum', done => {
+      mm(config, 'privatePackages', ['testmodule-new-1']);
+      var pkg = utils.getPackage('testmodule-new-1', '0.0.882', utils.admin);
+      pkg.versions['0.0.882'].dependencies = {
+        'bytetest-1': '~0.0.1',
+        mocha: '~1.0.0'
+      };
+      delete pkg.versions['0.0.882'].dist.integrity;
+      delete pkg.versions['0.0.882'].dist;
+      request(app)
+      .put('/' + pkg.name)
+      .set('authorization', utils.adminAuth)
+      .send(pkg)
+      .expect(201, done);
+    });
+
    it('should publish new package and fire globalHook', done => {
      done = pedding(done, 2);
      mm(config, 'globalHook', function* (envelope) {
@@ -172,6 +263,20 @@ describe('test/controllers/registry/package/save.test.js', function () {
      .expect(400, done);
    });

+    it('should publish use token', function* () {
+      var token = yield tokenService.createToken(utils.admin);
+
+      var pkg = utils.getPackageWithToken('testmodule-new-3', '0.0.1', utils.admin);
+
+      yield request(app)
+        .put('/' + pkg.name)
+        .set('authorization', 'Bearer ' + token.token)
+        .send(pkg)
+        .expect(201);
+
+      yield tokenService.deleteToken(utils.admin, token.token);
+    });
+
    it('should 400 when dist-tags missing', function (done) {
      var pkg = utils.getPackage('testmodule-new-1', '0.0.1', utils.admin);
      delete pkg['dist-tags'];
@@ -200,6 +305,27 @@ describe('test/controllers/registry/package/save.test.js', function () {
      .expect(403, done);
    });

+    it('should publish when maintainers dont contain current user in token mode', function* () {
+      var token = yield tokenService.createToken(utils.admin);
+
+      var pkg = utils.getPackage('testmodule-new-4', '0.0.1', utils.admin);
+      pkg.versions['0.0.1'].maintainers[0].name += '-testuser';
+
+      yield request(app)
+        .put('/' + pkg.name)
+        .set('authorization', 'Bearer ' + token.token)
+        .send(pkg)
+        .expect(201);
+
+      yield tokenService.deleteToken(utils.admin, token.token);
+
+      var maintainers = yield packageService.listMaintainers(pkg.name);
+      maintainers.should.eql([{
+        name: 'cnpmjstest10',
+        email: 'fengmk2@gmail.com',
+      }]);
+    });
+
    it('should 400 when attachments missing', function (done) {
      var pkg = utils.getPackage('testmodule-new-1', '0.0.1', utils.admin);
      delete pkg._attachments;
--- a/test/controllers/registry/package/show.test.js
+++ b/test/controllers/registry/package/show.test.js
@@ -1,5 +1,6 @@
 'use strict';

+var assert = require('assert');
 var should = require('should');
 var request = require('supertest');
 var mm = require('mm');
@@ -141,7 +142,7 @@ describe('test/controllers/registry/package/show.test.js', function () {
    });
  });

-  it('should return other_urls on query exists', function (done) {
+  it('should ignore query', function (done) {
    request(app)
    .get('/@cnpmtest/testmodule-show/latest?bucket=us1')
    .expect(200, function (err, res) {
@@ -152,7 +153,7 @@ describe('test/controllers/registry/package/show.test.js', function () {
      data['dist-tags'].should.eql({
        latest: '1.1.0',
      });
-      data.dist.tarball.should.equal('http://r.cnpmjs.org/@cnpmtest/testmodule-show/download/@cnpmtest/testmodule-show-1.1.0.tgz?bucket=us1&other_urls=http%3A%2F%2Fr.cnpmjs.org%2F%40cnpmtest%2Ftestmodule-show%2Fdownload%2F%40cnpmtest%2Ftestmodule-show-1.1.0.tgz');
+      data.dist.tarball.should.equal('http://r.cnpmjs.org/@cnpmtest/testmodule-show/download/@cnpmtest/testmodule-show-1.1.0.tgz');
      done();
    });
  });
@@ -184,6 +185,20 @@ describe('test/controllers/registry/package/show.test.js', function () {
    .expect(404, done);
  });

+  it('should config.formatCustomOnePackageVersion work', async () => {
+    mm(config, 'formatCustomOnePackageVersion', (ctx, packageVersion) => {
+      console.log('%s %s, query: %j', ctx.method, ctx.url, ctx.query);
+      packageVersion.description = '';
+      packageVersion.readme = '';
+      return packageVersion;
+    });
+    const res = await request(app)
+      .get('/@cnpmtest/testmodule-show/0.0.1?b=123123');
+    assert(res.status === 200);
+    assert(res.body.description === '');
+    assert(res.body.readme === '');
+  });
+
  describe('show sync package', function () {
    before(function (done) {
      utils.sync('baidu', done);
--- a/test/controllers/registry/package/update.test.js
+++ b/test/controllers/registry/package/update.test.js
@@ -1,5 +1,6 @@
 'use strict';

+var assert = require('assert');
 var should = require('should');
 var request = require('supertest');
 var mm = require('mm');
@@ -119,6 +120,13 @@ describe('test/controllers/registry/package/update.test.js', function () {
    });

    it('should add again new maintainers', function (done) {
+      done = pedding(done, 2);
+      mm(config, 'globalHook', function* (envelope) {
+        assert(envelope.name === '@cnpmtest/testmodule-update-1');
+        assert(envelope.type === 'package');
+        assert(envelope.event === 'package:owner');
+        done();
+      });
      request(app)
      .put('/@cnpmtest/testmodule-update-1/-rev/1')
      .send({
@@ -171,6 +179,14 @@ describe('test/controllers/registry/package/update.test.js', function () {
    });

    it('should rm maintainers', function (done) {
+      done = pedding(done, 2);
+      mm(config, 'globalHook', function* (envelope) {
+        assert(envelope.name === '@cnpmtest/testmodule-update-1');
+        assert(envelope.type === 'package');
+        assert(envelope.event === 'package:owner-rm');
+        done();
+      });
+
      request(app)
      .put('/@cnpmtest/testmodule-update-1/-rev/1')
      .send({
--- a/test/controllers/registry/token/create.test.js
+++ b/test/controllers/registry/token/create.test.js
@@ -0,0 +1,104 @@
+'use strict';
+
+var should = require('should');
+var request = require('supertest');
+var app = require('../../../../servers/registry');
+var tokenService = require('../../../../services/token');
+var TestUtil = require('../../../utils');
+var create = require('../../../../controllers/registry/token/create');
+
+describe('test/controllers/registry/token/create.test.js', function () {
+  describe('POST /-/npm/v1/tokens', function () {
+    var token;
+
+    beforeEach(function* () {
+      token = yield tokenService.createToken(TestUtil.admin);
+    });
+
+    afterEach(function* () {
+      yield tokenService.deleteToken(TestUtil.admin, token.token);
+    });
+
+    it('should work', function (done) {
+      request(app)
+        .post('/-/npm/v1/tokens')
+        .set('authorization', 'Bearer ' + token.token)
+        .send({
+          password: TestUtil.admin,
+          readonly: true,
+          cidr_whitelist: [ '127.0.0.1' ],
+        })
+        .expect(201, function (err, res) {
+          should.not.exist(err);
+          res.body.should.have.keys('token', 'key', 'cidr_whitelist', 'readonly', 'created', 'updated');
+          res.body.readonly.should.equal(true);
+          res.body.cidr_whitelist.should.deepEqual([ '127.0.0.1' ]);
+          done();
+        });
+    });
+
+    describe('password is wrong', function () {
+      it('should 401', function (done) {
+        request(app)
+          .post('/-/npm/v1/tokens')
+          .set('authorization', 'Bearer ' + token.token)
+          .send({
+            password: 'wrong password',
+            readonly: true,
+            cidr_whitelist: [ '127.0.0.1' ],
+          })
+          .expect(401, done);
+      });
+    });
+
+    describe('client error', function () {
+      it('should check readonly', function (done) {
+        request(app)
+          .post('/-/npm/v1/tokens')
+          .set('authorization', 'Bearer ' + token.token)
+          .send({
+            password: TestUtil.admin,
+            readonly: 'true',
+            cidr_whitelist: [ '127.0.0.1' ],
+          })
+          .expect(400, done);
+      });
+
+      it('should check cird', function (done) {
+        request(app)
+          .post('/-/npm/v1/tokens')
+          .set('authorization', 'Bearer ' + token.token)
+          .send({
+            password: TestUtil.admin,
+            readonly: true,
+            cidr_whitelist: [ 'xxx.0.0.1' ],
+          })
+          .expect(400, done);
+      });
+    });
+  });
+
+  describe('inject tokenService', () => {
+    it('should work', function* () {
+      const ctx = {
+        request: {
+          body: {
+            readonly: false,
+            cidr_whitelist: [],
+            password: TestUtil.admin,
+          },
+        },
+        user: {
+          name: TestUtil.admin,
+        },
+        tokenService: {
+          createToken(userId) {
+            return `${userId}:token`
+          }
+        },
+      };
+      yield Reflect.apply(create, ctx, []);
+      ctx.body.should.equal(`${TestUtil.admin}:token`);
+    });
+  });
+});
--- a/test/controllers/registry/token/del.test.js
+++ b/test/controllers/registry/token/del.test.js
@@ -0,0 +1,24 @@
+'use strict';
+
+var should = require('should');
+var app = require('../../../../servers/registry');
+var request = require('supertest');
+var tokenService = require('../../../../services/token');
+var TestUtil = require('../../../utils');
+
+describe('test/controllers/registry/token/del.test.js', function () {
+  describe('DELETE /-/npm/v1/tokens', function () {
+    var token;
+
+    beforeEach(function* () {
+      token = yield tokenService.createToken(TestUtil.admin);
+    });
+
+    it('should work', function (done) {
+      request(app)
+        .delete(`/-/npm/v1/tokens/token/${token.token}`)
+        .set('authorization', 'Bearer ' + token.token)
+        .expect(204, done);
+    });
+  });
+});
--- a/test/controllers/registry/token/list.test.js
+++ b/test/controllers/registry/token/list.test.js
@@ -0,0 +1,62 @@
+'use strict';
+
+var should = require('should');
+var app = require('../../../../servers/registry');
+var request = require('supertest');
+var tokenService = require('../../../../services/token');
+var TestUtil = require('../../../utils');
+
+describe('test/controllers/registry/token/list.test.js', function () {
+  describe('GET /-/npm/v1/tokens', function () {
+    var token;
+
+    beforeEach(function* () {
+      token = yield tokenService.createToken(TestUtil.admin);
+    });
+
+    afterEach(function* () {
+      yield tokenService.deleteToken(TestUtil.admin, token.token);
+    });
+
+    it('should work', function (done) {
+      request(app)
+        .get(`/-/npm/v1/tokens`)
+        .set('authorization', 'Bearer ' + token.token)
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          should.exist(res.body.objects);
+          done();
+        });
+    });
+
+    describe('client error', function () {
+      it('should check perPage is number', function (done) {
+        request(app)
+          .get(`/-/npm/v1/tokens?perPage=xxx`)
+          .set('authorization', 'Bearer ' + token.token)
+          .expect(400, done);
+      });
+
+      it('should check perPage in boundary', function (done) {
+        request(app)
+          .get(`/-/npm/v1/tokens?perPage=999999999`)
+          .set('authorization', 'Bearer ' + token.token)
+          .expect(400, done);
+      });
+
+      it('should check page is number', function (done) {
+        request(app)
+          .get(`/-/npm/v1/tokens?page=xxx`)
+          .set('authorization', 'Bearer ' + token.token)
+          .expect(400, done);
+      });
+
+      it('should check page gt 0', function (done) {
+        request(app)
+          .get(`/-/npm/v1/tokens?page=-4`)
+          .set('authorization', 'Bearer ' + token.token)
+          .expect(400, done);
+      });
+    });
+  });
+});
--- a/test/controllers/registry/user/add.test.js
+++ b/test/controllers/registry/user/add.test.js
@@ -127,7 +127,7 @@ describe('test/controllers/registry/user/add.test.js', function () {
      })
      .expect(201, function (err, res) {
        should.not.exist(err);
-        res.body.should.have.keys('ok', 'id', 'rev');
+        res.body.should.have.keys('ok', 'id', 'rev', 'token');
        res.body.id.should.equal('org.couchdb.user:cnpmjstest11111');
        res.body.rev.should.match(/\d+\-cnpmjstest11111/);
        res.body.ok.should.equal(true);
--- a/test/controllers/registry/user/ping.test.js
+++ b/test/controllers/registry/user/ping.test.js
@@ -0,0 +1,78 @@
+'use strict';
+
+var should = require('should');
+var request = require('supertest');
+var mm = require('mm');
+var app = require('../../../../servers/registry');
+var config = require('../../../../config');
+var tokenService = require('../../../../services/token');
+var TestUtil = require('../../../utils');
+
+describe('test/controllers/registry/user/ping.test.js', function () {
+  afterEach(mm.restore);
+
+  describe('/-/ping', function () {
+    var token;
+
+    beforeEach(function* () {
+      mm(config, 'syncModel', 'all');
+      token = yield tokenService.createToken(TestUtil.admin);
+    });
+
+    afterEach(function* () {
+      yield tokenService.deleteToken(TestUtil.admin, token.token);
+    });
+
+    describe('with write', function () {
+      describe('has login', function () {
+        it('should work', function (done) {
+          request(app)
+            .get('/-/ping?write=true')
+            .set('authorization', 'Bearer ' + token.token)
+            .expect(200, function (err) {
+              should.not.exist(err);
+              done();
+            });
+        });
+      });
+
+      describe('has not login', function () {
+        it('should work', function (done) {
+          request(app)
+            .get('/-/ping?write=true')
+            .set('authorization', 'Bearer mock_token')
+            .expect(401, function (err) {
+              should.not.exist(err);
+              done();
+            });
+        });
+      });
+    });
+
+    describe('with not write', function () {
+      describe('has login', function () {
+        it('should work', function (done) {
+          request(app)
+            .get('/-/ping')
+            .set('authorization', 'Bearer ' + token.token)
+            .expect(200, function (err) {
+              should.not.exist(err);
+              done();
+            });
+        });
+      });
+
+      describe('has not login', function () {
+        it('should work', function (done) {
+          request(app)
+            .get('/-/ping')
+            .set('authorization', 'Bearer ' + token.token)
+            .expect(200, function (err) {
+              should.not.exist(err);
+              done();
+            });
+        });
+      });
+    });
+  });
+});
--- a/test/controllers/registry/user/show.test.js
+++ b/test/controllers/registry/user/show.test.js
@@ -31,7 +31,7 @@ describe('test/controllers/registry/user/show.test.js, GET /-/user/org.couchdb.u
    });
  });

-  it('should return npm user info', function (done) {
+  it.skip('should return npm user info', function (done) {
    request(app)
    .get('/-/user/org.couchdb.user:fengmk2')
    .expect(200, function (err, res) {
@@ -57,7 +57,7 @@ describe('test/controllers/registry/user/show.test.js, GET /-/user/org.couchdb.u
      mm(config, 'customUserService', true);
    });

-    it('should show npm user', function (done) {
+    it.skip('should show npm user', function (done) {
      request(app)
      .get('/-/user/org.couchdb.user:fengmk2')
      .expect(200, function (err, res) {
--- a/test/controllers/registry/user/whoami.test.js
+++ b/test/controllers/registry/user/whoami.test.js
@@ -0,0 +1,37 @@
+'use strict';
+
+var should = require('should');
+var request = require('supertest');
+var mm = require('mm');
+var app = require('../../../../servers/registry');
+var config = require('../../../../config');
+var tokenService = require('../../../../services/token');
+var TestUtil = require('../../../utils');
+
+describe('test/controllers/registry/user/whoami.test.js', function () {
+  afterEach(mm.restore);
+
+  describe('/-/whoami', function () {
+    var token;
+
+    beforeEach(function* () {
+      mm(config, 'syncModel', 'all');
+      token = yield tokenService.createToken(TestUtil.admin);
+    });
+
+    afterEach(function* () {
+      yield tokenService.deleteToken(TestUtil.admin, token.token);
+    });
+
+    it('should work', function (done) {
+      request(app)
+        .get('/-/whoami')
+        .set('authorization', 'Bearer ' + token.token)
+        .expect(200, function (err, res) {
+          should.not.exist(err);
+          res.body.username.should.eql(TestUtil.admin);
+          done();
+        });
+    });
+  });
+});
--- a/test/controllers/registry/user_package.test.js
+++ b/test/controllers/registry/user_package.test.js
@@ -49,8 +49,8 @@ describe('test/controllers/registry/user_package.test.js', function () {
        should.not.exist(err);
        res.body.fengmk2.should.be.an.Array();
        res.body.fengmk2.should.containEql('pedding');
-        res.body['dead-horse'].should.be.an.Array();
-        res.body['dead-horse'].should.containEql('pedding');
+        // res.body['dead-horse'].should.be.an.Array();
+        // res.body['dead-horse'].should.containEql('pedding');
        done();
      });

@@ -60,8 +60,8 @@ describe('test/controllers/registry/user_package.test.js', function () {
        should.not.exist(err);
        res.body.fengmk2.should.be.an.Array();
        res.body.fengmk2.should.containEql('pedding');
-        res.body['dead-horse'].should.be.an.Array();
-        res.body['dead-horse'].should.containEql('pedding');
+        // res.body['dead-horse'].should.be.an.Array();
+        // res.body['dead-horse'].should.containEql('pedding');
        done();
      });
    });
--- a/test/controllers/sync_module_worker.test.js
+++ b/test/controllers/sync_module_worker.test.js
@@ -1,13 +1,16 @@
 'use strict';

 var assert = require('assert');
+var awaitEvent = require('await-event');
 var should = require('should');
 var mm = require('mm');
 var thunkify = require('thunkify-wrap');
 var request = require('supertest');
 var urllib = require('urllib');
 var urlparse = require('url').parse;
+var fs = require('mz/fs');
 var config = require('../../config');
+var common = require('../../lib/common');
 var SyncModuleWorker = require('../../controllers/sync_module_worker');
 var logService = require('../../services/module_log');
 var packageService = require('../../services/package');
@@ -143,6 +146,185 @@ describe('test/controllers/sync_module_worker.test.js', () => {
    yield end();
  });

+  it('should sync mk2test-module-cnpmsync add os, cpu success', function* () {
+    mm(config, 'enableAbbreviatedMetadata', true);
+    mm(config, 'sourceNpmRegistry', 'https://registry.npmjs.com');
+    var log = yield logService.create({
+      name: 'mk2test-module-cnpmsync',
+      username: 'fengmk2',
+    });
+    log.id.should.above(0);
+    var worker = new SyncModuleWorker({
+      logId: log.id,
+      name: 'mk2test-module-cnpmsync',
+      username: 'fengmk2',
+      noDep: true,
+    });
+    worker.start();
+    var end = thunkify.event(worker, 'end');
+    yield end();
+
+    let pkg;
+    let pkgV2;
+    let pkgV3;
+    let lastResHeaders;
+    function checkResult() {
+      return function (done) {
+        request(app)
+        .get('/mk2test-module-cnpmsync')
+        .set('accept', 'application/vnd.npm.install-v1+json')
+        .expect(function (res) {
+          lastResHeaders = res.headers;
+          pkg = res.body.versions['1.0.0'];
+          assert(pkg.os[0] === 'linux');
+          assert(pkg.cpu[0] === 'x64');
+          assert(!pkg.peerDependenciesMeta);
+          pkgV2 = res.body.versions['2.0.0'];
+          assert(pkgV2.os[0] === 'linux');
+          assert(pkgV2.cpu[0] === 'x64');
+          assert(pkgV2.peerDependenciesMeta);
+          pkgV3 = res.body.versions['3.0.0'];
+          assert(!pkgV3.os);
+          assert(!pkgV3.cpu);
+          assert(pkgV3.peerDependenciesMeta);
+        })
+        .expect(200, done);
+      };
+    }
+    yield checkResult();
+    const oldEtag = lastResHeaders.etag;
+    // check etag keep same again
+    yield checkResult();
+    assert(oldEtag == lastResHeaders.etag);
+
+    // modify result
+    yield packageService.updateModuleAbbreviatedPackage({
+      name: pkg.name,
+      version: pkg.version,
+      os: undefined,
+      cpu: undefined,
+      peerDependenciesMeta: undefined,
+    });
+
+    yield packageService.updateModuleAbbreviatedPackage({
+      name: pkgV2.name,
+      version: pkgV2.version,
+      os: undefined,
+      cpu: undefined,
+      peerDependenciesMeta: undefined,
+    });
+    yield packageService.updateModuleAbbreviatedPackage({
+      name: pkgV3.name,
+      version: pkgV3.version,
+      peerDependenciesMeta: undefined,
+    });
+
+    function checkModifiyResult() {
+      return function (done) {
+        request(app)
+        .get('/mk2test-module-cnpmsync')
+        .set('accept', 'application/vnd.npm.install-v1+json')
+        .expect(function (res) {
+          // console.log(JSON.stringify(res.body, null, 2));
+          assert(!res.body.versions['1.0.0'].os);
+          assert(!res.body.versions['1.0.0'].cpu);
+          assert(!res.body.versions['2.0.0'].peerDependenciesMeta);
+          assert(!res.body.versions['3.0.0'].peerDependenciesMeta);
+        })
+        .expect(200, done);
+      };
+    }
+    yield checkModifiyResult();
+
+    // sync again
+    worker = new SyncModuleWorker({
+      logId: log.id,
+      name: 'mk2test-module-cnpmsync',
+      username: 'fengmk2',
+      noDep: true,
+    });
+    worker.start();
+    end = thunkify.event(worker, 'end');
+    yield end();
+
+    // check again still work
+    yield checkResult();
+    const newEtag = lastResHeaders.etag;
+    assert(newEtag !== oldEtag);
+
+    // check etag keep same again
+    yield checkResult();
+    assert(newEtag == lastResHeaders.etag);
+  });
+
+  it('should sync mk2test-module-cnpmsync-issue-1667 with remoteAbbreviatedVersion success', function* () {
+    mm(config, 'enableAbbreviatedMetadata', true);
+    mm(config, 'sourceNpmRegistry', 'https://registry.npmjs.com');
+    var log = yield logService.create({
+      name: 'mk2test-module-cnpmsync-issue-1667',
+      username: 'fengmk2',
+    });
+    log.id.should.above(0);
+    var worker = new SyncModuleWorker({
+      logId: log.id,
+      name: 'mk2test-module-cnpmsync-issue-1667',
+      username: 'fengmk2',
+      noDep: true,
+    });
+    worker.start();
+    var end = thunkify.event(worker, 'end');
+    yield end();
+
+    let pkg;
+    let pkgV2;
+    let pkgV3;
+    let lastResHeaders;
+    function checkResult() {
+      return function (done) {
+        request(app)
+        .get('/mk2test-module-cnpmsync-issue-1667')
+        .set('accept', 'application/vnd.npm.install-v1+json')
+        .expect(function (res) {
+          lastResHeaders = res.headers;
+          console.log('%j', res.body);
+          pkg = res.body.versions['3.0.0'];
+          assert(pkg.hasInstallScript === true);
+          // no scripts
+          assert(!pkg.scripts);
+          assert(pkg.dist.key === '/mk2test-module-cnpmsync-issue-1667/-/mk2test-module-cnpmsync-issue-1667-3.0.0.tgz');
+          assert(!('noattachment' in pkg.dist));
+        })
+        .expect(200, done);
+      };
+    }
+    yield checkResult();
+
+    function checkFullResult() {
+      return function (done) {
+        request(app)
+        .get('/mk2test-module-cnpmsync-issue-1667')
+        .set('accept', 'application/json')
+        .expect(function (res) {
+          lastResHeaders = res.headers;
+          console.log('%j', res.body);
+          pkg = res.body.versions['3.0.0'];
+          assert(pkg.hasInstallScript === true);
+          // has scripts
+          assert(pkg.scripts);
+          // console.log(pkg.dist);
+          assert(pkg.dist.key === '/mk2test-module-cnpmsync-issue-1667/-/mk2test-module-cnpmsync-issue-1667-3.0.0.tgz');
+          assert(pkg.dist.integrity === 'sha512-pwnnZyjvr29UxwFAIx7xHvVCkFpGVAYgaFllr/m5AZoD1CR2uHHPw16ISEO/A2rZ0WM3UoAghwd5bAZ4pYzD2Q==');
+          assert(pkg.dist.shasum === 'c31af371a6cdc10dd5b9ad26625a4c863249198d');
+          assert(pkg.dist.fileCount === 2);
+          assert(pkg.dist.unpackedSize === 232);
+          assert(pkg.dist.size === 271);
+        })
+        .expect(200, done);
+      };
+    }
+    yield checkFullResult();
+  });
+
  it('should sync upstream first', function* () {
    mm(config, 'sourceNpmRegistryIsCNpm', true);
    var log = yield logService.create({
@@ -307,7 +489,7 @@ describe('test/controllers/sync_module_worker.test.js', () => {
    console.log('get %d rows', rows.length);
    rows.forEach(row => {
      assert(row.package.deprecated);
-      assert(row.package._hasShrinkwrap === false);
+      // assert(row.package._hasShrinkwrap === false);
    });

    // mock deprecated missing
@@ -455,4 +637,353 @@ describe('test/controllers/sync_module_worker.test.js', () => {
      });
    });
  });
+
+  describe('save backup files', function () {
+    const pkgName = 'backup-test';
+
+    beforeEach(() => {
+      mm(config, 'syncBackupFiles', true);
+    });
+
+    describe('package not exists', () => {
+      const mockPackageJson = {
+        name: pkgName,
+        version: '1.0.0',
+        description: 'foo',
+      };
+
+      beforeEach(() => {
+        mm(packageService, 'listModulesByName', function* () {
+          return [
+            { name: pkgName, version: '1.0.0' },
+          ];
+        });
+        mm(packageService, 'showPackage', function* () {
+          return { package: mockPackageJson };
+        });
+      });
+
+      afterEach(function* () {
+        yield config.nfs.remove(common.getPackageFileCDNKey(pkgName, '1.0.0'));
+      });
+
+      it('should upload new file', function* () {
+        var worker = new SyncModuleWorker({
+          name: pkgName,
+          username: 'fengmk2',
+        });
+        yield worker._saveBackupFiles();
+
+        const cdnKey = common.getPackageFileCDNKey(pkgName, '1.0.0');
+        const filePath = '/tmp/tnpm-1.0.0.json';
+        yield config.nfs.download(cdnKey, filePath);
+        const fileContent = yield fs.readFile(filePath, 'utf8');
+        const packageJson = JSON.parse(fileContent);
+        assert.deepStrictEqual(packageJson, mockPackageJson);
+      });
+    });
+
+    describe('new dist tag', () => {
+      beforeEach(() => {
+        mm(packageService, 'listModulesByName', function* () {
+          return [];
+        });
+        mm(packageService, 'listModuleTags', function* () {
+          return [
+            { tag: 'latest', version: '1.0.0' },
+          ];
+        });
+      });
+
+      afterEach(function* () {
+        yield config.nfs.remove(common.getDistTagCDNKey(pkgName, 'latest'));
+      });
+
+      it('should create dist-tag file', function* () {
+        var worker = new SyncModuleWorker({
+          name: pkgName,
+          username: 'fengmk2',
+        });
+        yield worker._saveBackupFiles();
+
+        const cdnKey = common.getDistTagCDNKey(pkgName, 'latest');
+        const filePath = '/tmp/tnpm-dist-tag.json';
+        yield config.nfs.download(cdnKey, filePath);
+        const fileContent = yield fs.readFile(filePath, 'utf8');
+        assert(fileContent === '1.0.0');
+      });
+    });
+
+    describe('remove dist tag', () => {
+      beforeEach(function* () {
+        mm(packageService, 'listModulesByName', function* () {
+          return [];
+        });
+        mm(packageService, 'listModuleTags', function* () {
+          return [];
+        });
+        const cdnKey = common.getDistTagCDNKey(pkgName, 'latest');
+        const filePath = '/tmp/tnpm-dist-tag.json';
+        yield fs.writeFile(filePath, '1.0.0');
+        yield config.nfs.upload(filePath, {
+          key: cdnKey,
+        });
+      });
+
+      it('should delete', function* () {
+        var worker = new SyncModuleWorker({
+          name: pkgName,
+          username: 'fengmk2',
+        });
+        yield worker._saveBackupFiles();
+
+        const cdnKey = common.getDistTagCDNKey(pkgName, 'latest');
+        let err;
+        try {
+          const filePath = '/tmp/tnpm-dist-tag.json';
+          yield config.nfs.download(cdnKey, filePath);
+        } catch (e) {
+          err = e;
+        }
+        assert(/ENOENT/.test(err));
+      });
+    });
+
+    describe('update dist tag', () => {
+      beforeEach(function* () {
+        mm(packageService, 'listModulesByName', function* () {
+          return [];
+        });
+        mm(packageService, 'listModuleTags', function* () {
+          return [
+            { tag: 'latest', version: '1.0.1' },
+          ];
+        });
+        const cdnKey = common.getDistTagCDNKey(pkgName, 'latest');
+        const filePath = '/tmp/tnpm-dist-tag.json';
+        yield fs.writeFile(filePath, '1.0.0');
+        yield config.nfs.upload(filePath, {
+          key: cdnKey,
+        });
+      });
+
+      afterEach(function* () {
+        yield config.nfs.remove(common.getDistTagCDNKey(pkgName, 'latest'));
+      });
+
+      it('should update dist-tag file', function* () {
+        var worker = new SyncModuleWorker({
+          name: pkgName,
+          username: 'fengmk2',
+        });
+        yield worker._saveBackupFiles();
+
+        const cdnKey = common.getDistTagCDNKey(pkgName, 'latest');
+        const filePath = '/tmp/tnpm-dist-tag.json';
+        yield config.nfs.download(cdnKey, filePath);
+        const fileContent = yield fs.readFile(filePath, 'utf8');
+        assert(fileContent === '1.0.1');
+      });
+    });
+
+    describe.skip('package unpublished', () => {
+      it('should sync unpublished info', function* () {
+        var worker = new SyncModuleWorker({
+          name: ['afp'],
+          username: 'fengmk2'
+        });
+
+        worker.start();
+        yield awaitEvent(worker, 'end');
+
+        const cdnKey = common.getUnpublishFileKey('afp');
+        const filePath = '/tmp/unpublish-package.json';
+        yield config.nfs.download(cdnKey, filePath);
+        const fileContent = yield fs.readFile(filePath, 'utf8');
+        assert(fileContent);
+      });
+    });
+  });
+
+  describe('sync from backup files', function () {
+    const pkgName = 'sync-from-backup-files';
+    const publishTime100 = Date.now() - 1000 * 60;
+    const publishTime101 = Date.now();
+
+    afterEach(function* () {
+      try {
+        yield config.nfs.remove(common.getDistTagCDNKey(pkgName, 'latest'));
+        yield config.nfs.remove(common.getDistTagCDNKey(pkgName, 'beta'));
+        yield config.nfs.remove(common.getPackageFileCDNKey(pkgName, '1.0.1'));
+        yield config.nfs.remove(common.getPackageFileCDNKey(pkgName, '1.0.0'));
+      } catch (_) {
+        // ...
+      }
+    });
+
+    beforeEach(function* () {
+      mm(config, 'syncBackupFiles', true);
+
+      const packageFileCDNKey100 = common.getPackageFileCDNKey(pkgName, '1.0.0');
+      const packageFilePath = '/tmp/tnpm-package.json';
+      yield fs.writeFile(packageFilePath, JSON.stringify({
+        name: pkgName,
+        version: '1.0.0',
+        publish_time: publishTime100,
+        description: 'mock desc',
+        maintainers: [],
+        author: {},
+        repository: {},
+        readme: 'mock readme',
+        readmeFilename: 'README.md',
+        homepage: 'mock home page',
+        bugs: {},
+        license: 'MIT',
+      }));
+      yield config.nfs.upload(packageFilePath, {
+        key: packageFileCDNKey100,
+      });
+
+      const packageFileCDNKey101 = common.getPackageFileCDNKey(pkgName, '1.0.1');
+      yield fs.writeFile(packageFilePath, JSON.stringify({
+        name: pkgName,
+        version: '1.0.1',
+        publish_time: publishTime101,
+        description: 'mock desc 101',
+        maintainers: [],
+        author: {},
+        repository: {},
+        readme: 'mock readme 101',
+        readmeFilename: 'README.md',
+        homepage: 'mock home page 101',
+        bugs: {},
+        license: 'MIT',
+      }));
+      yield config.nfs.upload(packageFilePath, {
+        key: packageFileCDNKey101,
+      });
+
+      const distTagCDNKey = common.getDistTagCDNKey(pkgName, 'latest');
+      const distTagFilePath = '/tmp/tnpm-dist-tag.json';
+      yield fs.writeFile(distTagFilePath, '1.0.0');
+      yield config.nfs.upload(distTagFilePath, {
+        key: distTagCDNKey,
+      });
+
+      const distTagCDNKeyBeta = common.getDistTagCDNKey(pkgName, 'beta');
+      yield fs.writeFile(distTagFilePath, '1.0.1');
+      yield config.nfs.upload(distTagFilePath, {
+        key: distTagCDNKeyBeta,
+      });
+    });
+
+    it('should create pkg', function (done) {
+      var worker = new SyncModuleWorker({
+        name: pkgName,
+        username: 'fengmk2',
+        syncFromBackupFile: true,
+      });
+      var syncPkg;
+      mm(worker, '_sync', function* (name, pkg) {
+        syncPkg = pkg;
+        return [ '1.0.0' ];
+      })
+      worker.start();
+      worker.on('end', function () {
+        assert.deepStrictEqual(worker.successes, [
+          pkgName,
+        ]);
+
+        assert.deepStrictEqual(syncPkg, {
+          name: pkgName,
+          'dist-tags': { beta: '1.0.1', latest: '1.0.0' },
+          versions: {
+            '1.0.0': {
+              name: pkgName,
+              version: '1.0.0',
+              publish_time: publishTime100,
+              description: 'mock desc',
+              maintainers: [],
+              author: {},
+              repository: {},
+              readme: 'mock readme',
+              readmeFilename: 'README.md',
+              homepage: 'mock home page',
+              bugs: {},
+              license: 'MIT'
+            },
+            '1.0.1': {
+              name: pkgName,
+              version: '1.0.1',
+              publish_time: publishTime101,
+              description: 'mock desc 101',
+              maintainers: [],
+              author: {},
+              repository: {},
+              readme: 'mock readme 101',
+              readmeFilename: 'README.md',
+              homepage: 'mock home page 101',
+              bugs: {},
+              license: 'MIT'
+            }
+          },
+          time: {
+            modified: new Date(publishTime101),
+            created: new Date(publishTime100),
+            '1.0.0': new Date(publishTime100),
+            '1.0.1': new Date(publishTime101),
+          },
+          description: 'mock desc 101',
+          maintainers: [],
+          author: {},
+          repository: {},
+          readme: 'mock readme 101',
+          readmeFilename: 'README.md',
+          homepage: 'mock home page 101',
+          bugs: {},
+          license: 'MIT'
+        });
+        done();
+      });
+    });
+
+    describe('unpublish', () => {
+      before(function* () {
+        const filePath = '/tmp/unpublish-package.json';
+        const cdnKey = common.getUnpublishFileKey('afp');
+        yield fs.writeFile(filePath, JSON.stringify({
+          name: 'xinglie',
+          time: '2017-02-21T13:10:22.892Z',
+          tags: { latest: '0.0.1' },
+          maintainers:[{
+            name: 'xinglie',
+            email: 'kooboy_li@163.com'
+          }],
+          versions:["0.0.1"]
+        }));
+        yield config.nfs.upload(filePath, {
+          key: cdnKey,
+        });
+      });
+
+      it('should unpublished pkg', function* () {
+        const worker = new SyncModuleWorker({
+          name: ['afp'],
+          username: 'fengmk2',
+          syncFromBackupFile: true,
+        });
+        let unpublishPkg;
+        mm(worker, '_unpublished', function(pkg) {
+          unpublishPkg = pkg;
+          return Promise.resolve();
+        });
+
+        worker.start();
+        yield awaitEvent(worker, 'end');
+
+        assert(unpublishPkg === 'afp');
+      });
+    });
+
+  });
 });
--- a/test/controllers/web/package/search.test.js
+++ b/test/controllers/web/package/search.test.js
@@ -41,8 +41,8 @@ describe('test/controllers/web/package/search.test.js', function () {
      .expect(200)
      .expect({
        keyword: '@cnpmtest/testmodule-web-search',
-        match: { name: '@cnpmtest/testmodule-web-search', description: '' },
-        packages: [ { name: '@cnpmtest/testmodule-web-search', description: '' } ],
+        match: { name: '@cnpmtest/testmodule-web-search', description: 'mk2testmodule version description here' },
+        packages: [ { name: '@cnpmtest/testmodule-web-search', description: 'mk2testmodule version description here' } ],
        keywords: []
      })
      .expect('content-type', 'application/json; charset=utf-8', done);
@@ -52,18 +52,17 @@ describe('test/controllers/web/package/search.test.js', function () {
      request(app)
      .get('/browse/keyword/@cnpmtest/testmodule-web-search?type=json&callback=foo')
      .expect(200)
-      .expect('/**/ typeof foo === \'function\' && foo({"keyword":"@cnpmtest/testmodule-web-search","match":{"name":"@cnpmtest/testmodule-web-search","description":""},"packages":[{"name":"@cnpmtest/testmodule-web-search","description":""}],"keywords":[]});')
+      .expect('/**/ typeof foo === \'function\' && foo({"keyword":"@cnpmtest/testmodule-web-search","match":{"name":"@cnpmtest/testmodule-web-search","description":"mk2testmodule version description here"},"packages":[{"name":"@cnpmtest/testmodule-web-search","description":"mk2testmodule version description here"}],"keywords":[]});')
      .expect('content-type', 'application/javascript; charset=utf-8', done);
    });

    it('should list no match ok', function (done) {
      request(app)
-      .get('/browse/keyword/notexistpackage')
-      .expect(200)
-      .expect(/Can not found package match notexistpackage/, done);
+        .get('/browse/keyword/notexistpackage')
+        .expect(200)
+        .expect(/Can not found package match notexistpackage/, done);
    });

-
    describe('GET /browse/keyword/:word searchlist', function () {

      before(function (done) {
@@ -87,8 +86,8 @@ describe('test/controllers/web/package/search.test.js', function () {
          .expect({
            keyword: '@cnpmtest/testmodule-web-searc',
            match: null,
-            packages: [ { name: '@cnpmtest/testmodule-web-search', description: '' },
-            { name: '@cnpmtest/testmodule-web-search_a', description: '' }],
+            packages: [ { name: '@cnpmtest/testmodule-web-search', description: 'mk2testmodule version description here' },
+            { name: '@cnpmtest/testmodule-web-search_a', description: 'mk2testmodule version description here' }],
            keywords: []
          })
          .expect('content-type', 'application/json; charset=utf-8', done);
@@ -101,7 +100,7 @@ describe('test/controllers/web/package/search.test.js', function () {
          .expect({
            keyword: '@cnpmtest/testmodule-web-searc',
            match: null,
-            packages: [ { name: '@cnpmtest/testmodule-web-search', description: '' }],
+            packages: [ { name: '@cnpmtest/testmodule-web-search', description: 'mk2testmodule version description here' }],
            keywords: []
          })
          .expect('content-type', 'application/json; charset=utf-8', done);
--- a/test/controllers/web/package/show.test.js
+++ b/test/controllers/web/package/show.test.js
@@ -1,11 +1,13 @@
 'use strict';

 var should = require('should');
+var assert = require('assert');
 var request = require('supertest');
 var mm = require('mm');
 var config = require('../../../../config');
 var app = require('../../../../servers/web');
 var registry = require('../../../../servers/registry');
+var blocklistService = require('../../../../services/blocklist');
 var utils = require('../../../utils');

 describe('test/controllers/web/package/show.test.js', () => {
@@ -55,6 +57,41 @@ describe('test/controllers/web/package/show.test.js', () => {
      });
    });

+    it('should get block package', function* () {
+      var pkg = utils.getPackage('@cnpmtest/testmodule-web-show-block', '0.0.1', utils.admin);
+      pkg.versions['0.0.1'].dependencies = {
+        bytetest: '~0.0.1',
+        mocha: '~1.0.0',
+        'testmodule-web-show': '0.0.1'
+      };
+      yield request(registry)
+        .put('/' + pkg.name)
+        .set('authorization', utils.adminAuth)
+        .send(pkg)
+        .expect(201);
+      
+      yield blocklistService.blockPackageVersion('@cnpmtest/testmodule-web-show-block', '0.0.1', 'unittest');
+      let res = yield request(app)
+        .get('/package/@cnpmtest/testmodule-web-show-block')
+        .expect(451)
+        .expect('content-type', 'text/plain; charset=utf-8');
+      assert(res.text === '[block] package@0.0.1 was blocked, reason: unittest');
+
+      yield blocklistService.blockPackageVersion('@cnpmtest/testmodule-web-show-block', '0.0.1', 'unittest');
+      res = yield request(app)
+        .get('/package/@cnpmtest/testmodule-web-show-block/0.0.1')
+        .expect(451)
+        .expect('content-type', 'text/plain; charset=utf-8');
+      assert(res.text === '[block] package@0.0.1 was blocked, reason: unittest');
+
+      yield blocklistService.blockPackageVersion('@cnpmtest/testmodule-web-show-block', '*', 'block all');
+      res = yield request(app)
+        .get('/package/@cnpmtest/testmodule-web-show-block')
+        .expect(451)
+        .expect('content-type', 'text/plain; charset=utf-8');
+      assert(res.text === '[block] package@0.0.1 was blocked, reason: block all');
+    });
+
    it('should get scoped package', function (done) {
      request(app)
      .get('/package/@cnpmtest/testmodule-web-show')
@@ -76,6 +113,36 @@ describe('test/controllers/web/package/show.test.js', () => {
      .get('/package/@cnpmtest/not-exist-module')
      .expect(404, done);
    });
+
+    it('should get 404 show sync button on scoped package', done => {
+      mm(config, 'syncModel', 'all');
+      request(app)
+        .get('/package/@cnpmtest/testmodule-repo-short-https-404')
+        .expect(404)
+        .expect('content-type', 'text/html; charset=utf-8')
+        .expect(/>SYNC<\/a> from official npm registry/)
+        .expect(/Can not found package match @cnpmtest\/testmodule-repo-short-https-404/, done);
+    });
+
+    it('should get 404 show sync button on scoped package with encode url', done => {
+      mm(config, 'syncModel', 'all');
+      request(app)
+        .get('/package/%40foo%2Fawdawda')
+        .expect(404)
+        .expect('content-type', 'text/html; charset=utf-8')
+        .expect(/>SYNC<\/a> from official npm registry/)
+        .expect(/Can not found package match @foo\/awdawda/, done);
+    });
+
+    it('should get 404 show sync button on non-scoped package', done => {
+      mm(config, 'syncModel', 'all');
+      request(app)
+        .get('/package/testmodule-repo-short-https-404')
+        .expect(404)
+        .expect('content-type', 'text/html; charset=utf-8')
+        .expect(/>SYNC<\/a> from official npm registry/)
+        .expect(/Can not found package match testmodule-repo-short-https-404/, done);
+    });
  });

  describe('GET /package/:name/:version', function () {
--- a/test/controllers/web/user/show.test.js
+++ b/test/controllers/web/user/show.test.js
@@ -81,6 +81,8 @@ describe('controllers/web/user/show.test.js', function () {

          // he.enclde('fengmk2@gmail.com') ↓
          assert(res.text.includes('&#x66;&#x65;&#x6E;&#x67;&#x6D;&#x6B;&#x32;&#x40;&#x67;&#x6D;&#x61;&#x69;&#x6C;&#x2E;&#x63;&#x6F;&#x6D;'));
+          assert(res.headers['x-custom-web-middleware'] === 'true');
+          assert(res.headers['x-custom-web-app-models'] === 'true');
          done()
        });
    });
--- a/test/fixtures/package_and_tgz.json
+++ b/test/fixtures/package_and_tgz.json
@@ -1 +1,53 @@
-{"_id":"mk2testmodule","name":"mk2testmodule","description":"","dist-tags":{"latest":"0.0.1"},"versions":{"0.0.1":{"name":"mk2testmodule","version":"0.0.1","description":"","main":"index.js","scripts":{"test":"echo \"Error: no test specified\" && exit 1"},"author":"","license":"ISC","readme":"ERROR: No README data found!","_id":"mk2testmodule@0.0.1","dist":{"shasum":"fa475605f88bab9b1127833633ca3ae0a477224c","tarball":"http://127.0.0.1:7001/mk2testmodule/-/mk2testmodule-0.0.1.tgz"},"_from":".","_npmVersion":"1.4.3","_npmUser":{"name":"fengmk2","email":"fengmk2@gmail.com"},"maintainers":[{"name":"fengmk2","email":"fengmk2@gmail.com"}]}},"readme":"ERROR: No README data found!","maintainers":[{"name":"fengmk2","email":"fengmk2@gmail.com"}],"_attachments":{"mk2testmodule-0.0.1.tgz":{"content_type":"application/octet-stream","data":"H4sIAAAAAAAAA+2SsWrDMBCGPfspDg2ZinOyEgeylg6Zu2YR8rVRHEtGkkOg5N0jWaFdujVQAv6W4/7/dHcSGqTq5Ccthxyro7emeDCI2KxWkOKmaaaIdc4TouZQ8FqgwI3AdVMgF8ijho9e5DdGH6SLq/y1T74LfMcn4asEYEb2xLbA+q4O5ENv2/FE7CVZZ3JeW5NcrLDiWW3JK6eHcHey2Es9Zdq0dIkfKau50EcjjYpCmpDKSB0s7Nmbc9ZtwVhIBviBlP7Q1O4ZLBZAFx2As3jyOnWTYzhY9zPzpBUZPy2/e39l5bX87wedmZmZeRJuheTX2wAIAAA=","length":251}}}
+{
+  "_id": "mk2testmodule",
+  "name": "mk2testmodule",
+  "description": "mk2testmodule description here",
+  "dist-tags": {
+    "latest": "0.0.1"
+  },
+  "versions": {
+    "0.0.1": {
+      "name": "mk2testmodule",
+      "version": "0.0.1",
+      "description": "mk2testmodule version description here",
+      "main": "index.js",
+      "scripts": {
+        "test": "echo \"Error: no test specified\" && exit 1"
+      },
+      "author": "",
+      "license": "ISC",
+      "readme": "ERROR: No README data found!",
+      "_id": "mk2testmodule@0.0.1",
+      "dist": {
+        "shasum": "fa475605f88bab9b1127833633ca3ae0a477224c",
+        "tarball": "http://127.0.0.1:7001/mk2testmodule/-/mk2testmodule-0.0.1.tgz"
+      },
+      "_from": ".",
+      "_npmVersion": "1.4.3",
+      "_npmUser": {
+        "name": "fengmk2",
+        "email": "fengmk2@gmail.com"
+      },
+      "maintainers": [
+        {
+          "name": "fengmk2",
+          "email": "fengmk2@gmail.com"
+        }
+      ]
+    }
+  },
+  "readme": "ERROR: No README data found!",
+  "maintainers": [
+    {
+      "name": "fengmk2",
+      "email": "fengmk2@gmail.com"
+    }
+  ],
+  "_attachments": {
+    "mk2testmodule-0.0.1.tgz": {
+      "content_type": "application/octet-stream",
+      "data": "H4sIAAAAAAAAA+2SsWrDMBCGPfspDg2ZinOyEgeylg6Zu2YR8rVRHEtGkkOg5N0jWaFdujVQAv6W4/7/dHcSGqTq5Ccthxyro7emeDCI2KxWkOKmaaaIdc4TouZQ8FqgwI3AdVMgF8ijho9e5DdGH6SLq/y1T74LfMcn4asEYEb2xLbA+q4O5ENv2/FE7CVZZ3JeW5NcrLDiWW3JK6eHcHey2Es9Zdq0dIkfKau50EcjjYpCmpDKSB0s7Nmbc9ZtwVhIBviBlP7Q1O4ZLBZAFx2As3jyOnWTYzhY9zPzpBUZPy2/e39l5bX87wedmZmZeRJuheTX2wAIAAA=",
+      "length": 251
+    }
+  }
+}
--- a/test/fixtures/package_and_tgz_by_token.json
+++ b/test/fixtures/package_and_tgz_by_token.json
@@ -0,0 +1 @@
+{"_id":"mk2testmodule","name":"mk2testmodule","description":"","dist-tags":{"latest":"0.0.1"},"versions":{"0.0.1":{"name":"mk2testmodule","version":"0.0.1","description":"","main":"index.js","scripts":{"test":"echo \"Error: no test specified\" && exit 1"},"author":"","license":"ISC","readme":"ERROR: No README data found!","_id":"mk2testmodule@0.0.1","dist":{"shasum":"fa475605f88bab9b1127833633ca3ae0a477224c","tarball":"http://127.0.0.1:7001/mk2testmodule/-/mk2testmodule-0.0.1.tgz"},"_from":".","_npmVersion":"1.4.3","_npmUser":{"name":"fengmk2","email":"fengmk2@gmail.com"}}},"readme":"ERROR: No README data found!","_attachments":{"mk2testmodule-0.0.1.tgz":{"content_type":"application/octet-stream","data":"H4sIAAAAAAAAA+2SsWrDMBCGPfspDg2ZinOyEgeylg6Zu2YR8rVRHEtGkkOg5N0jWaFdujVQAv6W4/7/dHcSGqTq5Ccthxyro7emeDCI2KxWkOKmaaaIdc4TouZQ8FqgwI3AdVMgF8ijho9e5DdGH6SLq/y1T74LfMcn4asEYEb2xLbA+q4O5ENv2/FE7CVZZ3JeW5NcrLDiWW3JK6eHcHey2Es9Zdq0dIkfKau50EcjjYpCmpDKSB0s7Nmbc9ZtwVhIBviBlP7Q1O4ZLBZAFx2As3jyOnWTYzhY9zPzpBUZPy2/e39l5bX87wedmZmZeRJuheTX2wAIAAA=","length":251}}}
--- a/test/fixtures/scope-package/Makefile
+++ b/test/fixtures/scope-package/Makefile
@@ -4,7 +4,7 @@ TIMEOUT = 1000
 MOCHA_OPTS =

 install:
-	@npm install --registry=https://registry.npm.taobao.org --disturl=https://npm.taobao.org/dist
+	@npm install --registry=https://registry.npmmirror.com --disturl=https://npmmirror.com/dist

 jshint: install
 	@./node_modules/.bin/jshint .
--- a/test/lib/common.test.js
+++ b/test/lib/common.test.js
@@ -11,28 +11,50 @@

 'use strict';

+const { co } = require('co');
+const mm = require('mm');
+const config = require('../../config');
+const createModule = require('../utils').createModule;
+const packageService = require('../../services/package');
 /**
 * Module dependencies.
 */

 var common = require('../../lib/common');

-describe('test/lib/common.test.js', function () {
-  describe('isAdmin()', function () {
-    it('should admin is admin', function () {
-      common.isAdmin('admin').should.equal(true);
-      common.isAdmin('fengmk2').should.equal(true);
-      common.isAdmin('constructor').should.equal(false);
-      common.isAdmin('toString').should.equal(false);
+describe("test/lib/common.test.js", function () {
+  describe("isAdmin()", function () {
+    it("should admin is admin", function () {
+      common.isAdmin("admin").should.equal(true);
+      common.isAdmin("fengmk2").should.equal(true);
+      common.isAdmin("constructor").should.equal(false);
+      common.isAdmin("toString").should.equal(false);
    });
  });

-  describe('getCDNKey()', function () {
-    it('should auto fix scope filename', function () {
-      common.getCDNKey('foo', 'foo-1.0.0.tgz').should.equal('/foo/-/foo-1.0.0.tgz');
-      common.getCDNKey('@bar/foo', 'foo-1.0.0.tgz').should.equal('/@bar/foo/-/@bar/foo-1.0.0.tgz');
-      common.getCDNKey('@bar/foo', '@bar/foo-1.0.0.tgz').should.equal('/@bar/foo/-/@bar/foo-1.0.0.tgz');
-      common.getCDNKey('@bar/foo', '@bar1/foo-1.0.0.tgz').should.equal('/@bar/foo/-/@bar1/foo-1.0.0.tgz');
+  describe("getCDNKey()", function () {
+    it("should auto fix scope filename", function () {
+      common
+        .getCDNKey("foo", "foo-1.0.0.tgz")
+        .should.equal("/foo/-/foo-1.0.0.tgz");
+      common
+        .getCDNKey("@bar/foo", "foo-1.0.0.tgz")
+        .should.equal("/@bar/foo/-/@bar/foo-1.0.0.tgz");
+      common
+        .getCDNKey("@bar/foo", "@bar/foo-1.0.0.tgz")
+        .should.equal("/@bar/foo/-/@bar/foo-1.0.0.tgz");
+      common
+        .getCDNKey("@bar/foo", "@bar1/foo-1.0.0.tgz")
+        .should.equal("/@bar/foo/-/@bar1/foo-1.0.0.tgz");
+    });
+  });
+
+  describe("isLocalModule", function () {
+    it("should ignore private packages", function * () {
+      yield createModule("banana", "1.0.0");
+      const modules = yield packageService.listModulesByName('banana');
+      mm(config, "privatePackages", ["banana"]);
+      common.isLocalModule(modules).should.equal(true);
    });
  });
 });
--- a/test/middleware/auth.test.js
+++ b/test/middleware/auth.test.js
@@ -5,11 +5,12 @@ var app = require('../../servers/registry');
 var mm = require('mm');
 var config = require('../../config');
 var userService = require('../../services/user');
+var tokenService = require('../../services/token');

 describe('test/middleware/auth.test.js', function () {
  afterEach(mm.restore);

-  describe('auth()', function () {
+  describe('basic auth', function () {
    it('should pass if no authorization', function (done) {
      request(app)
      .get('/-/user/org.couchdb.user:cnpmjstest10')
@@ -63,6 +64,25 @@ describe('test/middleware/auth.test.js', function () {
    });
  });

+  describe('bearer auth', function () {
+    var token;
+
+    beforeEach(function* () {
+      token = yield tokenService.createToken('cnpmjstest10');
+    });
+
+    afterEach(function* () {
+      yield tokenService.deleteToken('cnpmjstest10', token.token);
+    });
+
+    it('should ok', function (done) {
+      request(app)
+        .get('/-/user/org.couchdb.user:cnpmjstest10')
+        .set('authorization', 'Bearer ' + token.token)
+        .expect(200, done);
+    });
+  });
+
  describe('config.alwaysAuth = true', function () {
    beforeEach(function () {
      mm(config, 'alwaysAuth', true);
--- a/test/mocks/package/koa/default.js
+++ b/test/mocks/package/koa/default.js
@@ -5,7 +5,7 @@ module.exports = {
    name: 'koa',
    version: '0.13.0',
    description: 'description: Koa web app framework',
-    registryUrl: 'https://registry.npm.taobao.org/koa',
+    registryUrl: 'https://registry.npmmirror.com/koa',
    engines: {
      node: {
        version: '>= 0.11.13',
--- a/test/models/token.test.js
+++ b/test/models/token.test.js
@@ -0,0 +1,65 @@
+'use strict';
+
+var mm = require('mm');
+var should = require('should');
+var uuid = require('uuid');
+var sequelize = require('../../models').sequelize;
+var Token = require('../../models').Token;
+var TestUtil = require('../utils');
+
+describe('models/token.test.js', function () {
+  afterEach(mm.restore);
+
+  describe('deleteByKeyOrToken', function () {
+    var token1;
+    var token2;
+
+    beforeEach(function *() {
+      var token1Str = 'mock_token1_' + uuid.v4();
+      var token2Str= 'mock_token2_' + uuid.v4();
+
+      token1 = yield Token.add({
+        token: token1Str,
+        userId: TestUtil.admin,
+        readonly: false,
+        key: '1_token_1' + token1Str,
+        cidrWhitelist: [],
+      });
+
+      token2 = yield Token.add({
+        token: token2Str,
+        userId: TestUtil.admin,
+        readonly: false,
+        key: '1_token_2' + token2Str,
+        cidrWhitelist: [],
+      });
+    });
+
+    describe('delete by key', function () {
+      it('should work', function* () {
+        yield Token.deleteByKeyOrToken(TestUtil.admin, '1_token_1');
+        var tokenRow = yield Token.findByToken(token1.token);
+        should.not.exist(tokenRow);
+      });
+
+      describe('key is ambiguous', function () {
+        it('should not delete token', function* () {
+          var error;
+          try {
+            yield Token.deleteByKeyOrToken(TestUtil.admin, '1_token_');
+          } catch (e) {
+            error = e;
+          }
+          should.exist(error);
+          error.message.should.match(/Token ID ".+" was ambiguous/);
+
+          var token1Row = yield Token.findByToken(token1.token);
+          should.exist(token1Row);
+
+          var token2Row = yield Token.findByToken(token2.token);
+          should.exist(token2Row);
+        });
+      });
+    });
+  });
+});
--- a/test/services/blocklist.test.js
+++ b/test/services/blocklist.test.js
@@ -0,0 +1,28 @@
+'use strict';
+
+const assert = require('assert');
+const blocklist = require('../../services/blocklist');
+
+describe('test/services/blocklist.test.js', () => {
+  describe('blockPackageVersion()', () => {
+    it('should block one package version ', function* () {
+      yield blocklist.blockPackageVersion('test-block-name-other', '1.0.0', 'only for test');
+
+      yield blocklist.blockPackageVersion('test-block-name', '1.0.0', 'only for test');
+      const blocks1 = yield blocklist.findBlockPackageVersions('test-block-name');
+      assert(Object.keys(blocks1).length === 1);
+      assert(blocks1['1.0.0'].reason === 'only for test');
+      // block again
+      yield blocklist.blockPackageVersion('test-block-name', '1.0.0', 'only for test new');
+      const blocks2 = yield blocklist.findBlockPackageVersions('test-block-name');
+      assert(Object.keys(blocks2).length === 1);
+      assert(blocks2['1.0.0'].reason === 'only for test new');
+
+      // block all versions
+      yield blocklist.blockPackageVersion('test-block-name', '*', 'only for test all');
+      const blocks3 = yield blocklist.findBlockPackageVersions('test-block-name');
+      assert(Object.keys(blocks3).length === 2);
+      assert(blocks3['*'].reason === 'only for test all');
+    });
+  });
+});
--- a/test/services/common.test.js
+++ b/test/services/common.test.js
@@ -1,19 +1,5 @@
-/**!
- * cnpmjs.org - test/services/common.test.js
- *
- * Copyright(c) fengmk2 and other contributors.
- * MIT Licensed
- *
- * Authors:
- *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.github.com)
- */
-
 'use strict';

-/**
- * Module dependencies.
- */
-
 var mm = require('mm');
 var config = require('../../config');
 var common = require('../../services/common');
--- a/test/services/default_user_service.test.js
+++ b/test/services/default_user_service.test.js
@@ -1,17 +1,5 @@
-/**
- * Copyright(c) cnpm and other contributors.
- * MIT Licensed
- *
- * Authors:
- *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.com)
- */
-
 'use strict';

-/**
- * Module dependencies.
- */
-
 var should = require('should');
 var mm = require('mm');
 var User = require('../../models').User;
@@ -89,7 +77,7 @@ describe('services/default_user_service.test.js', function () {
      });
    });

-    it('should get a npm sync user by login name', function* () {
+    it.skip('should get a npm sync user by login name', function* () {
      var user = yield userService.get('fengmk2');
      should.exist(user);
      user.should.eql({
@@ -113,7 +101,7 @@ describe('services/default_user_service.test.js', function () {
  describe('list()', function () {
    it('should return all exists users', function* () {
      var users = yield userService.list(['cnpmjstest10', 'fengmk2', 'cnpmjstest101']);
-      users.should.length(3);
+      users.should.length(2);
    });

    it('should return some exists users', function* () {
--- a/test/services/package.test.js
+++ b/test/services/package.test.js
@@ -1,59 +1,22 @@
-/**!
- * cnpmjs.org - test/services/package.test.js
- *
- * Copyright(c) fengmk2 and other contributors.
- * MIT Licensed
- *
- * Authors:
- *   fengmk2 <fengmk2@gmail.com> (http://fengmk2.com)
- */
-
 'use strict';

-/**
- * Module dependencies.
- */
-
 var should = require('should');
 var sleep = require('co-sleep');
 var Package = require('../../services/package');
 var utils = require('../utils');
+var common = require('../../services/common');
+var config = require('../../config');
+var mm = require('mm');

 describe('test/services/package.test.js', function () {
-  function* createModule(name, version, user, tag) {
-    var sourcePackage = {
-      version: version,
-      name: name,
-      publish_time: Date.now(),
-    };
-    var mod = {
-      version: sourcePackage.version,
-      name: sourcePackage.name,
-      package: sourcePackage,
-      author: user || 'unittest',
-      publish_time: sourcePackage.publish_time,
-    };
-    var dist = {
-      tarball: 'http://registry.npmjs.org/' + name + '/-/' + name + '-' + version + '.tgz',
-      shasum: '9d7bc446e77963933301dd602d5731cb861135e0',
-      size: 100,
-    };
-    mod.package.dist = dist;
-    yield Package.saveModule(mod);
-    yield Package.saveModuleAbbreviated(mod);
-    // add tag
-    yield Package.addModuleTag(name, tag || 'latest', version);
-    return yield Package.getModule(mod.name, mod.version);
-  }
-
  describe('addModuleTag()', function () {
    it('should add latest tag to 1.0.0', function* () {
-      var r = yield createModule('test-addModuleTag-module-name', '1.0.0');
+      var r = yield utils.createModule('test-addModuleTag-module-name', '1.0.0');
      var tag = yield Package.addModuleTag(r.name, 'latest', r.version);
      should.exist(tag);
      tag.id.should.above(0);

-      r = yield createModule('test-addModuleTag-module-name', '1.1.0');
+      r = yield utils.createModule('test-addModuleTag-module-name', '1.1.0');
      var tag2 = yield Package.addModuleTag(r.name, 'latest', r.version);
      should.exist(tag2);
      tag.id.should.equal(tag2.id);
@@ -70,7 +33,7 @@ describe('test/services/package.test.js', function () {

  describe('getModuleByTag()', function () {
    it('should get latest module', function* () {
-      var r = yield createModule('test-getModuleByTag-module-name', '1.0.0');
+      var r = yield utils.createModule('test-getModuleByTag-module-name', '1.0.0');
      var tag = yield Package.addModuleTag(r.name, 'latest', r.version);
      should.exist(tag);

@@ -106,9 +69,9 @@ describe('test/services/package.test.js', function () {

  describe('listPublicModuleNamesByUser(), listPublicModulesByUser()', function () {
    before(function* () {
-      yield createModule('listPublicModuleNamesByUser-module0', '1.0.0', 'listPublicModuleNamesByUser-user');
-      yield createModule('listPublicModuleNamesByUser-module1', '1.0.0', 'listPublicModuleNamesByUser-user');
-      yield createModule('listPublicModuleNamesByUser-module2', '1.0.0', 'listPublicModuleNamesByUser-user');
+      yield utils.createModule('listPublicModuleNamesByUser-module0', '1.0.0', 'listPublicModuleNamesByUser-user');
+      yield utils.createModule('listPublicModuleNamesByUser-module1', '1.0.0', 'listPublicModuleNamesByUser-user');
+      yield utils.createModule('listPublicModuleNamesByUser-module2', '1.0.0', 'listPublicModuleNamesByUser-user');
    });

    it('should got all public module names', function* () {
@@ -143,8 +106,8 @@ describe('test/services/package.test.js', function () {
    });

    it('should return all version modules', function* () {
-      yield createModule('test-listModulesByName-module-1', '1.0.0');
-      yield createModule('test-listModulesByName-module-1', '2.0.0');
+      yield utils.createModule('test-listModulesByName-module-1', '1.0.0');
+      yield utils.createModule('test-listModulesByName-module-1', '2.0.0');
      var modules = yield Package.listModulesByName('test-listModulesByName-module-1');
      modules.should.length(2);
      modules.forEach(function (mod) {
@@ -161,22 +124,87 @@ describe('test/services/package.test.js', function () {
    });

    it('should work', function* () {
-      yield createModule('@cnpm-test/test-listPrivateModules-module-1', '1.0.0');
-      yield createModule('@cnpm-test/test-listPrivateModules-module-2', '1.0.0');
+      yield utils.createModule('@cnpm-test/test-listPrivateModules-module-1', '1.0.0');
+      yield utils.createModule('@cnpm-test/test-listPrivateModules-module-2', '1.0.0');
      var modules = yield Package.listPrivateModulesByScope('@cnpm-test');
      modules.should.length(2);
      modules[0].name.should.containEql('@cnpm-test/test-listPrivateModules-module-');
    });
  });

+  describe('listModelSince()', function () {
+    it('list tags since', function* () {
+      mm(config, 'changesDelay', 0);
+      yield utils.createModule('test-listModuleSince-module-0', '1.0.0');
+      yield sleep(2100);
+      var start = Date.now() - 1000;
+      yield utils.createModule('test-listModuleSince-module-1', '1.0.0');
+      yield utils.createModule('test-listModuleSince-module-1', '1.0.1', null, 'beta');
+      yield utils.createModule('test-listModuleSince-module-2', '1.0.0');
+      var tags = yield Package.listTagSince(start);
+
+      var modules = tags.map(function (item) {
+        return { name: item.id, tag: item.changes[0].tag };
+      });
+
+      modules
+        .should.eql([
+          { name: "test-listModuleSince-module-1", tag: "latest" },
+          { name: "test-listModuleSince-module-1", tag: "beta" },
+          { name: "test-listModuleSince-module-2", tag: "latest" },
+        ]);
+
+      tags = yield Package.listTagSince(start, 2);
+      modules = tags.map(function (item) {
+        return { name: item.id, tag: item.changes[0].tag};
+      });
+      modules
+        .should.eql([
+          { name: "test-listModuleSince-module-1", tag: "latest" },
+          { name: "test-listModuleSince-module-1", tag: "beta" },
+        ]);
+    });
+    it('list package version since', function* () {
+      mm(config, 'changesDelay', 0);
+      yield utils.createModule('test-listModuleSince-module-0', '1.0.0');
+      yield sleep(2100);
+      var start = Date.now() - 1000;
+      yield utils.createModule('test-listModuleSince-module-1', '1.0.0');
+      yield utils.createModule('test-listModuleSince-module-1', '1.0.1', null, 'beta');
+      yield utils.createModule('test-listModuleSince-module-2', '1.0.0');
+      var tags = yield Package.listVersionSince(start);
+
+      var modules = tags.map(function (item) {
+        return { name: item.id, version: item.changes[0].version };
+      });
+
+      modules
+        .should.eql([
+          { name: "test-listModuleSince-module-1", version: "1.0.0" },
+          { name: "test-listModuleSince-module-1", version: "1.0.1" },
+          { name: "test-listModuleSince-module-2", version: "1.0.0" },
+        ]);
+
+      tags = yield Package.listVersionSince(start, 2);
+      modules = tags.map(function (item) {
+        return { name: item.id, version: item.changes[0].version};
+      });
+      modules
+        .should.eql([
+          { name: "test-listModuleSince-module-1", version: "1.0.0" },
+          { name: "test-listModuleSince-module-1", version: "1.0.1" },
+        ]);
+    });
+  });
+
  describe('listPublicModuleNamesSince(), listAllPublicModuleNames()', function () {
    it('should got those module names', function* () {
-      yield createModule('test-listPublicModuleNamesSince-module-0', '1.0.0');
+      yield utils.createModule('test-listPublicModuleNamesSince-module-0', '1.0.0');
      yield sleep(1100);
      var start = Date.now() - 1000;
-      yield createModule('test-listPublicModuleNamesSince-module-1', '1.0.0');
-      yield createModule('test-listPublicModuleNamesSince-module-1', '1.0.1', null, 'beta');
-      yield createModule('test-listPublicModuleNamesSince-module-2', '1.0.0');
+      yield utils.createModule('test-listPublicModuleNamesSince-module-1', '1.0.0');
+      yield utils.createModule('test-listPublicModuleNamesSince-module-1', '1.0.1', null, 'beta');
+      yield utils.createModule('test-listPublicModuleNamesSince-module-2', '1.0.0');
      var names = yield Package.listPublicModuleNamesSince(start);
      names.should.length(2);
      names.should.eql(['test-listPublicModuleNamesSince-module-1', 'test-listPublicModuleNamesSince-module-2']);
@@ -184,14 +212,14 @@ describe('test/services/package.test.js', function () {
      var alls = yield Package.listAllPublicModuleNames();
      alls.length.should.above(0);
      alls.forEach(function (name) {
-        name.should.not.containEql('@');
+        common.isPrivatePackage(name).should.equal(false);
      });
    });
  });

  describe('getModuleLastModified()', function () {
    it('should get a datetime', function* () {
-      yield createModule('test-getModuleLastModified-module-0', '1.0.0');
+      yield utils.createModule('test-getModuleLastModified-module-0', '1.0.0');
      var t = yield Package.getModuleLastModified('test-getModuleLastModified-module-0');
      t.should.be.a.Date();
    });
@@ -204,9 +232,9 @@ describe('test/services/package.test.js', function () {

  describe('removeModulesByName()', function () {
    it('should remove all', function* () {
-      yield createModule('test-removeModulesByName-module-1', '1.0.0');
-      yield createModule('test-removeModulesByName-module-1', '1.0.1', null, 'beta');
-      yield createModule('test-removeModulesByName-module-1', '2.0.0');
+      yield utils.createModule('test-removeModulesByName-module-1', '1.0.0');
+      yield utils.createModule('test-removeModulesByName-module-1', '1.0.1', null, 'beta');
+      yield utils.createModule('test-removeModulesByName-module-1', '2.0.0');

      var mods = yield Package.listModulesByName('test-removeModulesByName-module-1');
      mods.should.length(3);
@@ -218,10 +246,10 @@ describe('test/services/package.test.js', function () {

  describe('removeModulesByNameAndVersions()', function () {
    it('should remove some versions', function* () {
-      yield createModule('test-removeModulesByNameAndVersions-module-1', '0.0.0');
-      yield createModule('test-removeModulesByNameAndVersions-module-1', '1.0.0');
-      yield createModule('test-removeModulesByNameAndVersions-module-1', '1.0.1', null, 'beta');
-      yield createModule('test-removeModulesByNameAndVersions-module-1', '2.0.0');
+      yield utils.createModule('test-removeModulesByNameAndVersions-module-1', '0.0.0');
+      yield utils.createModule('test-removeModulesByNameAndVersions-module-1', '1.0.0');
+      yield utils.createModule('test-removeModulesByNameAndVersions-module-1', '1.0.1', null, 'beta');
+      yield utils.createModule('test-removeModulesByNameAndVersions-module-1', '2.0.0');

      var mods = yield Package.listModulesByName('test-removeModulesByNameAndVersions-module-1');
      mods.should.length(4);
@@ -245,11 +273,11 @@ describe('test/services/package.test.js', function () {

  describe('removeModuleTags()', function () {
    it('should remove all tags by name', function* () {
-      var r2 = yield createModule('test-removeModuleTagsByName2-module-name', '1.0.0');
+      var r2 = yield utils.createModule('test-removeModuleTagsByName2-module-name', '1.0.0');
      var tag = yield Package.addModuleTag(r2.name, 'latest', r2.version);
      should.exist(tag);

-      var r = yield createModule('test-removeModuleTagsByName-module-name', '1.0.0');
+      var r = yield utils.createModule('test-removeModuleTagsByName-module-name', '1.0.0');
      var tag = yield Package.addModuleTag(r.name, 'latest', r.version);
      should.exist(tag);
      var tag = yield Package.addModuleTag(r.name, 'beta', r.version);
@@ -268,7 +296,7 @@ describe('test/services/package.test.js', function () {

  describe('removeModuleTagsByIds()', function () {
    it('should remove tags by ids', function* () {
-      var r = yield createModule('test-removeModuleTagsByIds-module-name', '1.0.0');
+      var r = yield utils.createModule('test-removeModuleTagsByIds-module-name', '1.0.0');
      var tag1 = yield Package.addModuleTag(r.name, 'latest', r.version);
      should.exist(tag1);
      var tag2 = yield Package.addModuleTag(r.name, 'beta', r.version);
@@ -291,7 +319,7 @@ describe('test/services/package.test.js', function () {

  describe('removeModuleTagsByNames()', function () {
    it('should remove some tags', function* () {
-      var r = yield createModule('test-removeModuleTagsByNames-module-name', '1.0.0');
+      var r = yield utils.createModule('test-removeModuleTagsByNames-module-name', '1.0.0');
      var tag1 = yield Package.addModuleTag(r.name, 'latest', r.version);
      should.exist(tag1);
      var tag2 = yield Package.addModuleTag(r.name, 'beta', r.version);
@@ -340,17 +368,17 @@ describe('test/services/package.test.js', function () {

  describe('getModuleByRange()', function() {
    it('should get undefined when not match semver range', function* () {
-      yield createModule('test-getModuleByRange-module-0', '1.0.0');
-      yield createModule('test-getModuleByRange-module-0', '1.1.0');
-      yield createModule('test-getModuleByRange-module-0', '2.0.0');
+      yield utils.createModule('test-getModuleByRange-module-0', '1.0.0');
+      yield utils.createModule('test-getModuleByRange-module-0', '1.1.0');
+      yield utils.createModule('test-getModuleByRange-module-0', '2.0.0');
      var mod = yield Package.getModuleByRange('test-getModuleByRange-module-0', '~2.1.0');
      should.not.exist(mod);
    });

    it('should get package with semver range', function* () {
-      yield createModule('test-getModuleByRange-module-1', '1.0.0');
-      yield createModule('test-getModuleByRange-module-1', '1.1.0');
-      yield createModule('test-getModuleByRange-module-1', '2.0.0');
+      yield utils.createModule('test-getModuleByRange-module-1', '1.0.0');
+      yield utils.createModule('test-getModuleByRange-module-1', '1.1.0');
+      yield utils.createModule('test-getModuleByRange-module-1', '2.0.0');
      var mod = yield Package.getModuleByRange('test-getModuleByRange-module-1', '1');
      mod.package.name.should.equal(mod.name);
      mod.name.should.equal('test-getModuleByRange-module-1');
@@ -358,9 +386,9 @@ describe('test/services/package.test.js', function () {
    });

    it('should get package with semver range when have invalid version', function* () {
-      yield createModule('test-getModuleByRange-module-2', '1.0.0');
-      yield createModule('test-getModuleByRange-module-2', '1.1.0');
-      yield createModule('test-getModuleByRange-module-2', 'next');
+      yield utils.createModule('test-getModuleByRange-module-2', '1.0.0');
+      yield utils.createModule('test-getModuleByRange-module-2', '1.1.0');
+      yield utils.createModule('test-getModuleByRange-module-2', 'next');
      var mod = yield Package.getModuleByRange('test-getModuleByRange-module-2', '1');
      mod.package.name.should.equal(mod.name);
      mod.name.should.equal('test-getModuleByRange-module-2');
@@ -412,7 +440,7 @@ describe('test/services/package.test.js', function () {
    });

    it('should return updated module instance', function* () {
-      var r = yield createModule('test-updateModulePackageFields-name', '1.0.0');
+      var r = yield utils.createModule('test-updateModulePackageFields-name', '1.0.0');
      should.exist(r);
      var r1 = yield Package.updateModulePackageFields(r.id, {foo: 'update for field'});
      r1.id.should.equal(r.id);
@@ -428,7 +456,7 @@ describe('test/services/package.test.js', function () {
    });

    it('should return updated module instance', function* () {
-      var r = yield createModule('test-updateModuleReadme-name', '1.0.0');
+      var r = yield utils.createModule('test-updateModuleReadme-name', '1.0.0');
      should.exist(r);
      var r1 = yield Package.updateModuleReadme(r.id, 'test updateModuleReadme');
      r1.id.should.equal(r.id);
@@ -444,7 +472,7 @@ describe('test/services/package.test.js', function () {
    });

    it('should return updated module instance', function* () {
-      var r = yield createModule('test-updateModuleDescription-name', '1.0.0');
+      var r = yield utils.createModule('test-updateModuleDescription-name', '1.0.0');
      should.exist(r);
      var r1 = yield Package.updateModuleDescription(r.id, 'test updateModuleDescription');
      r1.id.should.equal(r.id);
@@ -461,7 +489,7 @@ describe('test/services/package.test.js', function () {
    });

    it('should return the update module when update lastTime exists', function* () {
-      var r1 = yield createModule('test-update-module-last-modified-package-name', '1.0.0');
+      var r1 = yield utils.createModule('test-update-module-last-modified-package-name', '1.0.0');
      yield sleep(1100);
      yield Package.updateModuleLastModified(r1.name);
      var r2 = yield Package.getModule(r1.name, r1.version);
--- a/test/services/token.test.js
+++ b/test/services/token.test.js
@@ -0,0 +1,177 @@
+'use strict';
+
+var should = require('should');
+var TokenService = require('../../services/token');
+var TestUtils = require('../utils');
+
+describe('service/token.test.js', function() {
+  var token;
+  afterEach(function* () {
+    if (!token) return
+    yield TokenService.deleteToken(TestUtils.admin, token.token);
+  });
+
+  describe('createToken()', function() {
+    describe('default options', function() {
+      it('should create token success', function* () {
+        token = yield TokenService.createToken(TestUtils.admin);
+        should.exist(token);
+        should.exist(token.token);
+        should.exist(token.key);
+        token.cidr_whitelist.should.eql([]);
+        token.readonly.should.eql(false);
+      });
+    });
+
+    describe('custom options', function() {
+      it('should create token success', function* () {
+        token = yield TokenService.createToken(TestUtils.admin, {
+          cidrWhitelist: [ '127.0.0.1' ],
+          readonly: true,
+        });
+        should.exist(token);
+        should.exist(token.token);
+        should.exist(token.key);
+        token.cidr_whitelist.should.eql([ '127.0.0.1' ]);
+        token.readonly.should.eql(true);
+      });
+    });
+  });
+
+  describe('validateToken()', function() {
+    describe('normal', function() {
+      beforeEach(function* () {
+        token = yield TokenService.createToken(TestUtils.admin);
+      });
+
+      describe('token is exits', function() {
+        it('should get user', function* () {
+          var user = yield TokenService.validateToken(token.token, {
+            isReadOperation: true,
+            accessIp: '127.0.0.1',
+          });
+          should.exist(user);
+        });
+      });
+
+      describe('token is not exits', function() {
+        it('should not get user', function* () {
+          var user = yield TokenService.validateToken('not exits', {
+            isReadOperation: true,
+            accessIp: '127.0.0.1',
+          });
+          should.not.exist(user);
+        });
+      });
+    });
+
+    describe('readonly case', function() {
+      beforeEach(function* () {
+        token = yield TokenService.createToken(TestUtils.admin, {
+          readonly: true,
+        });
+      });
+
+      describe('read operation', function() {
+        it('should get user', function* () {
+          var user = yield TokenService.validateToken(token.token, {
+            isReadOperation: true,
+            accessIp: '127.0.0.1',
+          });
+          should.exist(user);
+        });
+      });
+
+      describe('write operation', function() {
+        it('should not get user', function* () {
+          var user = yield TokenService.validateToken('not exits', {
+            isReadOperation: false,
+            accessIp: '127.0.0.1',
+          });
+          should.not.exist(user);
+        });
+      });
+    });
+
+    describe('cidr case', function() {
+      beforeEach(function* () {
+        token = yield TokenService.createToken(TestUtils.admin, {
+          cidrWhitelist: [ '127.0.0.1' ],
+        });
+      });
+
+      describe('in white list', function() {
+        it('should get user', function* () {
+          var user = yield TokenService.validateToken(token.token, {
+            isReadOperation: true,
+            accessIp: '127.0.0.1',
+          });
+          should.exist(user);
+        });
+      });
+
+      describe('not in white list', function() {
+        it('should not get user', function* () {
+          var user = yield TokenService.validateToken('not exits', {
+            isReadOperation: true,
+            accessIp: '127.0.0.2',
+          });
+          should.not.exist(user);
+        });
+      });
+    });
+  });
+
+  describe('listToken()', function() {
+    var token1;
+    var token2;
+
+    beforeEach(function* () {
+      token1 = yield TokenService.createToken(TestUtils.admin);
+      token2 = yield TokenService.createToken(TestUtils.admin);
+    });
+
+    afterEach(function* () {
+      yield TokenService.deleteToken(token1.user, token1.token);
+      yield TokenService.deleteToken(token2.user, token2.token);
+    });
+
+    it('perPage/page should work', function* () {
+      var tokens = yield TokenService.listToken(TestUtils.admin, {
+        perPage: 1,
+        page: 0,
+      });
+      should.exist(tokens);
+      tokens[0].key.should.eql(token1.key);
+
+      tokens = yield TokenService.listToken(TestUtils.admin, {
+        perPage: 1,
+        page: 1,
+      });
+      should.exist(tokens);
+      tokens[0].key.should.eql(token2.key);
+    });
+  });
+
+  describe('deleteToken()', function() {
+    beforeEach(function* () {
+      token = yield TokenService.createToken(TestUtils.admin);
+    });
+
+    describe('delete by key prefix', function() {
+      it('should work', function* () {
+        yield TokenService.deleteToken(TestUtils.admin, token.key.substring(0, 6));
+        var user = yield TokenService.validateToken(token.token, { isReadOperation: false, accessIp: '127.0.0.1' });
+        should.not.exists(user);
+      });
+    });
+
+    describe('delete by token', function() {
+      it('should work', function* () {
+        yield TokenService.deleteToken(TestUtils.admin, token.token);
+        var user = yield TokenService.validateToken(token.token, { isReadOperation: false, accessIp: '127.0.0.1' });
+        should.not.exists(user);
+      });
+    });
+  });
+});
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
fengmk2	8b29cd8b04	Release 3.0.0-rc.66	2023-03-25 21:41:57 +08:00
elrrrrrrr	6769a46d71	fix: download row create error (#1749 ) > 包名超长时，更新下载记录接口会无限重试 * 更新下载记录前，先判断当前包名是否存在 ------------- > When the package name is too long, the update download record interface will retry indefinitely. * Check pkg exists, before updating the download record.	2023-03-25 21:40:50 +08:00
fengmk2	cd60a7aa82	Release 3.0.0-rc.65	2023-02-06 14:09:25 +08:00
elrrrrrrr	a289d7dd5e	feat: ignore sync private pkg (#1747 ) > Ignore sync requests for private pacakges. * update isLocalModule Logic, follow the #privatePackages field in config.	2023-02-06 14:08:42 +08:00
fengmk2	922aa8ff1b	Release 3.0.0-rc.64	2022-10-31 23:17:24 +08:00
elrrrrrrr	af9f5f7499	feat: add changes delay (#1739 ) * 新增 changesDelay 配置，调用 /-/all/changes 接口时默认返回 delay 之前的 changes * 防止出现 since 和当前时间接近时，changes 异步插入，导致 changes 计算失败的问题	2022-10-31 23:15:56 +08:00
killagu	bc0d1db782	Release 3.0.0-rc.63	2022-08-31 16:01:03 +08:00
elrrrrrrr	1964d66abf	feat: remove block version changes (#1737 )	2022-08-31 15:41:23 +08:00
killagu	8ac988ae88	Release 3.0.0-rc.62	2022-07-28 16:51:56 +08:00
elrrrrrrr	d8b5c9f7a9	feat: add changes api (#1734 )	2022-07-28 16:28:47 +08:00
Ke Wu	4d534cad02	fix: listModulesByUser map error (#1731 ) Co-authored-by: 天玎 <tianding.wk@antgroup.com>	2022-06-15 22:05:42 +08:00
fengmk2	53af65c0e9	Release 3.0.0-rc.60	2022-04-28 09:49:00 +08:00
fengmk2	f8bcca1ea0	🐛 FIX: path url maybe encode (#1729 )	2022-04-28 09:48:27 +08:00
fengmk2	6c12a040a5	Release 3.0.0-rc.59	2022-04-28 09:26:48 +08:00
fengmk2	8663e215f0	🐛 FIX: Should show sync button on scoped package not exists (#1728 ) closes https://github.com/cnpm/cnpmcore/issues/218#issuecomment-1110955986	2022-04-28 09:13:43 +08:00
fengmk2	8573c4a600	📖 DOC: DEPRECATED, please use https://github.com/cnpm/cnpmcore instead	2022-03-27 09:48:55 +08:00
fengmk2	51d1276d2e	Release 3.0.0-rc.58	2022-03-20 09:51:14 +08:00
fengmk2	83497f2052	👌 IMPROVE: Return libc field on abbreviated manifests (#1721 ) pick from https://github.com/cnpm/cnpmcore/pull/188	2022-03-20 09:49:19 +08:00
AN	1e0f7e06bb	📖 DOC: Modify comments (#1710 ) Co-authored-by: Zian502 <yuanzhian@cai-inc.com>	2022-02-16 23:01:46 +08:00
fengmk2	e682e7a0a3	📖 DOC: Update contributors	2022-02-14 00:17:29 +08:00
XXBeii	f52e9c3382	feat: support sync private package from define registry (#1701 ) Co-authored-by: wangjx2018 <wangjx2018@chinaunicom.cn>	2022-02-14 00:16:00 +08:00
fossabot	19e5c3def2	chore: Add license scan report and status (#1708 ) Signed off by: fossabot <badges@fossa.com>	2022-02-12 01:11:01 +08:00
fengmk2	9f8dca4ac0	refactor: Sync exists package from cnpmcore changes stream (#1707 ) closes https://github.com/cnpm/cnpmjs.org/issues/1704	2022-02-12 01:06:45 +08:00
fengmk2	f2c4b9f1c8	📖 DOC: Use git-contributor instead	2022-02-09 22:33:36 +08:00
fengmk2	1b09b2c0db	Release 3.0.0-rc.57	2022-02-08 23:18:14 +08:00
fengmk2	ac07b215a7	🐛 FIX: Support new bson logId	2022-02-08 23:17:45 +08:00
fengmk2	52475aab2b	Release 3.0.0-rc.56	2022-01-30 00:23:25 +08:00
fengmk2	559d5baccf	📦 NEW: sync web support webDataRemoteRegistry (#1697 )	2022-01-29 23:39:37 +08:00
fengmk2	e5c5179e9e	📦 NEW: Support set registry to new cnpmcore registry (#1696 ) https://github.com/cnpm/cnpmcore/issues/120	2022-01-28 00:20:23 +08:00
fengmk2	ad622d55e3	chore: update contributors	2021-12-01 08:59:26 +08:00
fengmk2	e434288e49	Release 3.0.0-rc.55	2021-11-28 19:49:49 +08:00
fengmk2	b7bbf84ea3	fix: add missing config property for bug-versions (#1685 )	2021-11-28 19:44:38 +08:00
fengmk2	97d501c088	feat: support bug-versions on server (#1684 ) https://github.com/cnpm/bug-versions	2021-11-28 19:23:47 +08:00
fengmk2	a1bf6bfbf0	Release 3.0.0-rc.54	2021-11-24 00:40:37 +08:00
fengmk2	3c5bc9dc5e	feat: support package version block list (#1683 )	2021-11-24 00:39:48 +08:00
fengmk2	59a84769a9	Release 3.0.0-rc.53	2021-11-22 21:09:55 +08:00
hellojukay	c6973a98ce	fix(db.sql): use utf8mb4 on description column (#1681 )	2021-11-22 21:06:52 +08:00
fengmk2	f22a3e7370	refactor: dist tarbar url don't contains querystring (#1682 )	2021-11-22 21:04:49 +08:00
fengmk2	ffafab36ce	Release 3.0.0-rc.52	2021-11-09 14:56:07 +08:00
fengmk2	abc1723bef	feat: support dist.integrity (#1677 ) https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md#dist	2021-11-09 14:43:39 +08:00
alsotang	a49deec3b2	chore: remove unused config (#1495 )	2021-11-09 14:38:25 +08:00
alsotang	74d408d006	fix: database dialect config detect error (#1503 )	2021-11-09 14:37:34 +08:00
fengmk2	113a3c85cd	Release 3.0.0-rc.51	2021-11-07 23:43:23 +08:00
fengmk2	7f0aa2ad95	chore: update contributors	2021-11-07 23:42:05 +08:00
fengmk2	39cf77ae0f	refactor: use remote abbreviated version data (#1675 ) avoid npm abbreviated version fields change closes https://github.com/cnpm/cnpmjs.org/issues/1667 and starting use the new domain: npmmirror.com	2021-11-07 23:38:32 +08:00
Solais	37ba629028	fix: get count missing name (#1674 ) Co-authored-by: zhixiang.tzx <zhixiang.tzx@alibaba-inc.com>	2021-11-07 20:28:06 +08:00
killagu	ee9fc4f349	Release 3.0.0-rc.50	2021-11-04 17:05:33 +08:00
Solais	e4c3cd125e	feat: package view add download total count (#1673 ) Co-authored-by: zhixiang.tzx <zhixiang.tzx@alibaba-inc.com>	2021-11-04 17:00:34 +08:00
fengmk2	2ce14d147c	Release 3.0.0-rc.49	2021-10-01 17:54:58 +08:00
fengmk2	62fdbd400a	fix: should update etag after abbreviated meta change (#1670 )	2021-10-01 17:52:06 +08:00
fengmk2	ee6ba638a5	Release 3.0.0-rc.48	2021-09-27 17:32:54 +08:00
fengmk2	283f14976d	feat: add missing abbreviated meta attibutes (#1668 ) os, cpu, peerDependenciesMeta, workspaces	2021-09-27 17:21:53 +08:00
fengmk2	851ba3fdfa	Release 3.0.0-rc.47	2021-09-19 10:24:26 +08:00
killa	2e7354c647	fix: allow download without scope filename (#1665 )	2021-09-19 10:22:24 +08:00
killagu	5e1c608719	Release 3.0.0-rc.46	2021-09-10 14:45:32 +08:00
wxhuang	596bca908e	fix: fs-cnpm on dockerize config (#1656 ) Co-authored-by: huangwenxi <huangwx@seirobotics.net>	2021-09-07 11:19:08 +08:00
killa	bbae9d3bc3	fix: new publish with token should add user to maintainers (#1662 ) * fix: new publish with token should add user to maintainers ci: use github fix: fix _saveNpmUser * ci: github add mysql service	2021-09-03 14:04:40 +08:00
killagu	68317cc449	Release 3.0.0-rc.45	2021-07-28 14:42:58 +08:00
killa	d28af7fd7e	feat: support custom tokenService (#1658 )	2021-07-28 14:41:13 +08:00
Solais	e2582417fa	remove maintainers logic (#1654 ) * fix: remove maintainers logic when token mode Co-authored-by: zhixiang.tzx <zhixiang.tzx@alibaba-inc.com>	2021-07-06 17:52:43 +08:00
killagu	99b81f531e	Release 3.0.0-rc.44	2021-06-11 10:38:11 +08:00
killa	a1e8a82892	feat: impl npm owner hooks (#1645 ) * feat: impl npm owner hooks * fix: fix tagDir/packageDir for oss-cnpm	2021-06-11 10:34:50 +08:00
killagu	14a6f621f8	Release 3.0.0-rc.43	2021-05-06 20:59:25 +08:00
killa	f1217094b7	fix: should yield backup method (#1639 )	2021-05-06 15:02:57 +08:00
killa	2245dc2967	feat: impl accelerate request (#1637 ) * feat: impl accelerate request	2021-05-06 15:00:04 +08:00
killagu	3d34058542	Release 3.0.0-rc.42	2021-04-30 14:40:01 +08:00
killa	a21aed08c5	feat: impl sync to/from backup files (#1636 ) * feat: impl save backup files * feat: impl sync from backup files * feat: impl sync unpublish from backup file * config: add backupProtocol	2021-04-30 11:48:11 +08:00
fengmk2	cb2f3de5a6	Release 3.0.0-rc.41	2021-04-19 22:55:52 +08:00
fengmk2	819a499661	feat: add custom format hooks for registry package request (#1635 ) let custom registry can filter the package fields itself	2021-04-19 22:54:51 +08:00
fengmk2	dc0955320b	feat: export models ref to app (#1634 ) let custom middleware can access app.models	2021-04-18 13:55:02 +08:00
fengmk2	aa7cb3df01	feat: allow to disable total modules query on db (#1624 ) use `config.enableTotalCount = false`	2021-02-24 18:29:49 +08:00
fengmk2	35d9f9b00e	Release 3.0.0-rc.40	2021-02-05 21:45:07 +08:00
Bowen Huang	8ddbe9076f	feat: custom header html block (#1616 ) Co-authored-by: yanmei.hbw <yanmei.hbw@alibaba-inc.com>	2021-02-05 21:43:40 +08:00
withoutmeat	f0ba573f8b	fix: wrong position of the comma in the db.sql (#1613 )	2021-01-19 12:23:04 +08:00
killagu	134839d31e	Release 3.0.0-rc.39	2021-01-14 10:22:03 +08:00
killa	33dd3554f5	feat: impl dist-tag hooks (#1612 ) * feat: impl dist-tag hooks * test: add tag assert	2021-01-14 10:20:16 +08:00
killagu	dffe589e2c	Release 3.0.0-rc.38	2021-01-12 22:05:25 +08:00
killa	1c6040bc95	performance: optimise query pkg latestModified (#1611 )	2021-01-12 21:54:38 +08:00
Li Shuai	7909434b86	chore: add alibaba cloud devops link (#1602 ) Co-authored-by: 焦霸 <jiaoba@taobao.com>	2020-11-24 19:56:48 +08:00
dead-horse	09ec3f5392	Release 3.0.0-rc.37	2020-10-21 13:57:41 +08:00
killa	39c322332f	feat: new registry api (#1597 )	2020-10-21 13:53:44 +08:00
fengmk2	24a0039188	Release 3.0.0-rc.36	2020-09-28 20:18:10 +08:00
killa	b7089d33d4	fix: set maintainer to current user if maintainer is undefined (#1592 ) If pub with token, pkg has no default maintainer	2020-09-28 20:16:15 +08:00
fengmk2	2b74e00cb9	fix: release 3.0.0-rc.35 fix npm include functions dir	2020-09-20 21:50:43 +08:00
fengmk2	d26e9fdff1	Release 3.0.0-rc.34	2020-09-20 21:46:32 +08:00
killa	45f2f8b31f	feat: impl registry token api (#1590 ) Refs: - https://github.com/npm/registry/blob/master/docs/user/authentication.md	2020-09-20 21:41:15 +08:00
fengmk2	90d39aa4fc	Release 3.0.0-rc.33	2020-08-07 11:27:39 +08:00
fengmk2	61549b47a2	fix: avoid "ENAMETOOLONG: name too long" error (#1583 )	2020-08-07 11:26:23 +08:00
fengmk2	5e9859119f	Release 3.0.0-rc.32	2020-04-10 10:56:17 +08:00
fengmk2	e97835f702	feat: support custom web middlewares (#1563 )	2020-04-10 10:55:26 +08:00
fengmk2	3cb3fe02f0	feat: list all package versions by date (#1557 )	2020-02-23 20:43:24 +08:00
fengmk2	2cea5cd1c3	Release 3.0.0-rc.31	2020-01-13 18:00:56 +08:00
fengmk2	a8ff647aa0	feat: retry sync fail on cnpm registry (#1547 )	2020-01-13 18:00:09 +08:00
fengmk2	f48f27aae4	Release 3.0.0-rc.30	2019-12-12 16:26:23 +08:00
Khaidi Chu	2c511f2209	feat: add unpublishRemoveTarball mode (#1536 )	2019-12-12 16:24:33 +08:00
Khaidi Chu	e7bafb2ee9	fix: audit proxy test cases (#1537 )	2019-12-12 15:26:05 +08:00
				`@@ -0,0 +1 @@`
				{"_id":"mk2testmodule","name":"mk2testmodule","description":"","dist-tags":{"latest":"0.0.1"},"versions":{"0.0.1":{"name":"mk2testmodule","version":"0.0.1","description":"","main":"index.js","scripts":{"test":"echo \"Error: no test specified\" && exit 1"},"author":"","license":"ISC","readme":"ERROR: No README data found!","_id":"mk2testmodule@0.0.1","dist":{"shasum":"fa475605f88bab9b1127833633ca3ae0a477224c","tarball":"http://127.0.0.1:7001/mk2testmodule/-/mk2testmodule-0.0.1.tgz"},"_from":".","_npmVersion":"1.4.3","_npmUser":{"name":"fengmk2","email":"fengmk2@gmail.com"}}},"readme":"ERROR: No README data found!","_attachments":{"mk2testmodule-0.0.1.tgz":{"content_type":"application/octet-stream","data":"H4sIAAAAAAAAA+2SsWrDMBCGPfspDg2ZinOyEgeylg6Zu2YR8rVRHEtGkkOg5N0jWaFdujVQAv6W4/7/dHcSGqTq5Ccthxyro7emeDCI2KxWkOKmaaaIdc4TouZQ8FqgwI3AdVMgF8ijho9e5DdGH6SLq/y1T74LfMcn4asEYEb2xLbA+q4O5ENv2/FE7CVZZ3JeW5NcrLDiWW3JK6eHcHey2Es9Zdq0dIkfKau50EcjjYpCmpDKSB0s7Nmbc9ZtwVhIBviBlP7Q1O4ZLBZAFx2As3jyOnWTYzhY9zPzpBUZPy2/e39l5bX87wedmZmZeRJuheTX2wAIAAA=","length":251}}}