chore: update versions (next-7) (#4711)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.babelrc

@@ -10,9 +10,5 @@
     ],
     "@babel/typescript"
   ],
-  "ignore": ["**/*.d.ts"],
-  "plugins": [
-    "@babel/plugin-proposal-optional-chaining",
-    "@babel/plugin-proposal-nullish-coalescing-operator"
-  ]
+  "ignore": ["**/*.d.ts"]
 }

.changeset/big-cameras-invent.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/store': patch
+---
+
+chore: fix types for some store tests

.changeset/chilly-rivers-chew.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/cli': patch
+---
+
+chore: add config location and loglevel to startup log

.changeset/cuddly-camels-relax.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/middleware': patch
+---
+
+fix(middleware): custom favicon

.changeset/dirty-dolphins-try.md

@@ -0,0 +1,10 @@
+---
+'@verdaccio/ui-components': minor
+'@verdaccio/ui-theme': patch
+'@verdaccio/types': patch
+'@verdaccio/middleware': patch
+'@verdaccio/config': patch
+'@verdaccio/cli': patch
+---
+
+feat: complete overhaul of web user interface

.changeset/dirty-islands-push.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/ui-components': patch
+'@verdaccio/ui-theme': patch
+---
+
+chore: fix type for country flags

.changeset/dry-shoes-report.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/logger-commons': patch
+'@verdaccio/logger-prettify': patch
+---
+
+fix: log spacing depending on the FORMAT and COLORS options

.changeset/eight-icons-heal.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/tarball': patch
+'@verdaccio/store': patch
+---
+
+feat: add tarball details for published packages

.changeset/fluffy-onions-act.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/middleware': patch
+---
+
+fix(middleware): link to favicon in template

.changeset/good-lions-rush.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/ui-components': patch
+---
+
+chore: sync dependency defs between ui-components and ui-theme

.changeset/grumpy-pots-watch.md

@@ -0,0 +1,9 @@
+---
+'@verdaccio/types': patch
+'@verdaccio/config': patch
+'@verdaccio/core': patch
+'@verdaccio/store': patch
+'@verdaccio/api': patch
+---
+
+feat: add support for npm owner

.changeset/many-bees-tickle.md

@@ -0,0 +1,5 @@
+---
+'verdaccio-audit': minor
+---
+
+feat: verdaccio-audit support timeout option

.changeset/nervous-fireants-design.md

@@ -0,0 +1,5 @@
+---
+'generator-verdaccio-plugin': major
+---
+
+feat: migration to monorepo

.changeset/poor-seals-turn.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/tarball': patch
+'@verdaccio/store': patch
+---
+
+revert #4600

.changeset/pre.json

@@ -57,25 +57,40 @@
     "@verdaccio/website": "5.20.2",
     "@verdaccio/local-publish": "0.0.1",
     "@verdaccio/search": "7.0.0-next.0",
-    "@verdaccio/e2e-cli-pnpm9": "1.0.1"
+    "@verdaccio/e2e-cli-pnpm9": "1.0.1",
+    "generator-verdaccio-plugin": "4.1.0"
   },
   "changesets": [
     "angry-trees-tie",
+    "big-cameras-invent",
     "breezy-mayflies-pull",
     "chilled-carrots-guess",
+    "chilly-rivers-chew",
+    "cuddly-camels-relax",
+    "dirty-dolphins-try",
+    "dirty-islands-push",
+    "dry-shoes-report",
+    "eight-icons-heal",
     "eight-squids-judge",
     "eighty-lobsters-study",
+    "fluffy-onions-act",
     "good-cups-train",
+    "good-lions-rush",
+    "grumpy-pots-watch",
     "itchy-mangos-wink",
     "long-jars-collect",
     "long-moles-attend",
+    "many-bees-tickle",
+    "nervous-fireants-design",
     "old-turkeys-heal",
     "olive-bananas-wink",
     "perfect-chairs-act",
     "pink-apples-nail",
     "pink-balloons-leave",
+    "poor-seals-turn",
     "quick-buses-scream",
     "real-socks-vanish",
+    "rich-shrimps-check",
     "sharp-wolves-carry",
     "shiny-worms-retire",
     "shy-carrots-compare",
@@ -84,12 +99,18 @@
     "slow-wasps-glow",
     "spicy-birds-flow",
     "strange-points-repair",
+    "stupid-dancers-relate",
+    "ten-kids-tan",
+    "thin-snails-flow",
     "thirty-toes-swim",
+    "twenty-queens-protect",
     "unlucky-cycles-sparkle",
     "weak-fans-explain",
+    "wet-balloons-give",
     "wicked-kiwis-check",
     "wicked-worms-wash",
     "wild-otters-talk",
+    "witty-meals-nail",
     "young-donuts-own"
   ]
 }

.changeset/rich-shrimps-check.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/types': patch
+'@verdaccio/store': patch
+---
+
+fix: update fields for abbreviated manifest

.changeset/stupid-dancers-relate.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/url': patch
+---
+
+patch(core/url): Throw if VERDACCIO_FORWARDED_PROTO resolves to an array (#4613 by @Tobbe)

.changeset/ten-kids-tan.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/ui-components': patch
+---
+
+chore(ui): update babel dependencies

.changeset/thin-snails-flow.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/config': patch
+'@verdaccio/website': patch
+---
+
+fix: typo in config docs regarding check_owners

.changeset/twenty-queens-protect.md

@@ -0,0 +1,7 @@
+---
+'@verdaccio/ui-theme': patch
+'@verdaccio/ui-components': patch
+'@verdaccio/types': patch
+---
+
+fix: change bundleDependencies to array

.changeset/wet-balloons-give.md

@@ -0,0 +1,10 @@
+---
+'@verdaccio/types': minor
+'@verdaccio/core': minor
+'@verdaccio/signature': minor
+'@verdaccio/node-api': minor
+'@verdaccio/config': minor
+'@verdaccio/auth': minor
+---
+
+feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property

.changeset/witty-meals-nail.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/api': patch
+---
+
+chore(api): update comment about route parameters

.github/dependabot.yml

@@ -8,18 +8,11 @@ updates:
   # Maintain dependencies for GitHub Actions
   - package-ecosystem: 'github-actions'
     directory: '/'
-    schedule:
-      interval: 'weekly'
-
-  # Maintain dependencies for npm
-  - package-ecosystem: 'npm'
-    directory: '/'
-    schedule:
-      interval: 'daily'
-    allow:
-      - dependency-name: '@verdaccio/*'
-      - dependency-name: 'verdaccio-*'
+    open-pull-requests-limit: 1
+    prefix: "[github-actions] "
     assignees:
-      - 'verdacciobot'
+      - 'verdacciobot'    
+    schedule:
+      interval: 'monthly'
     labels:
       - 'bot: dependencies'

.github/disabled/ci-windows.yml

@@ -18,21 +18,23 @@ jobs:
         env:
           NODE_ENV: production          
     steps:
-    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
     - name: Node
       uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
       with:
         node-version-file: '.nvmrc'
     - name: Install pnpm
-      run: npm i pnpm@latest-8 -g
+      run: |
+        corepack enable
+        corepack install
     - name: set store
       run: |
         mkdir ~/.pnpm-store
         pnpm config set store-dir ~/.pnpm-store
     - name: Install
-      run: pnpm install --registry http://localhost:4873
+      run: pnpm install  --registry http://localhost:4873
     - name: Cache .pnpm-store
-      uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
       with:
         path: ~/.pnpm-store
         key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -43,14 +45,14 @@ jobs:
     name: Lint
     needs: prepare
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -67,14 +69,14 @@ jobs:
     name: Format
     needs: prepare
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -96,14 +98,14 @@ jobs:
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Use Node ${{ matrix.node_version }}
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node_version }}
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -122,13 +124,13 @@ jobs:
     runs-on: windows-latest
     name: UI Test E2E
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/workflows/changesets.yml

@@ -20,7 +20,7 @@ jobs:
     if: github.ref == 'refs/heads/master' && github.repository == 'verdaccio/verdaccio'
     steps:
       - name: checkout code repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
         with:
           fetch-depth: 0
 

.github/workflows/ci.yml

@@ -30,7 +30,7 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -46,7 +46,7 @@ jobs:
       - name: Install
         run: pnpm install  --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -57,7 +57,7 @@ jobs:
     name: Lint
     needs: prepare
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -66,7 +66,7 @@ jobs:
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -82,7 +82,7 @@ jobs:
     name: Format
     needs: prepare
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -91,7 +91,7 @@ jobs:
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -108,11 +108,11 @@ jobs:
       fail-fast: true
       matrix:
         os: [ubuntu-latest]
-        node_version: [18, 20, 21]
+        node_version: [18, 20, 21, 22]
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Use Node ${{ matrix.node_version }}
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -121,7 +121,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -140,7 +140,7 @@ jobs:
     name: synchronize translations
     if: (github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'verdaccio/verdaccio') || github.event_name == 'workflow_dispatch'
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
@@ -148,7 +148,7 @@ jobs:
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/workflows/codeql-analysis.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
         with:
           # We must fetch at least the immediate parents so that if this is
           # a pull request then we can checkout the head.
@@ -34,7 +34,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c7f9125735019aa87cfc361530512d50ea439c71 # v2
+        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v2
 
       # Override language selection by uncommenting this and choosing your languages
       # with:
@@ -42,7 +42,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@c7f9125735019aa87cfc361530512d50ea439c71 # v2
+        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -56,4 +56,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c7f9125735019aa87cfc361530512d50ea439c71 # v2
+        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v2

.github/workflows/docker-proxy-apache-e2e.yml

@@ -16,7 +16,7 @@ jobs:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       
     - name: Start containers
       run: docker-compose -f "./e2e/docker/apache-verdaccio/docker-compose.yaml" up -d --build

.github/workflows/docker-proxy-nginx-e2e.yml

@@ -13,7 +13,7 @@ jobs:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       
     - name: Start containers
       run: docker-compose -f "./e2e/docker/proxy-nginx/docker-compose.yaml" up -d --build

.github/workflows/docker-publish.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'verdaccio/verdaccio'
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # tag=v1
       - uses: docker/setup-buildx-action@v1
         with:
@@ -46,7 +46,7 @@ jobs:
             {{major}}
             {{major}}.{{minor}}
       - name: Build & Push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile

.github/workflows/e2e-ci.yml

@@ -18,7 +18,7 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -34,7 +34,7 @@ jobs:
       - name: Install
         run: pnpm install --reporter=silence --ignore-scripts --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -44,7 +44,7 @@ jobs:
     needs: [prepare]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Use Node 16
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -53,7 +53,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -65,7 +65,7 @@ jobs:
       - name: build
         run: pnpm build
       - name: Cache packages
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         id: cache-packages
         with:
           path: ./packages/
@@ -97,7 +97,7 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
@@ -105,7 +105,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -114,7 +114,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -141,7 +141,7 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
@@ -149,7 +149,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -158,7 +158,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --loglevel debug --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -186,7 +186,7 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
@@ -194,7 +194,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -203,7 +203,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}

.github/workflows/e2e-ui.yml

@@ -18,7 +18,7 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -33,7 +33,7 @@ jobs:
         run: pnpm build
       - name: Test UI
         run: pnpm test:e2e:ui
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v3
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
         with:
           name: videos
           path: /home/runner/work/verdaccio/verdaccio/e2e/ui/cypress/videos

.github/workflows/plugin-generator-e2e.yaml

@@ -0,0 +1,47 @@
+name: E2E Generator Verdaccio Plugin
+
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+jobs:
+  e2e-plugin-generator:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18,20, 22]
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Install pnpm
+        run: |
+          corepack enable
+          corepack install
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
+        with:
+          path: ~/.pnpm-store
+          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
+      - name: install
+        run: pnpm install
+      - name: build
+        run: pnpm build
+      - name: install verdaccio
+        run: npm install -g verdaccio@5
+      - name: Start server
+        run: verdaccio -c e2e/docker/generator-e2e/generator.yaml &
+      - name: ping server
+        run: curl http://localhost:4873/-/ping
+      - name: login
+        run: npx npm-cli-login -u test -p test -e test@domain.test -r http://localhost:4873
+      - name: publish
+        run: pnpm local:publish
+      - name: install yeoman
+        run: npm install -g yo@4 --loglevel=info
+      - name: install generator
+        run: npm install -g generator-verdaccio-plugin --loglevel=info --registry http://localhost:4873
+# Future: add a test to verify the plugin is working with prompt 

.github/workflows/static-data.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'verdaccio/verdaccio'
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
         with:
           persist-credentials: false
           fetch-depth: 0

.github/workflows/ui-components.yml

@@ -23,7 +23,7 @@ jobs:
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
 
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
@@ -31,7 +31,7 @@ jobs:
           node-version-file: '.nvmrc'
 
       - name: Cache pnpm modules
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         env:
           cache-name: cache-pnpm-modules
         with:

.github/workflows/website.yml

@@ -2,8 +2,6 @@ name: Verdaccio Website CI
 
 on:
   workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * *' 
 
 permissions:
   contents: read  #  to fetch code (actions/checkout)
@@ -28,7 +26,7 @@ jobs:
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
 
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
@@ -45,7 +43,7 @@ jobs:
       - name: Install
         run: pnpm install  --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -56,7 +54,7 @@ jobs:
       - name: Build Translations percentage
         run: pnpm --filter @verdaccio/crowdin-translations build
       - name: Cache Docusaurus Build
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: website/node_modules/.cache/webpack
           key: cache/webpack-${{github.ref}}-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -69,6 +67,7 @@ jobs:
           CONTEXT: production
         run: pnpm --filter @verdaccio/website netlify:build
       - name: Deploy to Netlify
+        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
         env:
           NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}

.gitignore

@@ -41,7 +41,7 @@ packages/plugins/ui-theme/static
 # CI Pnpm cache
 .pnpm-store/
 
-#docs 
+#docs
 website/docs/api/**/*.md
 website/docs/api/**/*.yml
 !website/docs/api/index.md
@@ -53,3 +53,6 @@ e2e/ui/cypress/screenshots/**/*
 
 # storybook
 packages/ui-components/storybook-static
+
+# plugin generator
+packages/tools/generator-verdaccio-plugin/generators/

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=${BUILDPLATFORM:-linux/amd64} node:21-alpine as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} node:21-alpine AS builder
 
 ENV NODE_ENV=development \
     VERDACCIO_BUILD_REGISTRY=https://registry.npmjs.org

README.md

@@ -251,7 +251,7 @@ Verdaccio aims to support all features of a standard npm client that make sense
 
 - Registering new users (`npm adduser {newuser}`) - **supported**
 - Change password (`npm profile set password`) - **supported**
-- Transferring ownership (`npm owner add {user} {pkg}`) - not supported, _PR-welcome_
+- Transferring ownership (`npm owner`) - **supported**
 - Token (`npm token`) - **supported**
 
 ### Miscellaneous

docker-examples/v5/plugins/docker-local-plugin/Dockerfile

@@ -1,7 +1,7 @@
 # Docs based on https://github.com/xlts-dev/verdaccio-prometheus-middleware#installation
 # Docker multi-stage build - https://docs.docker.com/develop/develop-images/multistage-build/
 # Use an alpine node image to install the plugin
-FROM node:lts-alpine as builder
+FROM node:lts-alpine AS builder
 
 RUN mkdir -p /verdaccio/plugins
 

docker-examples/v6/plugins/docker-build-install-plugin/Dockerfile

@@ -2,7 +2,7 @@
 
 # Docker multi-stage build - https://docs.docker.com/develop/develop-images/multistage-build/
 # Use an alpine node image to install the plugin
-FROM node:lts-alpine as builder
+FROM node:lts-alpine AS builder
 
 # Install the metrics middleware plugin
 # npm docs

docker-examples/v6/plugins/docker-local-plugin/Dockerfile

@@ -1,7 +1,7 @@
 # Docs based on https://github.com/xlts-dev/verdaccio-prometheus-middleware#installation
 # Docker multi-stage build - https://docs.docker.com/develop/develop-images/multistage-build/
 # Use an alpine node image to install the plugin
-FROM node:lts-alpine as builder
+FROM node:lts-alpine AS builder
 
 RUN mkdir -p /verdaccio/plugins
 

docs/env.variables.md

@@ -5,12 +5,13 @@ internal features.
 
 #### VERDACCIO_LEGACY_ALGORITHM
 
-Allows to define the specific algorithm for the token
-signature which by default is `aes-256-ctr`
+Allows to define the specific algorithm for the token signature which by default is `aes-256-ctr`. The algorithm must be supported by `crypto.createCipheriv` and `crypto.createDecipheriv`.
+Read more here: https://nodejs.org/api/crypto.html#crypto_crypto_createcipheriv_algorithm_key_iv_options
 
 #### VERDACCIO_LEGACY_ENCRYPTION_KEY
 
-By default, the token stores in the database, but using this variable allows to get it from memory
+By default, the token stores in the database, but using this variable allows to get it from memory, the length must be 32 characters otherwise will throw an error.
+Read more here: https://nodejs.org/api/crypto.html#crypto_crypto_createcipheriv_algorithm_key_iv_options
 
 #### VERDACCIO_PUBLIC_URL
 

docs/migration-v5-to-v6.md

@@ -1,14 +1,14 @@
-# Migration guide from Verdaccio 5 to Verdaccio 6
+# Migration Guide from Verdaccio 5 to Verdaccio 6
 
 Notes regarding breaking changes for next major release.
 
-> This list might growth over the development.
+> This list might growth over the course of development.
 
-## Breaking changes
+## Breaking Changes
 
 ### New node-api interface [#2165](https://github.com/verdaccio/verdaccio/pull/2165)
 
-If you are using the node-api, the new structure is Promise based and less arguments.
+If you are using the `node-api`, the new structure is Promise based and less arguments.
 
 ```js
 import { runServer } from '@verdaccio/node-api';
@@ -22,7 +22,7 @@ app.listen(4000, (event) => {
 });
 ```
 
-### allow other password hashing algorithms [#1917](https://github.com/verdaccio/verdaccio/pull/1917)
+### Allow other password hashing algorithms [#1917](https://github.com/verdaccio/verdaccio/pull/1917)
 
 The current implementation of the `htpasswd` module supports multiple hash formats on verify, but only `crypt` on sign in.
 `crypt` is an insecure old format, so to improve the security of the new `verdaccio` release we introduce the support of multiple hash algorithms on sign in step.
@@ -53,21 +53,28 @@ htpasswd:
 
 - The `experiments` configuration is renamed to `flags`. The functionality is exactly the same.
 
-```js
-flags: token: false;
-search: false;
+```yaml
+flags:
+  token: false;
+  search: false;
 ```
 
 - The `self_path` property from the config file is being removed in favor of `config_file` full path.
 - Refactor `config` module, better types and utilities
 
-### legacy token signature by removing crypto.createDecipher is deprecated [#1953](https://github.com/verdaccio/verdaccio/pull/1953)
+### Legacy token signature by removing crypto.createDecipher is deprecated [#1953](https://github.com/verdaccio/verdaccio/pull/1953)
 
 - Replace signature handler for legacy tokens by removing deprecated crypto.createDecipher by createCipheriv
 - **The new signature invalidates all previous tokens generated by Verdaccio 5 or previous versions**.
 - The secret key must have 32 characters long
   > Remediation, update `.verdaccio-db.json` secret field with a secret key with 32 characters.
 
+### Legacy token secret length
+
+If the migration to v6 include an update to node 22 or higher, be aware that token secrets with a length other than 32 are not
+supported anymore. A new secret will be generated. See [docs](https://verdaccio.org/docs/6.x/configuration#legacy-token-signature)
+for more details.
+
 #### New environment variables
 
 Introduce environment variables for legacy tokens.

e2e/cli/cli-commons/package.json

@@ -5,16 +5,16 @@
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
   "devDependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/config": "workspace:7.0.0-next-7.19",
+    "@verdaccio/core": "workspace:7.0.0-next-7.19",
+    "@verdaccio/types": "workspace:12.0.0-next-7.5",
     "debug": "4.3.4",
     "fs-extra": "11.2.0",
     "get-port": "5.1.1",
     "got": "11.8.6",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",
-    "verdaccio": "workspace:7.0.0-next-7.14"
+    "verdaccio": "workspace:7.0.0-next-7.19"
   },
   "scripts": {
     "test": "jest",

e2e/docker/generator-e2e/generator.yaml

@@ -0,0 +1,43 @@
+storage: ./storage
+
+web:
+  title: Verdaccio E2E Local
+auth:
+  htpasswd:
+    file: ./htpasswd
+uplinks:
+  npmjs:
+    url: https://registry.npmjs.org/
+packages:
+  '@verdaccio/*':
+    access: $all
+    publish: $all
+    unpublish: $all
+  '@*/*':
+    access: $all
+    publish: $authenticated
+    unpublish: $authenticated
+    proxy: npmjs
+  'verdaccio-*':
+    access: $all
+    publish: $all
+    unpublish: $all
+  'generator-verdaccio-plugin':
+    access: $all
+    publish: $all
+    unpublish: $all
+  'verdaccio':
+    access: $all
+    publish: $all
+    unpublish: $all
+  '**':
+    access: $all
+    publish: $authenticated
+    unpublish: $authenticated
+    proxy: npmjs
+
+middlewares:
+  audit:
+    enabled: false
+
+log: { type: stdout, format: json, level: http }

e2e/ui/package.json

@@ -3,9 +3,9 @@
   "name": "@verdaccio/e2e-ui",
   "version": "2.0.0",
   "devDependencies": {
-    "verdaccio": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
+    "verdaccio": "workspace:7.0.0-next-7.19",
+    "@verdaccio/core": "workspace:7.0.0-next-7.19",
+    "@verdaccio/config": "workspace:7.0.0-next-7.19",
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
     "debug": "4.3.4",
     "cypress": "^13.6.0",

package.json

@@ -15,30 +15,30 @@
     "url": "https://opencollective.com/verdaccio"
   },
   "devDependencies": {
-    "@babel/cli": "7.23.9",
-    "@babel/core": "7.23.9",
-    "@babel/eslint-parser": "7.23.3",
-    "@babel/node": "7.23.9",
-    "@babel/plugin-proposal-class-properties": "7.18.6",
-    "@babel/plugin-proposal-decorators": "7.23.9",
-    "@babel/plugin-proposal-export-namespace-from": "7.18.9",
-    "@babel/plugin-proposal-function-sent": "7.23.3",
-    "@babel/plugin-proposal-json-strings": "7.18.6",
-    "@babel/plugin-proposal-nullish-coalescing-operator": "7.18.6",
-    "@babel/plugin-proposal-numeric-separator": "7.18.6",
-    "@babel/plugin-proposal-object-rest-spread": "7.20.7",
-    "@babel/plugin-proposal-optional-chaining": "7.21.0",
-    "@babel/plugin-proposal-throw-expressions": "7.23.3",
+    "@babel/cli": "7.24.8",
+    "@babel/core": "7.24.9",
+    "@babel/eslint-parser": "7.24.8",
+    "@babel/node": "7.24.8",
+    "@babel/plugin-proposal-decorators": "7.24.7",
+    "@babel/plugin-proposal-function-sent": "7.24.7",
+    "@babel/plugin-proposal-throw-expressions": "7.24.7",
     "@babel/plugin-syntax-dynamic-import": "7.8.3",
     "@babel/plugin-syntax-import-meta": "7.10.4",
-    "@babel/plugin-transform-async-to-generator": "7.23.3",
-    "@babel/plugin-transform-classes": "7.23.8",
-    "@babel/plugin-transform-runtime": "7.23.9",
-    "@babel/preset-env": "7.23.9",
-    "@babel/preset-react": "7.23.3",
-    "@babel/preset-typescript": "7.23.3",
-    "@babel/register": "7.23.7",
-    "@babel/runtime": "7.23.9",
+    "@babel/plugin-transform-async-to-generator": "7.24.7",
+    "@babel/plugin-transform-class-properties": "7.24.7",
+    "@babel/plugin-transform-classes": "7.24.8",
+    "@babel/plugin-transform-export-namespace-from": "7.24.7",
+    "@babel/plugin-transform-json-strings": "7.24.7",
+    "@babel/plugin-transform-nullish-coalescing-operator": "7.24.7",
+    "@babel/plugin-transform-numeric-separator": "7.24.7",
+    "@babel/plugin-transform-object-rest-spread": "7.24.7",
+    "@babel/plugin-transform-optional-chaining": "7.24.8",
+    "@babel/plugin-transform-runtime": "7.24.7",
+    "@babel/preset-env": "7.24.8",
+    "@babel/preset-react": "7.24.7",
+    "@babel/preset-typescript": "7.24.7",
+    "@babel/register": "7.24.6",
+    "@babel/runtime": "7.24.8",
     "@changesets/changelog-github": "0.5.0",
     "@changesets/cli": "2.27.1",
     "@changesets/get-dependents-graph": "1.3.6",
@@ -61,6 +61,9 @@
     "@types/http-errors": "2.0.4",
     "@types/jest": "29.5.11",
     "@types/jsonwebtoken": "9.0.5",
+    "@types/yeoman-environment": "2.10.11",
+    "@types/yeoman-generator": "5.2.14",
+    "@types/yeoman-test": "4.0.6",
     "@types/lodash": "4.14.202",
     "@types/mime": "3.0.4",
     "@types/minimatch": "5.1.2",
@@ -72,13 +75,11 @@
     "@types/react-dom": "18.2.18",
     "@types/react-router-dom": "5.3.3",
     "@types/react-virtualized": "9.21.29",
-    "@types/redux": "3.6.0",
     "@types/semver": "7.5.6",
     "@types/send": "0.17.4",
     "@types/serve-static": "1.15.5",
     "@types/superagent": "4.1.24",
     "@types/supertest": "2.0.16",
-    "@types/testing-library__jest-dom": "6.0.0",
     "@types/validator": "13.11.8",
     "@types/webpack": "5.28.5",
     "@types/webpack-env": "1.18.4",
@@ -127,7 +128,7 @@
     "verdaccio-auth-memory": "workspace:*",
     "verdaccio-htpasswd": "workspace:*",
     "verdaccio-memory": "workspace:*",
-    "vitest": "0.34.6"
+    "vitest": "1.6.0"
   },
   "scripts": {
     "prepare": "husky install",

packages/api/CHANGELOG.md

@@ -1,5 +1,77 @@
 # @verdaccio/api
 
+## 7.0.0-next-7.19
+
+### Patch Changes
+
+- 19df355: chore(api): update comment about route parameters
+- Updated dependencies [2a6ee33]
+- Updated dependencies [6c5f7a4]
+- Updated dependencies [c31aec8]
+  - @verdaccio/middleware@7.0.0-next-7.19
+  - @verdaccio/config@7.0.0-next-7.19
+  - @verdaccio/auth@7.0.0-next-7.19
+  - @verdaccio/store@7.0.0-next-7.19
+  - @verdaccio/core@7.0.0-next-7.19
+  - @verdaccio/utils@7.0.0-next-7.19
+  - @verdaccio/logger@7.0.0-next-7.19
+
+## 7.0.0-next-7.18
+
+### Patch Changes
+
+- Updated dependencies [10dd81f]
+  - @verdaccio/middleware@7.0.0-next-7.18
+  - @verdaccio/config@7.0.0-next-7.18
+  - @verdaccio/auth@7.0.0-next-7.18
+  - @verdaccio/core@7.0.0-next-7.18
+  - @verdaccio/logger@7.0.0-next-7.18
+  - @verdaccio/store@7.0.0-next-7.18
+  - @verdaccio/utils@7.0.0-next-7.18
+
+## 7.0.0-next-7.17
+
+### Patch Changes
+
+- 6e764e3: feat: add support for npm owner
+- Updated dependencies [6e764e3]
+- Updated dependencies [de6ff5c]
+  - @verdaccio/config@7.0.0-next-7.17
+  - @verdaccio/core@7.0.0-next-7.17
+  - @verdaccio/store@7.0.0-next-7.17
+  - @verdaccio/auth@7.0.0-next-7.17
+  - @verdaccio/logger@7.0.0-next-7.17
+  - @verdaccio/middleware@7.0.0-next-7.17
+  - @verdaccio/utils@7.0.0-next-7.17
+
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- Updated dependencies [e5624e1]
+- Updated dependencies [5bfab62]
+  - @verdaccio/store@7.0.0-next-7.16
+  - @verdaccio/logger@7.0.0-next-7.16
+  - @verdaccio/middleware@7.0.0-next-7.16
+  - @verdaccio/auth@7.0.0-next-7.16
+  - @verdaccio/core@7.0.0-next-7.16
+  - @verdaccio/config@7.0.0-next-7.16
+  - @verdaccio/utils@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [7400830]
+- Updated dependencies [bd8703e]
+  - @verdaccio/store@7.0.0-next-7.15
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/auth@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/middleware@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/api",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.19",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,25 +38,25 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.14",
-    "@verdaccio/store": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.19",
+    "@verdaccio/config": "workspace:7.0.0-next-7.19",
+    "@verdaccio/core": "workspace:7.0.0-next-7.19",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.19",
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.19",
+    "@verdaccio/store": "workspace:7.0.0-next-7.19",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.19",
     "abortcontroller-polyfill": "1.7.5",
     "body-parser": "1.20.2",
     "cookies": "0.9.0",
     "debug": "4.3.4",
-    "express": "4.18.3",
+    "express": "4.19.2",
     "lodash": "4.17.21",
     "mime": "2.6.0",
-    "semver": "7.6.0"
+    "semver": "7.6.2"
   },
   "devDependencies": {
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.5",
     "mockdate": "3.0.5",
     "nock": "13.5.1",
     "supertest": "6.3.4"

packages/api/src/index.ts

@@ -37,10 +37,11 @@ export default function (config: Config, auth: Auth, storage: Storage): Router {
   app.param('revision', validateName);
   app.param('token', validateName);
 
-  // these can't be safely put into express url for some reason
-  // TODO: For some reason? what reason?
+  // Express route parameter names must be valid JavaScript identifiers, which means
+  // they cannot start with a hyphen (-) or contain special characters like dots (.)
   app.param('_rev', match(/^-rev$/));
   app.param('org_couchdb_user', match(/^org\.couchdb\.user:/));
+
   app.use(auth.apiJWTmiddleware());
   app.use(express.json({ strict: false, limit: config.max_body_size || '10mb' }));
   app.use(antiLoop(config));

packages/api/src/package.ts

@@ -28,6 +28,7 @@ export default function (route: Router, auth: Auth, storage: Storage): void {
       const name = req.params.package;
       let version = req.params.version;
       const write = req.query.write === 'true';
+      const username = req?.remote_user?.name;
       const abbreviated =
         stringUtils.getByQualityPriorityValue(req.get('Accept')) === Storage.ABBREVIATED_HEADER;
       const requestOptions = {
@@ -37,6 +38,7 @@ export default function (route: Router, auth: Auth, storage: Storage): void {
         host: req.host,
         remoteAddress: req.socket.remoteAddress,
         byPassCache: write,
+        username,
       };
 
       try {

packages/api/src/publish.ts

@@ -76,11 +76,11 @@ const debug = buildDebug('verdaccio:api:publish');
    * 
    * 3. Star a package
    *
-   * Permissions: start a package depends of the publish and unpublish permissions, there is no
-   * specific flag for star or un start.
+   * Permissions: staring a package depends of the publish and unpublish permissions, there is no
+   * specific flag for star or unstar.
    * The URL for star is similar to the unpublish (change package format)
    *
-   * npm has no endpoint for star a package, rather mutate the metadata and acts as, the difference
+   * npm has no endpoint for staring a package, rather mutate the metadata and acts as, the difference
    * is the users property which is part of the payload and the body only includes
    *
    * {
@@ -89,7 +89,24 @@ const debug = buildDebug('verdaccio:api:publish');
 		  "users": {
 		    [username]: boolean value (true, false)
 		  }
-	}
+	   }
+   *
+   * 4. Change owners of a package
+   *
+   * Similar to staring a package, changing owners (maintainers) of a package uses the publish
+   * endpoint. 
+   *
+   * The body includes a list of the new owners with the following format
+   *
+   * {
+		  "_id": pkgName,
+	  	"_rev": "4-b0cdaefc9bdb77c8",
+		  "maintainers": [
+        { "name": "first owner", "email": "me@verdaccio.org" },
+        { "name": "second owner", "email": "you@verdaccio.org" },
+        ...
+		  ]
+	   }
    *
    */
 export default function publish(router: Router, auth: Auth, storage: Storage): void {
@@ -127,10 +144,11 @@ export default function publish(router: Router, auth: Auth, storage: Storage): v
     async function (req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) {
       const packageName = req.params.package;
       const rev = req.params.revision;
+      const username = req?.remote_user?.name;
 
       logger.debug({ packageName }, `unpublishing @{packageName}`);
       try {
-        await storage.removePackage(packageName, rev);
+        await storage.removePackage(packageName, rev, username);
         debug('package %s unpublished', packageName);
         res.status(HTTP_STATUS.CREATED);
         return next({ ok: API_MESSAGE.PKG_REMOVED });
@@ -155,13 +173,14 @@ export default function publish(router: Router, auth: Auth, storage: Storage): v
     ): Promise<void> {
       const packageName = req.params.package;
       const { filename, revision } = req.params;
+      const username = req?.remote_user?.name;
 
       logger.debug(
         { packageName, filename, revision },
         `removing a tarball for @{packageName}-@{tarballName}-@{revision}`
       );
       try {
-        await storage.removeTarball(packageName, filename, revision);
+        await storage.removeTarball(packageName, filename, revision, username);
         res.status(HTTP_STATUS.CREATED);
 
         logger.debug(
@@ -188,6 +207,12 @@ export function publishPackage(storage: Storage): any {
     const metadata = req.body;
     const username = req?.remote_user?.name;
 
+    debug('publishing package %o for user %o', packageName, username);
+    logger.debug(
+      { packageName, username },
+      'publishing package @{packageName} for user @{username}'
+    );
+
     try {
       const message = await storage.updateManifest(metadata, {
         name: packageName,

packages/api/src/user.ts

@@ -27,10 +27,22 @@ export default function (route: Router, auth: Auth, config: Config): void {
     rateLimit(config?.userRateLimit),
     function (req: $RequestExtend, res: Response, next: $NextFunctionVer): void {
       debug('verifying user');
+
+      if (typeof req.remote_user.name !== 'string' || req.remote_user.name === '') {
+        debug('user not logged in');
+        res.status(HTTP_STATUS.OK);
+        return next({ ok: false });
+      }
+
+      const username = req.params.org_couchdb_user.split(':')[1];
       const message = getAuthenticatedMessage(req.remote_user.name);
       debug('user authenticated message %o', message);
       res.status(HTTP_STATUS.OK);
       next({
+        // 'npm owner' requires user info
+        // TODO: we don't have the email
+        name: username,
+        email: '',
         ok: message,
       });
     }
@@ -61,6 +73,10 @@ export default function (route: Router, auth: Auth, config: Config): void {
       debug('login or adduser');
       const remoteName = req?.remote_user?.name;
 
+      if (!validatioUtils.validateUserName(req.params.org_couchdb_user, name)) {
+        return next(errorUtils.getBadRequest(API_ERROR.USERNAME_MISMATCH));
+      }
+
       if (typeof remoteName !== 'undefined' && typeof name === 'string' && remoteName === name) {
         debug('login: no remote user detected');
         auth.authenticate(
@@ -97,6 +113,7 @@ export default function (route: Router, auth: Auth, config: Config): void {
           }
         );
       } else {
+        debug('adduser: %o', name);
         if (
           validatioUtils.validatePassword(
             password,

packages/api/test/integration/_helper.ts

@@ -11,7 +11,7 @@ import {
   generatePackageMetadata,
   initializeServer as initializeServerHelper,
 } from '@verdaccio/test-helper';
-import { GenericBody, PackageUsers } from '@verdaccio/types';
+import { Author, GenericBody, PackageUsers } from '@verdaccio/types';
 import { buildToken, generateRandomHexString } from '@verdaccio/utils';
 
 import apiMiddleware from '../../src';
@@ -142,6 +142,37 @@ export function starPackage(
   return test;
 }
 
+export function changeOwners(
+  app,
+  options: {
+    maintainers: Author[];
+    name: string;
+    _rev: string;
+    _id?: string;
+  },
+  token?: string
+): supertest.Test {
+  const { _rev, _id, maintainers } = options;
+  const ownerManifest = {
+    _rev,
+    _id,
+    maintainers,
+  };
+
+  const test = supertest(app)
+    .put(`/${encodeURIComponent(options.name)}`)
+    .set(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON)
+    .send(JSON.stringify(ownerManifest))
+    .set('accept', HEADERS.GZIP)
+    .set(HEADER_TYPE.ACCEPT_ENCODING, HEADERS.JSON);
+
+  if (typeof token === 'string') {
+    test.set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, token));
+  }
+
+  return test;
+}
+
 export function getDisTags(app, pkgName) {
   return supertest(app)
     .get(`/-/package/${encodeURIComponent(pkgName)}/dist-tags`)

packages/api/test/integration/config/owner.yaml

@@ -0,0 +1,24 @@
+storage: ./storage
+
+auth:
+  htpasswd:
+    file: ./htpasswd-owner
+
+web:
+  enable: true
+  title: verdaccio
+
+log: { type: stdout, format: pretty, level: info }
+
+# TODO: Add test case for $owner access
+packages:
+  '@*/*':
+    access: $all
+    publish: $authenticated
+    unpublish: $authenticated
+  '**':
+    access: $all
+    publish: $authenticated
+    unpublish: $authenticated
+
+_debug: true

packages/api/test/integration/owner.spec.ts

@@ -0,0 +1,118 @@
+/* eslint-disable jest/no-commented-out-tests */
+import nock from 'nock';
+
+import { HTTP_STATUS } from '@verdaccio/core';
+
+import {
+  changeOwners,
+  createUser,
+  getPackage,
+  initializeServer,
+  publishVersionWithToken,
+} from './_helper';
+
+describe('owner', () => {
+  test.each([['foo', '@scope%2Ffoo']])('should get owner of package', async (pkgName) => {
+    nock('https://registry.npmjs.org').get(`/${pkgName}`).reply(404);
+    const app = await initializeServer('owner.yaml');
+    const credentials = { name: 'test', password: 'test' };
+    const response = await createUser(app, credentials.name, credentials.password);
+    expect(response.body.ok).toMatch(`user '${credentials.name}' created`);
+    await publishVersionWithToken(app, pkgName, '1.0.0', response.body.token).expect(
+      HTTP_STATUS.CREATED
+    );
+
+    // expect publish to set owner to logged in user
+    const manifest = await getPackage(app, '', decodeURIComponent(pkgName));
+    const maintainers = manifest.body.maintainers;
+    expect(maintainers).toHaveLength(1);
+    // TODO: This should eventually include the email of the user
+    expect(maintainers).toEqual([{ name: credentials.name, email: '' }]);
+  });
+
+  test.each([['foo', '@scope%2Ffoo']])('should add/remove owner to package', async (pkgName) => {
+    nock('https://registry.npmjs.org').get(`/${pkgName}`).reply(404);
+    const app = await initializeServer('owner.yaml');
+    const credentials = { name: 'test', password: 'test' };
+    const firstOwner = { name: 'test', email: '' };
+    const response = await createUser(app, credentials.name, credentials.password);
+    expect(response.body.ok).toMatch(`user '${credentials.name}' created`);
+    await publishVersionWithToken(app, pkgName, '1.0.0', response.body.token).expect(
+      HTTP_STATUS.CREATED
+    );
+
+    // publish sets owner to logged in user
+    const manifest = await getPackage(app, '', decodeURIComponent(pkgName));
+    const maintainers = manifest.body.maintainers;
+    expect(maintainers).toHaveLength(1);
+    expect(maintainers).toEqual([firstOwner]);
+
+    // add another owner
+    const secondOwner = { name: 'tester', email: 'test@verdaccio.org' };
+    const newOwners = [...maintainers, secondOwner];
+    await changeOwners(
+      app,
+      {
+        _rev: manifest.body._rev,
+        _id: manifest.body._id,
+        name: pkgName,
+        maintainers: newOwners,
+      },
+      response.body.token
+    ).expect(HTTP_STATUS.CREATED);
+
+    const manifest2 = await getPackage(app, '', decodeURIComponent(pkgName));
+    const maintainers2 = manifest2.body.maintainers;
+    expect(maintainers2).toHaveLength(2);
+    expect(maintainers2).toEqual([firstOwner, secondOwner]);
+
+    // remove original owner
+    await changeOwners(
+      app,
+      {
+        _rev: manifest2.body._rev,
+        _id: manifest2.body._id,
+        name: pkgName,
+        maintainers: [secondOwner],
+      },
+      response.body.token
+    ).expect(HTTP_STATUS.CREATED);
+
+    const manifest3 = await getPackage(app, '', decodeURIComponent(pkgName));
+    const maintainers3 = manifest3.body.maintainers;
+    expect(maintainers3).toHaveLength(1);
+    expect(maintainers3).toEqual([secondOwner]);
+  });
+
+  test.each([['foo', '@scope%2Ffoo']])('should fail if user is not logged in', async (pkgName) => {
+    nock('https://registry.npmjs.org').get(`/${pkgName}`).reply(404);
+    const app = await initializeServer('owner.yaml');
+    const credentials = { name: 'test', password: 'test' };
+    const firstOwner = { name: 'test', email: '' };
+    const response = await createUser(app, credentials.name, credentials.password);
+    expect(response.body.ok).toMatch(`user '${credentials.name}' created`);
+    await publishVersionWithToken(app, pkgName, '1.0.0', response.body.token).expect(
+      HTTP_STATUS.CREATED
+    );
+
+    // publish sets owner to logged in user
+    const manifest = await getPackage(app, '', decodeURIComponent(pkgName));
+    const maintainers = manifest.body.maintainers;
+    expect(maintainers).toHaveLength(1);
+    expect(maintainers).toEqual([firstOwner]);
+
+    // try adding another owner
+    const secondOwner = { name: 'tester', email: 'test@verdaccio.org' };
+    const newOwners = [...maintainers, secondOwner];
+    await changeOwners(
+      app,
+      {
+        _rev: manifest.body._rev,
+        _id: manifest.body._id,
+        name: pkgName,
+        maintainers: newOwners,
+      },
+      '' // no token
+    ).expect(HTTP_STATUS.UNAUTHORIZED);
+  });
+});

packages/api/test/integration/search.spec.ts

@@ -43,6 +43,12 @@ describe('search', () => {
               links: {
                 npm: '',
               },
+              maintainers: [
+                {
+                  email: '',
+                  name: 'test',
+                },
+              ],
               name: pkg,
               publisher: {},
               scope: '',
@@ -97,6 +103,12 @@ describe('search', () => {
               links: {
                 npm: '',
               },
+              maintainers: [
+                {
+                  email: '',
+                  name: 'test',
+                },
+              ],
               name: pkg,
               publisher: {},
               scope: '@scope',

packages/api/test/integration/user.spec.ts

@@ -148,6 +148,25 @@ describe('token', () => {
           .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
           .expect(HTTP_STATUS.OK);
         expect(response2.body.ok).toBe(`you are authenticated as '${credentials.name}'`);
+        expect(response2.body.name).toBe(credentials.name);
+      }
+    );
+
+    test.each([['user.yaml'], ['user.jwt.yaml']])(
+      'should return name of requested user',
+      async (conf) => {
+        const app = await initializeServer(conf);
+        const username = 'yeti';
+        const credentials = { name: 'jota', password: 'secretPass' };
+        const response = await createUser(app, credentials.name, credentials.password);
+        expect(response.body.ok).toMatch(`user '${credentials.name}' created`);
+        const response3 = await supertest(app)
+          .get(`/-/user/org.couchdb.user:${username}`)
+          .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+          .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+          .expect(HTTP_STATUS.OK);
+        expect(response3.body.ok).toBe(`you are authenticated as '${credentials.name}'`);
+        expect(response3.body.name).toBe(username);
       }
     );
 
@@ -165,5 +184,38 @@ describe('token', () => {
         .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
         .expect(HTTP_STATUS.OK);
     });
+
+    test.each([['user.yaml'], ['user.jwt.yaml']])(
+      'should return "false" if user is not logged in',
+      async (conf) => {
+        const app = await initializeServer(conf);
+        const credentials = { name: 'jota', password: '' };
+        const response = await supertest(app)
+          .get(`/-/user/org.couchdb.user:${credentials.name}`)
+          .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+          .expect(HTTP_STATUS.OK);
+        expect(response.body.ok).toBe(false);
+      }
+    );
+
+    test.each([['user.yaml'], ['user.jwt.yaml']])(
+      'should fail if URL does not match user in request body',
+      async (conf) => {
+        const app = await initializeServer(conf);
+        const credentials = { name: 'jota', password: 'secretPass' };
+        const response = await createUser(app, credentials.name, credentials.password);
+        expect(response.body.ok).toMatch(`user '${credentials.name}' created`);
+        const response2 = await supertest(app)
+          .put('/-/user/org.couchdb.user:yeti') // different user
+          .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+          .send({
+            name: credentials.name,
+            password: credentials.password,
+          })
+          .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+          .expect(HTTP_STATUS.BAD_REQUEST);
+        expect(response2.body.error).toBe(API_ERROR.USERNAME_MISMATCH);
+      }
+    );
   });
 });

packages/auth/CHANGELOG.md

@@ -1,5 +1,73 @@
 # @verdaccio/auth
 
+## 7.0.0-next-7.19
+
+### Patch Changes
+
+- Updated dependencies [c31aec8]
+  - @verdaccio/config@7.0.0-next-7.19
+  - @verdaccio/loaders@7.0.0-next-7.19
+  - verdaccio-htpasswd@12.0.0-next-7.19
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/core@7.0.0-next-7.19
+  - @verdaccio/utils@7.0.0-next-7.19
+  - @verdaccio/logger@7.0.0-next-7.19
+
+## 7.0.0-next-7.18
+
+### Patch Changes
+
+- Updated dependencies [10dd81f]
+  - @verdaccio/config@7.0.0-next-7.18
+  - @verdaccio/core@7.0.0-next-7.18
+  - @verdaccio/loaders@7.0.0-next-7.18
+  - @verdaccio/logger@7.0.0-next-7.18
+  - verdaccio-htpasswd@12.0.0-next-7.18
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/utils@7.0.0-next-7.18
+
+## 7.0.0-next-7.17
+
+### Patch Changes
+
+- Updated dependencies [6e764e3]
+  - @verdaccio/config@7.0.0-next-7.17
+  - @verdaccio/core@7.0.0-next-7.17
+  - @verdaccio/loaders@7.0.0-next-7.17
+  - @verdaccio/logger@7.0.0-next-7.17
+  - verdaccio-htpasswd@12.0.0-next-7.17
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/utils@7.0.0-next-7.17
+
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.16
+- @verdaccio/loaders@7.0.0-next-7.16
+- verdaccio-htpasswd@12.0.0-next-7.16
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/config@7.0.0-next-7.16
+- @verdaccio/utils@7.0.0-next-7.16
+- @verdaccio/signature@7.0.0-next-7.5
+
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/loaders@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - verdaccio-htpasswd@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/auth",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.19",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,21 +38,21 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/loaders": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/signature": "workspace:7.0.0-next-7.4",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.19",
+    "@verdaccio/config": "workspace:7.0.0-next-7.19",
+    "@verdaccio/loaders": "workspace:7.0.0-next-7.19",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.19",
+    "@verdaccio/signature": "workspace:7.0.0-next-7.5",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.19",
     "debug": "4.3.4",
     "lodash": "4.17.21",
-    "verdaccio-htpasswd": "workspace:12.0.0-next-7.14"
+    "verdaccio-htpasswd": "workspace:12.0.0-next-7.19"
   },
   "devDependencies": {
-    "express": "4.18.3",
+    "express": "4.19.2",
     "supertest": "6.3.4",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.19",
+    "@verdaccio/types": "workspace:12.0.0-next-7.5"
   },
   "funding": {
     "type": "opencollective",

packages/auth/src/auth.ts

@@ -13,7 +13,6 @@ import {
   pluginUtils,
   warningUtils,
 } from '@verdaccio/core';
-import '@verdaccio/core';
 import { asyncLoadPlugin } from '@verdaccio/loaders';
 import { logger } from '@verdaccio/logger';
 import {
@@ -21,6 +20,7 @@ import {
   aesEncryptDeprecated,
   parseBasicPayload,
   signPayload,
+  utils as signatureUtils,
 } from '@verdaccio/signature';
 import {
   AllowAccess,
@@ -481,14 +481,9 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     next: Function
   ): void {
     debug('handle legacy api middleware');
-    debug('api middleware secret %o', typeof secret === 'string');
+    debug('api middleware has a secret? %o', typeof secret === 'string');
     debug('api middleware authorization %o', typeof authorization === 'string');
-    const credentials: any = getMiddlewareCredentials(
-      security,
-      secret,
-      authorization,
-      this.config?.getEnhancedLegacySignature()
-    );
+    const credentials: any = getMiddlewareCredentials(security, secret, authorization);
     debug('api middleware credentials %o', credentials?.name);
     if (credentials) {
       const { user, password } = credentials;
@@ -588,13 +583,12 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
    * Encrypt a string.
    */
   public aesEncrypt(value: string): string | void {
-    // enhancedLegacySignature enables modern aes192 algorithm signature
-    if (this.config?.getEnhancedLegacySignature()) {
-      debug('signing with enhaced aes legacy');
+    if (this.secret.length === signatureUtils.TOKEN_VALID_LENGTH) {
+      debug('signing with enhanced aes legacy');
       const token = aesEncrypt(value, this.secret);
       return token;
     } else {
-      debug('signing with enhaced aes deprecated legacy');
+      debug('signing with enhanced aes deprecated legacy');
       // deprecated aes (legacy) signature, only must be used for legacy version
       const token = aesEncryptDeprecated(Buffer.from(value), this.secret).toString('base64');
       return token;

packages/auth/src/signature.ts

@@ -1,66 +0,0 @@
-import buildDebug from 'debug';
-import _ from 'lodash';
-
-import { TOKEN_BASIC, TOKEN_BEARER } from '@verdaccio/core';
-import { aesDecrypt, parseBasicPayload } from '@verdaccio/signature';
-import { Security } from '@verdaccio/types';
-
-import { AuthMiddlewarePayload } from './types';
-import {
-  convertPayloadToBase64,
-  isAESLegacy,
-  parseAuthTokenHeader,
-  verifyJWTPayload,
-} from './utils';
-
-const debug = buildDebug('verdaccio:auth:utils');
-
-export function parseAESCredentials(authorizationHeader: string, secret: string) {
-  debug('parseAESCredentials');
-  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
-
-  // basic is deprecated and should not be enforced
-  // basic is currently being used for functional test
-  if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
-    debug('legacy header basic');
-    const credentials = convertPayloadToBase64(token).toString();
-
-    return credentials;
-  } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
-    debug('legacy header bearer');
-    const credentials = aesDecrypt(token, secret);
-
-    return credentials;
-  }
-}
-
-export function getMiddlewareCredentials(
-  security: Security,
-  secretKey: string,
-  authorizationHeader: string
-): AuthMiddlewarePayload {
-  debug('getMiddlewareCredentials');
-  // comment out for debugging purposes
-  if (isAESLegacy(security)) {
-    debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey);
-    if (!credentials) {
-      debug('parse legacy credentials failed');
-      return;
-    }
-
-    const parsedCredentials = parseBasicPayload(credentials);
-    if (!parsedCredentials) {
-      debug('parse legacy basic payload credentials failed');
-      return;
-    }
-
-    return parsedCredentials;
-  }
-  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
-
-  debug('is jwt');
-  if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
-    return verifyJWTPayload(token, secretKey);
-  }
-}

packages/auth/src/utils.ts

@@ -40,12 +40,8 @@ export function parseAuthTokenHeader(authorizationHeader: string): AuthTokenHead
   return { scheme, token };
 }
 
-export function parseAESCredentials(
-  authorizationHeader: string,
-  secret: string,
-  enhanced: boolean
-) {
-  debug('parseAESCredentials');
+export function parseAESCredentials(authorizationHeader: string, secret: string) {
+  debug('parseAESCredentials init');
   const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
 
   // basic is deprecated and should not be enforced
@@ -57,27 +53,29 @@ export function parseAESCredentials(
     return credentials;
   } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
     debug('legacy header bearer');
-    debug('legacy header enhanced?', enhanced);
-    const credentials = enhanced
-      ? aesDecrypt(token.toString(), secret)
-      : // FUTURE: once deprecated legacy is removed this logic won't be longer need it
-        aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
-
-    return credentials;
+    debug('secret length %o', secret.length);
+    const isLegacyUnsecure = secret.length > 32;
+    debug('is legacy unsecure %o', isLegacyUnsecure);
+    if (isLegacyUnsecure) {
+      debug('legacy unsecure enabled');
+      return aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
+    } else {
+      debug('legacy secure enabled');
+      return aesDecrypt(token.toString(), secret);
+    }
   }
 }
 
 export function getMiddlewareCredentials(
   security: Security,
   secretKey: string,
-  authorizationHeader: string,
-  enhanced: boolean = true
+  authorizationHeader: string
 ): AuthMiddlewarePayload {
-  debug('getMiddlewareCredentials');
+  debug('getMiddlewareCredentials init');
   // comment out for debugging purposes
   if (isAESLegacy(security)) {
     debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey, enhanced);
+    const credentials = parseAESCredentials(authorizationHeader, secretKey);
     if (!credentials) {
       debug('parse legacy credentials failed');
       return;

packages/auth/test/auth.spec.ts

@@ -601,16 +601,14 @@ describe('AuthTest', () => {
           });
         });
 
-        describe('deprecated legacy handling forceEnhancedLegacySignature=false', () => {
+        describe('deprecated legacy handling', () => {
           test('should handle valid auth token', async () => {
             const payload = 'juan:password';
             // const token = await signPayload(remoteUser, '12345');
-            const config: Config = new AppConfig(
-              { ...authProfileConf },
-              { forceEnhancedLegacySignature: false }
-            );
+            const config: Config = new AppConfig({ ...authProfileConf });
             // intended to force key generator (associated with mocks above)
-            config.checkSecretKey(undefined);
+            // 64 characters secret long
+            config.checkSecretKey('35fabdd29b820d39125e76e6d85cc294');
             const auth = new Auth(config);
             await auth.init();
             const token = auth.aesEncrypt(payload) as string;
@@ -624,10 +622,7 @@ describe('AuthTest', () => {
 
           test('should handle invalid auth token', async () => {
             const payload = 'juan:password';
-            const config: Config = new AppConfig(
-              { ...authPluginFailureConf },
-              { forceEnhancedLegacySignature: false }
-            );
+            const config: Config = new AppConfig({ ...authPluginFailureConf });
             // intended to force key generator (associated with mocks above)
             config.checkSecretKey(undefined);
             const auth = new Auth(config);
@@ -691,8 +686,7 @@ describe('AuthTest', () => {
               {
                 ...authProfileConf,
                 ...{ security: { api: { jwt: { sign: { expiresIn: '29d' } } } } },
-              },
-              { forceEnhancedLegacySignature: false }
+              }
             );
             // intended to force key generator (associated with mocks above)
             config.checkSecretKey(undefined);
@@ -700,7 +694,6 @@ describe('AuthTest', () => {
             await auth.init();
             const token = (await auth.jwtEncrypt(
               createRemoteUser('jwt_user', [ROLES.ALL]),
-              // @ts-expect-error
               config.security.api.jwt.sign
             )) as string;
             const app = await getServer(auth);

packages/cli/CHANGELOG.md

@@ -1,5 +1,56 @@
 # @verdaccio/cli
 
+## 7.0.0-next-7.19
+
+### Patch Changes
+
+- Updated dependencies [c31aec8]
+  - @verdaccio/config@7.0.0-next-7.19
+  - @verdaccio/node-api@7.0.0-next-7.19
+  - @verdaccio/core@7.0.0-next-7.19
+  - @verdaccio/logger@7.0.0-next-7.19
+
+## 7.0.0-next-7.18
+
+### Patch Changes
+
+- 10dd81f: feat: complete overhaul of web user interface
+- Updated dependencies [10dd81f]
+  - @verdaccio/config@7.0.0-next-7.18
+  - @verdaccio/core@7.0.0-next-7.18
+  - @verdaccio/logger@7.0.0-next-7.18
+  - @verdaccio/node-api@7.0.0-next-7.18
+
+## 7.0.0-next-7.17
+
+### Patch Changes
+
+- 199aea3: chore: add config location and loglevel to startup log
+- Updated dependencies [6e764e3]
+  - @verdaccio/config@7.0.0-next-7.17
+  - @verdaccio/core@7.0.0-next-7.17
+  - @verdaccio/logger@7.0.0-next-7.17
+  - @verdaccio/node-api@7.0.0-next-7.17
+
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.16
+- @verdaccio/node-api@7.0.0-next-7.16
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/config@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/node-api@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/cli",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.19",
   "author": {
     "name": "Juan Picado",
     "email": "juanpicado19@gmail.com"
@@ -43,14 +43,14 @@
     "start": "ts-node src/index.ts"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/node-api": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.19",
+    "@verdaccio/config": "workspace:7.0.0-next-7.19",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.19",
+    "@verdaccio/node-api": "workspace:7.0.0-next-7.19",
     "clipanion": "3.2.1",
     "envinfo": "7.11.0",
     "kleur": "4.1.5",
-    "semver": "7.6.0"
+    "semver": "7.6.2"
   },
   "devDependencies": {
     "ts-node": "10.9.2"

packages/cli/src/commands/init.ts

@@ -58,6 +58,8 @@ export class InitCommand extends Command {
       const configPathLocation = findConfigFile(this.config as string);
       const configParsed = parseConfigFile(configPathLocation);
       this.initLogger(configParsed);
+      logger.info({ file: configPathLocation }, 'using config file: @{file}');
+      logger.info('log level: %s', configParsed.log?.level || 'default');
       const { web } = configParsed;
 
       process.title = web?.title || DEFAULT_PROCESS_NAME;

packages/config/CHANGELOG.md

@@ -1,5 +1,49 @@
 # @verdaccio/config
 
+## 7.0.0-next-7.19
+
+### Patch Changes
+
+- c31aec8: fix: typo in config docs regarding check_owners
+  - @verdaccio/core@7.0.0-next-7.19
+  - @verdaccio/utils@7.0.0-next-7.19
+
+## 7.0.0-next-7.18
+
+### Patch Changes
+
+- 10dd81f: feat: complete overhaul of web user interface
+  - @verdaccio/core@7.0.0-next-7.18
+  - @verdaccio/utils@7.0.0-next-7.18
+
+## 7.0.0-next-7.17
+
+### Patch Changes
+
+- 6e764e3: feat: add support for npm owner
+- Updated dependencies [6e764e3]
+  - @verdaccio/core@7.0.0-next-7.17
+  - @verdaccio/utils@7.0.0-next-7.17
+
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/utils@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/config",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.19",
   "description": "logger",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,8 +38,8 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.19",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.19",
     "debug": "4.3.4",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",

packages/config/src/conf/default.yaml

@@ -18,6 +18,12 @@ storage: ./storage
 # https://verdaccio.org/docs/webui
 web:
   title: Verdaccio
+  # custom colors for header background and font
+  # primaryColor: "#4b5e40"
+  # custom logos and favicon
+  # logo: ./path/to/logo.png
+  # logoDark: ./path/to/logoDark.png
+  # favicon: ./path/to/favicon.ico
   # comment out to disable gravatar support
   # gravatar: false
   # by default packages are ordercer ascendant (asc|desc)
@@ -35,6 +41,7 @@ web:
   # showSearch: true
   # showRaw: true
   # showDownloadTarball: true
+  # showUplinks: true
   #  HTML tags injected after manifest <scripts/>
   # scriptsBodyAfter:
   #    - '<script type="text/javascript" src="https://my.company.com/customJS.min.js"></script>'
@@ -113,6 +120,7 @@ server:
 # https://verdaccio.org/docs/configuration#offline-publish
 # publish:
 #   allow_offline: false
+#   check_owners: false
 
 # https://verdaccio.org/docs/configuration#url-prefix
 # url_prefix: /verdaccio/
@@ -179,6 +187,7 @@ server:
 middlewares:
   audit:
     enabled: true
+    # timeout: 10000
 
 # https://verdaccio.org/docs/logger
 # log settings

packages/config/src/conf/docker.yaml

@@ -21,6 +21,12 @@ plugins: /verdaccio/plugins
 # https://verdaccio.org/docs/webui
 web:
   title: Verdaccio
+  # custom colors for header background and font
+  # primaryColor: "#4b5e40"
+  # custom logos and favicon
+  # logo: ./path/to/logo.png
+  # logoDark: ./path/to/logoDark.png
+  # favicon: ./path/to/favicon.ico
   # Comment out to disable gravatar support
   # gravatar: false
   # By default packages are ordered ascendant (asc|desc)
@@ -38,6 +44,7 @@ web:
   # showSearch: true
   # showRaw: true
   # showDownloadTarball: true
+  # showUplinks: true
   #  HTML tags injected after manifest <scripts/>
   # scriptsBodyAfter:
   #    - '<script type="text/javascript" src="https://my.company.com/customJS.min.js"></script>'
@@ -119,6 +126,7 @@ server:
 # https://verdaccio.org/docs/configuration#offline-publish
 # publish:
 #   allow_offline: false
+#   check_owners: false
 
 # https://verdaccio.org/docs/configuration#url-prefix
 # url_prefix: /verdaccio/
@@ -185,6 +193,7 @@ server:
 middlewares:
   audit:
     enabled: true
+    # timeout: 10000
 
 # https://verdaccio.org/docs/logger
 # log settings

packages/config/src/config.ts

@@ -36,6 +36,13 @@ export const defaultUserRateLimiting = {
   max: 1000,
 };
 
+export function isNodeVersionGreaterThan21() {
+  const [major, minor] = process.versions.node.split('.').map(Number);
+  return major > 21 || (major === 21 && minor >= 0);
+}
+
+const TOKEN_VALID_LENGTH = 32;
+
 /**
  * Coordinates the application configuration
  */
@@ -56,21 +63,20 @@ class Config implements AppConfig {
   public plugins: string | void | null;
   public security: Security;
   public serverSettings: ServerSettingsConf;
+  private configOverrideOptions: { forceMigrateToSecureLegacySignature: boolean };
   // @ts-ignore
   public secret: string;
   public flags: FlagsConfig;
   public userRateLimit: RateLimit;
-  private configOptions: { forceEnhancedLegacySignature: boolean };
   public constructor(
     config: ConfigYaml & { config_path: string },
     // forceEnhancedLegacySignature is a property that
     // allows switch a new legacy aes signature token signature
     // for older versions do not want to have this new signature model
     // this property must be false
-    configOptions = { forceEnhancedLegacySignature: true }
+    configOverrideOptions = { forceMigrateToSecureLegacySignature: true }
   ) {
     const self = this;
-    this.configOptions = configOptions;
     this.storage = process.env.VERDACCIO_STORAGE_PATH || config.storage;
     if (!config.configPath) {
       // backport self_path for previous to version 6
@@ -80,11 +86,21 @@ class Config implements AppConfig {
         throw new Error('configPath property is required');
       }
     }
+    this.configOverrideOptions = configOverrideOptions;
     this.configPath = config.configPath;
     this.self_path = this.configPath;
     debug('config path: %s', this.configPath);
     this.plugins = config.plugins;
-    this.security = _.merge(defaultSecurity, config.security);
+    this.security = _.merge(
+      // override the default security configuration via constructor
+      _.merge(defaultSecurity, {
+        api: {
+          migrateToSecureLegacySignature:
+            this.configOverrideOptions.forceMigrateToSecureLegacySignature,
+        },
+      }),
+      config.security
+    );
     this.serverSettings = serverSettings;
     this.flags = {
       searchRemote: config.flags?.searchRemote ?? true,
@@ -135,14 +151,8 @@ class Config implements AppConfig {
     }
   }
 
-  public getEnhancedLegacySignature() {
-    if (typeof this?.security.enhancedLegacySignature !== 'undefined') {
-      if (this.security.enhancedLegacySignature === true) {
-        return true;
-      }
-      return false;
-    }
-    return this.configOptions.forceEnhancedLegacySignature;
+  public getMigrateToSecureLegacySignature() {
+    return this.security.api.migrateToSecureLegacySignature;
   }
 
   public getConfigPath() {
@@ -158,36 +168,70 @@ class Config implements AppConfig {
   }
 
   /**
-   * Store or create whether receive a secret key
+   * Verify if the secret complies with the required structure
+   *  - If the secret is not provided, it will generate a new one
+   *    - For any Node.js version the new secret will be 32 characters long (to allow compatibility with modern Node.js versions)
+   *  - If the secret is provided:
+   *    - If Node.js 22 or higher, the secret must be 32 characters long thus the application will fail on startup
+   *    - If Node.js 21 or lower, the secret will be used as is but will display a deprecation warning
+   *    - If the property `security.api.migrateToSecureLegacySignature` is provided and set to true, the secret will be
+   *      generated with the new signature model
    * @secret external secret key
    */
   public checkSecretKey(secret?: string): string {
-    debug('check secret key');
+    debug('checking secret key init');
     if (typeof secret === 'string' && _.isEmpty(secret) === false) {
+      debug('checking secret key length %s', secret.length);
+      if (secret.length > TOKEN_VALID_LENGTH) {
+        if (isNodeVersionGreaterThan21()) {
+          debug('is node version greater than 21');
+          if (this.getMigrateToSecureLegacySignature() === true) {
+            this.secret = generateRandomSecretKey();
+            debug('rewriting secret key with length %s', this.secret.length);
+            return this.secret;
+          }
+          // oops, user needs to generate a new secret key
+          debug(
+            'secret does not comply with the required length, current length  %d, application will fail on startup',
+            secret.length
+          );
+          throw new Error(
+            `Invalid storage secret key length, must be 32 characters long but is ${secret.length}. 
+            The secret length in Node.js 22 or higher must be 32 characters long. Please consider generate a new one. 
+            Learn more at https://verdaccio.org/docs/configuration/#.verdaccio-db`
+          );
+        } else {
+          debug('is node version lower than 22');
+          if (this.getMigrateToSecureLegacySignature() === true) {
+            this.secret = generateRandomSecretKey();
+            debug('rewriting secret key with length %s', this.secret.length);
+            return this.secret;
+          }
+          debug('triggering deprecation warning for secret key length %s', secret.length);
+          // still using Node.js versions previous to 22, but we need to emit a deprecation warning
+          // deprecation warning, secret key is too long and must be 32
+          // this will be removed in the next major release and will produce an error
+          warningUtils.emit(Codes.VERWAR007);
+          this.secret = secret;
+          return this.secret;
+        }
+      } else if (secret.length === TOKEN_VALID_LENGTH) {
+        debug('detected valid secret key length %s', secret.length);
+        this.secret = secret;
+        return this.secret;
+      }
+      debug('reusing previous key with length %s', secret.length);
       this.secret = secret;
-      debug('reusing previous key');
-      return secret;
-    }
-    // generate a new a secret key
-    // FUTURE: this might be an external secret key, perhaps within config file?
-    debug('generating a new secret key');
-
-    if (this.getEnhancedLegacySignature()) {
-      debug('key generated with "enhanced" legacy signature user config');
-      this.secret = generateRandomSecretKey();
+      return this.secret;
     } else {
-      debug('key generated with legacy signature user config');
-      this.secret = generateRandomHexString(32);
-    }
-    // set this to false allow use old token signature and is not recommended
-    // only use for migration reasons, major release will remove this property and
-    // set it by default
-    if (this.security?.enhancedLegacySignature === false) {
-      warningUtils.emit(Codes.VERWAR005);
-    }
+      // generate a new a secret key
+      // FUTURE: this might be an external secret key, perhaps within config file?
+      debug('generating a new secret key');
+      this.secret = generateRandomSecretKey();
+      debug('generated a new secret key length %s', this.secret?.length);
 
-    debug('generated a new secret key length %s', this.secret?.length);
-    return this.secret;
+      return this.secret;
+    }
   }
 }
 

packages/config/src/security.ts

@@ -13,6 +13,7 @@ const defaultWebTokenOptions: JWTOptions = {
 
 const defaultApiTokenConf: APITokenOptions = {
   legacy: true,
+  migrateToSecureLegacySignature: true,
 };
 
 export const defaultSecurity: Security = {

packages/config/src/token.ts

@@ -1,9 +1,11 @@
 import { randomBytes } from 'crypto';
 
+// TODO: code duplicated at @verdaccio/signature
 export const TOKEN_VALID_LENGTH = 32;
 
 /**
  * Secret key must have 32 characters.
+ * // TODO: code duplicated at @verdaccio/signature
  */
 export function generateRandomSecretKey(): string {
   return randomBytes(TOKEN_VALID_LENGTH).toString('base64').substring(0, TOKEN_VALID_LENGTH);

packages/config/test/config.spec.ts

@@ -6,9 +6,12 @@ import {
   DEFAULT_REGISTRY,
   DEFAULT_UPLINK,
   ROLES,
+  TOKEN_VALID_LENGTH,
   WEB_TITLE,
   defaultSecurity,
+  generateRandomSecretKey,
   getDefaultConfig,
+  isNodeVersionGreaterThan21,
   parseConfigFile,
 } from '../src';
 import { parseConfigurationFile } from './utils';
@@ -19,6 +22,8 @@ const resolveConf = (conf) => {
   return path.join(__dirname, `../src/conf/${name}${ext.startsWith('.') ? ext : '.yaml'}`);
 };
 
+const itif = (condition) => (condition ? it : it.skip);
+
 const checkDefaultUplink = (config) => {
   expect(_.isObject(config.uplinks[DEFAULT_UPLINK])).toBeTruthy();
   expect(config.uplinks[DEFAULT_UPLINK].url).toMatch(DEFAULT_REGISTRY);
@@ -94,32 +99,85 @@ describe('check basic content parsed file', () => {
 describe('checkSecretKey', () => {
   test('with default.yaml and pre selected secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(config.checkSecretKey('12345')).toEqual('12345');
+    expect(config.checkSecretKey(generateRandomSecretKey())).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
   test('with default.yaml and void secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
+    const secret = config.checkSecretKey();
+    expect(typeof secret === 'string').toBeTruthy();
+    expect(secret).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
-  test('with default.yaml and emtpy string secret', () => {
+  test('with default.yaml and empty string secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(typeof config.checkSecretKey('') === 'string').toBeTruthy();
+    const secret = config.checkSecretKey('');
+    expect(typeof secret === 'string').toBeTruthy();
+    expect(secret).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
-  test('with enhanced legacy signature', () => {
+  test('with default.yaml and valid string secret length', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    config.security.enhancedLegacySignature = true;
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
-    expect(config.secret.length).toBe(32);
+    expect(typeof config.checkSecretKey(generateRandomSecretKey()) === 'string').toBeTruthy();
   });
 
-  test('without enhanced legacy signature', () => {
-    const config = new Config(parseConfigFile(resolveConf('default')));
-    config.security.enhancedLegacySignature = false;
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
-    expect(config.secret.length).toBe(64);
+  test('with default.yaml migrate a valid string secret length', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: true,
+    });
+    expect(
+      // 64 characters secret long
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
   });
+
+  // only runs on Node.js 22 or higher
+  itif(isNodeVersionGreaterThan21())('with enhanced legacy signature Node 22 or higher', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: false,
+    });
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(() =>
+      // 64 characters secret long
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toThrow();
+  });
+
+  itif(isNodeVersionGreaterThan21())('with enhanced legacy signature Node 22 or higher', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: false,
+    });
+    config.security.api.migrateToSecureLegacySignature = true;
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
+  });
+
+  itif(isNodeVersionGreaterThan21() === false)(
+    'with old unsecure legacy signature Node 21 or lower',
+    () => {
+      const config = new Config(parseConfigFile(resolveConf('default')));
+      config.security.api.migrateToSecureLegacySignature = false;
+      // 64 characters secret long
+      // eslint-disable-next-line jest/no-standalone-expect
+      expect(
+        config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+      ).toHaveLength(64);
+    }
+  );
+
+  test('with migration to new legacy signature Node 21 or lower', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')));
+    config.security.api.migrateToSecureLegacySignature = true;
+    // 64 characters secret long
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
+  });
+
+  test.todo('test emit warning with secret key');
 });
 
 describe('getMatchedPackagesSpec', () => {

packages/core/core/CHANGELOG.md

@@ -1,5 +1,23 @@
 # @verdaccio/core
 
+## 7.0.0-next-7.19
+
+## 7.0.0-next-7.18
+
+## 7.0.0-next-7.17
+
+### Patch Changes
+
+- 6e764e3: feat: add support for npm owner
+
+## 7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
 ## 7.0.0-next-7.14
 
 ## 7.0.0-next-7.13

packages/core/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/core",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.19",
   "description": "core utilities",
   "keywords": [
     "private",
@@ -35,7 +35,7 @@
   "dependencies": {
     "http-errors": "2.0.0",
     "http-status-codes": "2.3.0",
-    "semver": "7.6.0",
+    "semver": "7.6.2",
     "ajv": "8.12.0",
     "process-warning": "1.0.0",
     "core-js": "3.35.0"
@@ -44,7 +44,7 @@
     "lodash": "4.17.21",
     "typedoc": "0.23.25",
     "typedoc-plugin-missing-exports": "latest",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.5"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/core/src/constants.ts

@@ -6,6 +6,7 @@ export const TIME_EXPIRATION_1H = '1h';
 export const DIST_TAGS = 'dist-tags';
 export const LATEST = 'latest';
 export const USERS = 'users';
+export const MAINTAINERS = 'maintainers';
 export const DEFAULT_USER = 'Anonymous';
 
 export const HEADER_TYPE = {

packages/core/core/src/error-utils.ts

@@ -39,6 +39,7 @@ export const API_ERROR = {
   BAD_PACKAGE_DATA: 'bad incoming package data',
   USERNAME_PASSWORD_REQUIRED: 'username and password is required',
   USERNAME_ALREADY_REGISTERED: 'username is already registered',
+  USERNAME_MISMATCH: 'username does not match logged in user',
 };
 
 export const SUPPORT_ERRORS = {

packages/core/core/src/index.ts

@@ -23,6 +23,7 @@ export {
   DEFAULT_PASSWORD_VALIDATION,
   DEFAULT_USER,
   USERS,
+  MAINTAINERS,
   HtpasswdHashAlgorithm,
 } from './constants';
 const validationUtils = validatioUtils;

packages/core/core/src/validation-utils.ts

@@ -2,7 +2,7 @@ import assert from 'assert';
 
 import { Manifest } from '@verdaccio/types';
 
-import { DEFAULT_PASSWORD_VALIDATION, DIST_TAGS } from './constants';
+import { DEFAULT_PASSWORD_VALIDATION, DIST_TAGS, MAINTAINERS } from './constants';
 
 export { validatePublishSingleVersion } from './schemes/publish-manifest';
 
@@ -67,7 +67,6 @@ export function validatePackage(name: string): boolean {
  * @param {*} manifest
  * @param {*} name
  * @return {Object} the object with additional properties as dist-tags ad versions
- * FUTURE: rename to normalizeMetadata
  */
 export function normalizeMetadata(manifest: Manifest, name: string): Manifest {
   assert.strictEqual(manifest.name, name);
@@ -77,7 +76,11 @@ export function normalizeMetadata(manifest: Manifest, name: string): Manifest {
     _manifest[DIST_TAGS] = {};
   }
 
-  // This may not be nee dit
+  if (!Array.isArray(manifest[MAINTAINERS])) {
+    _manifest[MAINTAINERS] = [];
+  }
+
+  // This may not be needed
   if (!isObject(manifest['versions'])) {
     _manifest['versions'] = {};
   }
@@ -114,3 +117,11 @@ export function validatePassword(
     ? password.match(validation) !== null
     : false;
 }
+
+export function validateUserName(userName: any, expectedName: string): boolean {
+  return (
+    typeof userName === 'string' &&
+    userName.split(':')[0] === 'org.couchdb.user' &&
+    userName.split(':')[1] === expectedName
+  );
+}

packages/core/core/src/warning-utils.ts

@@ -9,17 +9,13 @@ export enum Codes {
   VERWAR002 = 'VERWAR002',
   VERWAR003 = 'VERWAR003',
   VERWAR004 = 'VERWAR004',
-  VERWAR005 = 'VERWAR005',
   // deprecation warnings
   VERDEP003 = 'VERDEP003',
   VERWAR006 = 'VERWAR006',
+  VERWAR007 = 'VERWAR007',
 }
 
-warningInstance.create(
-  verdaccioWarning,
-  Codes.VERWAR002,
-  `The configuration property "logs" has been deprecated, please rename to "log" for future compatibility`
-);
+/* general warnings */
 
 warningInstance.create(
   verdaccioWarning,
@@ -27,6 +23,12 @@ warningInstance.create(
   `Verdaccio doesn't need superuser privileges. don't run it under root`
 );
 
+warningInstance.create(
+  verdaccioWarning,
+  Codes.VERWAR002,
+  `The configuration property "logs" has been deprecated, please rename to "log" for future compatibility`
+);
+
 warningInstance.create(
   verdaccioWarning,
   Codes.VERWAR003,
@@ -42,23 +44,26 @@ https://verdaccio.org/docs/en/configuration#listen-port`
 );
 
 warningInstance.create(
-  verdaccioWarning,
-  Codes.VERWAR005,
-  'disable enhanced legacy signature is considered a security risk, please reconsider enable it'
+  verdaccioDeprecation,
+  Codes.VERWAR006,
+  'the auth plugin method "add_user" in the auth plugin is deprecated and will be removed in next major release, rename to "adduser"'
 );
 
+warningInstance.create(
+  verdaccioDeprecation,
+  Codes.VERWAR007,
+  `the secret length is too long, it must be 32 characters long, please consider generate a new one 
+  Learn more at https://verdaccio.org/docs/configuration/#.verdaccio-db`
+);
+
+/* deprecation warnings */
+
 warningInstance.create(
   verdaccioDeprecation,
   Codes.VERDEP003,
   'multiple addresses will be deprecated in the next major, only use one'
 );
 
-warningInstance.create(
-  verdaccioDeprecation,
-  Codes.VERWAR006,
-  'the auth plugin method "add_user" in the auth plugin is deprecated and will be removed in next major release, rename to "adduser"'
-);
-
 export function emit(code: string, a?: string, b?: string, c?: string) {
   warningInstance.emit(code, a, b, c);
 }

packages/core/core/test/validation-utilts.spec.ts

@@ -6,6 +6,7 @@ import {
   validateName,
   validatePackage,
   validatePassword,
+  validateUserName,
 } from '../src/validation-utils';
 
 describe('validatePackage', () => {
@@ -224,3 +225,17 @@ describe('validatePassword', () => {
     expect(validatePassword('1235678910')).toBeTruthy();
   });
 });
+
+describe('validateUserName', () => {
+  test('should validate username according to expected name', () => {
+    expect(validateUserName('org.couchdb.user:test', 'test')).toBeTruthy();
+  });
+
+  test('should fail to validate username if different from expected name', () => {
+    expect(validateUserName('org.couchdb.user:foouser', 'test')).toBeFalsy();
+  });
+
+  test('should fail to validate username if not given', () => {
+    expect(validateUserName(undefined, 'test')).toBeFalsy();
+  });
+});

packages/core/file-locking/package.json

@@ -39,7 +39,7 @@
     "lockfile": "1.0.4"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.5"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/tarball/CHANGELOG.md

@@ -1,5 +1,50 @@
 # Change Log
 
+## 12.0.0-next-7.19
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.19
+- @verdaccio/url@12.0.0-next-7.19
+- @verdaccio/utils@7.0.0-next-7.19
+
+## 12.0.0-next-7.18
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.18
+- @verdaccio/url@12.0.0-next-7.18
+- @verdaccio/utils@7.0.0-next-7.18
+
+## 12.0.0-next-7.17
+
+### Patch Changes
+
+- Updated dependencies [6e764e3]
+  - @verdaccio/core@7.0.0-next-7.17
+  - @verdaccio/url@12.0.0-next-7.17
+  - @verdaccio/utils@7.0.0-next-7.17
+
+## 12.0.0-next-7.16
+
+### Patch Changes
+
+- 5bfab62: feat: add tarball details for published packages
+- Updated dependencies [38b1e82]
+  - @verdaccio/url@12.0.0-next-7.16
+  - @verdaccio/core@7.0.0-next-7.16
+  - @verdaccio/utils@7.0.0-next-7.16
+
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- 7400830: revert #4600
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/url@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/core/tarball/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/tarball",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.19",
   "description": "tarball utilities resolver",
   "keywords": [
     "private",
@@ -33,16 +33,16 @@
     "access": "public"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/url": "workspace:12.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.19",
+    "@verdaccio/url": "workspace:12.0.0-next-7.19",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.19",
     "debug": "4.3.4",
     "gunzip-maybe": "^1.4.2",
     "lodash": "4.17.21",
     "tar-stream": "^3.1.7"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.5",
     "node-mocks-http": "1.14.1"
   },
   "scripts": {

packages/core/tarball/src/getTarballDetails.ts

@@ -7,10 +7,10 @@ export type TarballDetails = {
   unpackedSize: number; // in bytes
 };
 
-export async function getTarballDetails(readable: Readable): Promise<TarballDetails> {
+export async function getTarballDetails(buffer: Buffer): Promise<TarballDetails> {
   let fileCount = 0;
   let unpackedSize = 0;
-
+  const readable = Readable.from(buffer);
   const unpack = tarStream.extract();
 
   return new Promise((resolve, reject) => {

packages/core/tarball/src/index.ts

@@ -5,6 +5,6 @@ export {
   convertDistVersionToLocalTarballsUrl,
 } from './convertDistRemoteToLocalTarballUrls';
 export { extractTarballFromUrl, getLocalRegistryTarballUri } from './getLocalRegistryTarballUri';
-export { TarballDetails, getTarballDetails } from './getTarballDetails';
+export { getTarballDetails, TarballDetails } from './getTarballDetails';
 
 export { RequestOptions };

packages/core/tarball/tests/getTarballDetails.spec.ts

@@ -1,6 +1,5 @@
 import fs from 'fs';
 import path from 'path';
-import { Readable } from 'stream';
 
 import { getTarballDetails } from '../src/getTarballDetails.ts';
 
@@ -15,23 +14,20 @@ const getFileBuffer = async (filename: string): Promise<Buffer> => {
 describe('getTarballDetails', () => {
   test('should return stats of tarball (gzipped)', async () => {
     const buffer = await getFileBuffer('tarball.tgz');
-    const readable = Readable.from(buffer);
-    const details = await getTarballDetails(readable);
+    const details = await getTarballDetails(buffer);
     expect(details.fileCount).toBe(2);
     expect(details.unpackedSize).toBe(1280);
   });
 
   test('should return stats of tarball (uncompressed)', async () => {
     const buffer = await getFileBuffer('tarball.tar');
-    const readable = Readable.from(buffer);
-    const details = await getTarballDetails(readable);
+    const details = await getTarballDetails(buffer);
     expect(details.fileCount).toBe(2);
     expect(details.unpackedSize).toBe(1280);
   });
 
   test('should throw an error if the buffer is corrupt', async () => {
     const corruptBuffer = Buffer.from('this is not a tarball');
-    const readable = Readable.from(corruptBuffer);
-    await expect(getTarballDetails(readable)).rejects.toThrow();
+    await expect(getTarballDetails(corruptBuffer)).rejects.toThrow();
   });
 });

packages/core/types/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Change Log
 
+## 12.0.0-next-7.5
+
+### Patch Changes
+
+- 10dd81f: feat: complete overhaul of web user interface
+
+## 12.0.0-next-7.4
+
+### Patch Changes
+
+- 6e764e3: feat: add support for npm owner
+- de6ff5c: fix: update fields for abbreviated manifest
+- 117eb1c: fix: change bundleDependencies to array
+
+## 12.0.0-next-7.3
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
 ## 12.0.0-next.2
 
 ### Minor Changes

packages/core/types/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/types",
-  "version": "12.0.0-next.2",
+  "version": "12.0.0-next-7.5",
   "description": "verdaccio types definitions",
   "keywords": [
     "private",

packages/core/types/src/configuration.ts

@@ -83,6 +83,7 @@ export type PackageManagers = 'pnpm' | 'yarn' | 'npm';
 export type CommonWebConf = {
   title?: string;
   logo?: string;
+  logoDark?: string;
   favicon?: string;
   gravatar?: boolean;
   sort_packages?: string;
@@ -98,6 +99,7 @@ export type CommonWebConf = {
   showFooter?: boolean;
   showThemeSwitch?: boolean;
   showDownloadTarball?: boolean;
+  showUplinks?: boolean;
   hideDeprecatedVersions?: boolean;
   primaryColor: string;
   showRaw?: boolean;
@@ -182,17 +184,21 @@ export interface JWTVerifyOptions {
 
 export interface APITokenOptions {
   legacy: boolean;
+  /**
+   * Temporary flag to allow migration to the new legacy signature
+   */
+  migrateToSecureLegacySignature: boolean;
   jwt?: JWTOptions;
 }
 
 export interface Security {
-  enhancedLegacySignature?: boolean;
   web: JWTOptions;
   api: APITokenOptions;
 }
 
 export interface PublishOptions {
   allow_offline: boolean;
+  check_owners: boolean;
 }
 
 export interface ListenAddress {

packages/core/types/src/manifest.ts

@@ -123,7 +123,8 @@ export interface Version {
   devDependencies?: Dependencies;
   optionalDependencies?: Dependencies;
   peerDependenciesMeta?: PeerDependenciesMeta;
-  bundleDependencies?: Dependencies;
+  bundleDependencies?: string[];
+  acceptDependencies?: Dependencies;
   keywords?: string | string[];
   nodeVersion?: string;
   _id: string;
@@ -178,7 +179,9 @@ export interface FullRemoteManifest {
   'dist-tags': GenericBody;
   time: GenericBody;
   versions: Versions;
+  /** store owners of this package */
   maintainers?: Author[];
+  contributors?: Author[];
   /** store the latest readme **/
   readme?: string;
   /** store star assigned to this packages by users */
@@ -223,7 +226,6 @@ export type AbbreviatedVersion = Pick<
   Version,
   | 'name'
   | 'version'
-  | 'description'
   | 'dependencies'
   | 'devDependencies'
   | 'bin'
@@ -231,6 +233,15 @@ export type AbbreviatedVersion = Pick<
   | 'engines'
   | 'funding'
   | 'peerDependencies'
+  | 'cpu'
+  | 'deprecated'
+  | 'directories'
+  | 'hasInstallScript'
+  | 'optionalDependencies'
+  | 'os'
+  | 'peerDependenciesMeta'
+  | 'acceptDependencies'
+  | '_hasShrinkwrap'
 >;
 
 export interface AbbreviatedVersions {

packages/core/url/CHANGELOG.md

@@ -1,5 +1,38 @@
 # Change Log
 
+## 12.0.0-next-7.19
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.19
+
+## 12.0.0-next-7.18
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.18
+
+## 12.0.0-next-7.17
+
+### Patch Changes
+
+- Updated dependencies [6e764e3]
+  - @verdaccio/core@7.0.0-next-7.17
+
+## 12.0.0-next-7.16
+
+### Patch Changes
+
+- 38b1e82: patch(core/url): Throw if VERDACCIO_FORWARDED_PROTO resolves to an array (#4613 by @Tobbe)
+  - @verdaccio/core@7.0.0-next-7.16
+
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/core/url/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/url",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.19",
   "description": "url utilities resolver",
   "keywords": [
     "private",
@@ -33,13 +33,13 @@
     "access": "public"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.19",
     "debug": "4.3.4",
     "lodash": "4.17.21",
     "validator": "13.11.0"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.5",
     "node-mocks-http": "1.14.1"
   },
   "scripts": {

packages/core/url/src/index.ts

@@ -121,10 +121,17 @@ export function getPublicUrl(url_prefix: string = '', requestOptions: RequestOpt
       throw new Error('invalid host');
     }
 
+    // 'X-Forwarded-Proto' is the default header
     const protoHeader: string =
       process.env.VERDACCIO_FORWARDED_PROTO?.toLocaleLowerCase() ??
       HEADERS.FORWARDED_PROTO.toLowerCase();
-    const forwardedProtocolHeaderValue = requestOptions.headers[protoHeader] as string | undefined;
+    const forwardedProtocolHeaderValue = requestOptions.headers[protoHeader];
+
+    if (Array.isArray(forwardedProtocolHeaderValue)) {
+      // This really should never happen - only set-cookie is allowed to have
+      // multiple values.
+      throw new Error('invalid forwarded protocol header value. Reading header ' + protoHeader);
+    }
 
     const protocol = getWebProtocol(forwardedProtocolHeaderValue, requestOptions.protocol);
     const combinedUrl = combineBaseUrl(protocol, host, url_prefix);

packages/core/url/tests/getPublicUrl.spec.ts

@@ -316,6 +316,31 @@ describe('env variable', () => {
     delete process.env.VERDACCIO_FORWARDED_PROTO;
   });
 
+  test('with the VERDACCIO_FORWARDED_PROTO environment variable set to "set-cookie"', () => {
+    process.env.VERDACCIO_FORWARDED_PROTO = 'set-cookie';
+    const req = httpMocks.createRequest({
+      method: 'GET',
+      headers: {
+        host: 'some.com',
+        cookie: 'name=value; name2=value2;',
+        'set-cookie': [
+          'cookieName1=value; expires=Tue, 19 Jan 2038 03:14:07 GMT;',
+          'cookieName2=value; expires=Tue, 19 Jan 2038 03:14:07 GMT;',
+        ],
+      },
+      url: '/',
+    });
+
+    expect(() =>
+      getPublicUrl('/test/', {
+        host: req.hostname,
+        headers: req.headers as any,
+        protocol: req.protocol,
+      })
+    ).toThrow('invalid forwarded protocol header value. Reading header set-cookie');
+    delete process.env.VERDACCIO_FORWARDED_PROTO;
+  });
+
   test('with a invalid X-Forwarded-Proto https and host injection with invalid host', () => {
     process.env.VERDACCIO_PUBLIC_URL = 'http://injection.test.com"><svg onload="alert(1)">';
     const req = httpMocks.createRequest({

packages/hooks/CHANGELOG.md

@@ -1,5 +1,42 @@
 # @verdaccio/hooks
 
+## 7.0.0-next-7.19
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.19
+- @verdaccio/logger@7.0.0-next-7.19
+
+## 7.0.0-next-7.18
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.18
+- @verdaccio/logger@7.0.0-next-7.18
+
+## 7.0.0-next-7.17
+
+### Patch Changes
+
+- Updated dependencies [6e764e3]
+  - @verdaccio/core@7.0.0-next-7.17
+  - @verdaccio/logger@7.0.0-next-7.17
+
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.16
+- @verdaccio/core@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/hooks/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/hooks",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.19",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -29,17 +29,17 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.19",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.19",
     "core-js": "3.35.0",
     "debug": "4.3.4",
     "got-cjs": "12.5.4",
     "handlebars": "4.7.8"
   },
   "devDependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.19",
+    "@verdaccio/config": "workspace:7.0.0-next-7.19",
+    "@verdaccio/types": "workspace:12.0.0-next-7.5",
     "nock": "13.5.1"
   },
   "scripts": {