chore: update versions (next-7) (#4525)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.babelrc

@@ -4,7 +4,7 @@
       "@babel/env",
       {
         "targets": {
-          "node": 16
+          "node": 12
         }
       }
     ],

.changeset/angry-trees-tie.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/ui-components': patch
+'@verdaccio/ui-theme': patch
+---
+
+- fixed login state when token is expired (@ku3mi41 in #3980)

.changeset/eight-squids-judge.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/ui-theme': patch
+'@verdaccio/ui-components': patch
+---
+
+fix: display labels for engine versions

.changeset/long-jars-collect.md

@@ -0,0 +1,15 @@
+---
+'@verdaccio/ui-theme': minor
+'@verdaccio/ui-components': minor
+---
+
+feat: ui improvements
+
+Some UI improvements
+
+- download progress indicator: https://github.com/verdaccio/verdaccio/discussions/4068
+- fix dark mode and readme css support https://github.com/verdaccio/verdaccio/discussions/3942 https://github.com/verdaccio/verdaccio/discussions/3467
+- fix global for yarn packages and add version to the packages on copy
+- feat: hide deprecated versions option
+- fix: improve deprecated package style
+- feat: display deprecated versions

.changeset/old-turkeys-heal.md

@@ -0,0 +1,18 @@
+---
+'@verdaccio/config': minor
+'@verdaccio/core': minor
+'@verdaccio/file-locking': minor
+'@verdaccio/tarball': minor
+'@verdaccio/url': minor
+'@verdaccio/logger-7': minor
+'@verdaccio/logger-commons': minor
+'@verdaccio/logger-prettify': minor
+'@verdaccio/middleware': minor
+'verdaccio-audit': minor
+'verdaccio-htpasswd': minor
+'@verdaccio/search': minor
+'@verdaccio/signature': minor
+'@verdaccio/utils': minor
+---
+
+restore legacy support

.changeset/olive-bananas-wink.md

@@ -0,0 +1,7 @@
+---
+'@verdaccio/store': patch
+'@verdaccio/tarball': patch
+---
+
+- Fixes polynomial regular expression when determining the file name of tarball
+- Add tests for extracting tarball name

.changeset/perfect-chairs-act.md

@@ -0,0 +1,36 @@
+---
+'@verdaccio/api': major
+'@verdaccio/auth': major
+'@verdaccio/cli': major
+'@verdaccio/config': major
+'@verdaccio/core': major
+'@verdaccio/file-locking': major
+'@verdaccio/tarball': major
+'@verdaccio/types': major
+'@verdaccio/url': major
+'@verdaccio/hooks': major
+'@verdaccio/loaders': major
+'@verdaccio/logger': major
+'@verdaccio/logger-commons': major
+'@verdaccio/logger-prettify': major
+'@verdaccio/middleware': major
+'@verdaccio/node-api': major
+'verdaccio-audit': major
+'verdaccio-auth-memory': major
+'verdaccio-htpasswd': major
+'@verdaccio/local-storage': major
+'verdaccio-memory': major
+'@verdaccio/ui-theme': major
+'@verdaccio/proxy': major
+'@verdaccio/search': major
+'@verdaccio/server': major
+'@verdaccio/server-fastify': major
+'@verdaccio/signature': major
+'@verdaccio/store': major
+'@verdaccio/ui-components': major
+'@verdaccio/utils': major
+'verdaccio': major
+'@verdaccio/web': major
+---
+
+update major dependencies, remove old nodejs support

.changeset/pink-apples-nail.md

@@ -0,0 +1,7 @@
+---
+'@verdaccio/ui-theme': minor
+'@verdaccio/ui-components': minor
+'@verdaccio/config': minor
+---
+
+feat: forbidden user interface

.changeset/pre.json

@@ -1,6 +1,6 @@
 {
   "mode": "pre",
-  "tag": "next",
+  "tag": "next-7",
   "initialVersions": {
     "@verdaccio/test-cli-commons": "1.1.0",
     "@verdaccio/e2e-cli-npm6": "1.0.1",
@@ -57,5 +57,25 @@
     "@verdaccio/website": "5.20.2",
     "@verdaccio/local-publish": "0.0.1"
   },
-  "changesets": ["breezy-mayflies-pull", "chilled-carrots-guess"]
+  "changesets": [
+    "angry-trees-tie",
+    "breezy-mayflies-pull",
+    "chilled-carrots-guess",
+    "eight-squids-judge",
+    "long-jars-collect",
+    "old-turkeys-heal",
+    "olive-bananas-wink",
+    "perfect-chairs-act",
+    "pink-apples-nail",
+    "real-socks-vanish",
+    "shiny-worms-retire",
+    "shy-carrots-compare",
+    "shy-garlics-cry",
+    "spicy-birds-flow",
+    "strange-points-repair",
+    "thirty-toes-swim",
+    "weak-fans-explain",
+    "wild-otters-talk",
+    "young-donuts-own"
+  ]
 }

.changeset/real-socks-vanish.md

@@ -0,0 +1,5 @@
+---
+'verdaccio': patch
+---
+
+chore: test release

.changeset/shiny-worms-retire.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/search': patch
+---
+
+fix: keyword undefined errors

.changeset/shy-carrots-compare.md

@@ -0,0 +1,14 @@
+---
+'@verdaccio/server': minor
+'@verdaccio/test-helper': minor
+'@verdaccio/types': minor
+'@verdaccio/middleware': minor
+'@verdaccio/core': minor
+'@verdaccio/signature': minor
+'@verdaccio/url': minor
+'@verdaccio/config': minor
+'@verdaccio/auth': minor
+'@verdaccio/api': minor
+---
+
+refactor: auth with legacy sign support

.changeset/shy-garlics-cry.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/signature': patch
+---
+
+chore: export signature options type

.changeset/spicy-birds-flow.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/store': patch
+'@verdaccio/test-helper': patch
+---
+
+fix: store readme when publishing locally

.changeset/strange-points-repair.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/ui-theme': patch
+'@verdaccio/ui-components': patch
+---
+
+fix: render READMEs with correct font and highlighting

.changeset/thirty-toes-swim.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/ui-theme': patch
+'@verdaccio/ui-components': patch
+---
+
+fix: ui dialog break pages on open due remark error

.changeset/weak-fans-explain.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/server': patch
+---
+
+fix: Avoid 404 error when getting favicon from root

.changeset/wild-otters-talk.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/api': patch
+---
+
+fix: bug on change password npm profile

.changeset/young-donuts-own.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/config': patch
+---
+
+chore(config): increase test coverage

.github/workflows/changesets.yml

@@ -20,21 +20,21 @@ jobs:
     if: github.ref == 'refs/heads/master' && github.repository == 'verdaccio/verdaccio'
     steps:
       - name: checkout code repository
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           fetch-depth: 0
 
       - name: setup node.js
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
         env:
           NODE_AUTH_TOKEN: ${{ secrets.REGISTRY_AUTH_TOKEN }}
 
-      - name: install pnpm
-        run: npm i pnpm@latest-8 -g
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.REGISTRY_AUTH_TOKEN }}
+      - name: Install pnpm
+        run: |
+          corepack enable
+          corepack install
 
       - name: setup pnpm config
         run: pnpm config set store-dir $PNPM_CACHE_FOLDER

.github/workflows/ci-windows.yml

@@ -18,9 +18,9 @@ jobs:
         env:
           NODE_ENV: production          
     steps:
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
     - name: Node
-      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
       with:
         node-version-file: '.nvmrc'
     - name: Install pnpm
@@ -36,7 +36,7 @@ jobs:
     - name: Install
       run: pnpm install --registry http://localhost:4873
     - name: Cache .pnpm-store
-      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
       with:
         path: ~/.pnpm-store
         key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -47,14 +47,14 @@ jobs:
     name: Lint
     needs: prepare
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -71,14 +71,14 @@ jobs:
     name: Format
     needs: prepare
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -100,14 +100,14 @@ jobs:
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node ${{ matrix.node_version }}
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node_version }}
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -126,13 +126,13 @@ jobs:
     runs-on: windows-latest
     name: UI Test E2E
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/workflows/ci.yml

@@ -25,51 +25,51 @@ jobs:
         ports:
           - 4873:4873
         env:
-          NODE_ENV: production          
+          NODE_ENV: production
     steps:
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
-    - name: Node
-      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
-      with:
-        node-version-file: '.nvmrc'
-    - name: Install pnpm
-      run: |
-        corepack enable
-        corepack prepare --activate pnpm@latest-8
-    - name: set store
-      run: |
-        mkdir ~/.pnpm-store
-        pnpm config set store-dir ~/.pnpm-store
-    - name: Install
-      run: pnpm install  --registry http://localhost:4873
-    - name: Cache .pnpm-store
-      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
-      with:
-        path: ~/.pnpm-store
-        key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
-        restore-keys: |
-          pnpm-
-  lint:
-    runs-on: ubuntu-latest
-    name: Lint
-    needs: prepare
-    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
-          corepack prepare --activate pnpm@latest-8
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+          corepack install
+      - name: set store
+        run: |
+          mkdir ~/.pnpm-store
+          pnpm config set store-dir ~/.pnpm-store
+      - name: Install
+        run: pnpm install  --registry http://localhost:4873
+      - name: Cache .pnpm-store
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        with:
+          path: ~/.pnpm-store
+          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
+          restore-keys: |
+            pnpm-
+  lint:
+    runs-on: ubuntu-latest
+    name: Lint
+    needs: prepare
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - name: Node
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        with:
+          node-version-file: '.nvmrc'
+      - name: Install pnpm
+        run: |
+          corepack enable
+          corepack install
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
       - name: set store
         run: |
-          pnpm config set store-dir ~/.pnpm-store              
+          pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --ignore-scripts
       - name: Lint
@@ -79,52 +79,52 @@ jobs:
     name: Format
     needs: prepare
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
-          corepack prepare --activate pnpm@latest-8
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+          corepack install
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
       - name: set store
         run: |
-          pnpm config set store-dir ~/.pnpm-store              
+          pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --ignore-scripts
       - name: Lint
         run: pnpm format:check
   test:
-    needs: [format, lint]
+    needs: [prepare]
     strategy:
       fail-fast: true
       matrix:
         os: [ubuntu-latest]
-        node_version: [16, 18]
+        node_version: [18, 20, 21]
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node ${{ matrix.node_version }}
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node_version }}
       - name: Install pnpm
         run: |
           corepack enable
-          corepack prepare --activate pnpm@latest-8
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+          corepack prepare
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
       - name: set store
         run: |
-          pnpm config set store-dir ~/.pnpm-store              
+          pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --ignore-scripts --registry http://localhost:4873
       - name: build
@@ -137,21 +137,21 @@ jobs:
     name: synchronize translations
     if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
-          corepack prepare --activate pnpm@latest-8
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+          corepack install
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
       - name: set store
         run: |
-          pnpm config set store-dir ~/.pnpm-store              
+          pnpm config set store-dir ~/.pnpm-store
       - name: Install
         ## we need scripts, pupetter downloads aditional content
         run: pnpm install --registry http://localhost:4873

.github/workflows/codeql-analysis.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           # We must fetch at least the immediate parents so that if this is
           # a pull request then we can checkout the head.
@@ -34,7 +34,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 # v2
+        uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v2
 
       # Override language selection by uncommenting this and choosing your languages
       # with:
@@ -42,7 +42,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@a09933a12a80f87b87005513f0abb1494c27a716 # v2
+        uses: github/codeql-action/autobuild@47b3d888fe66b639e431abf22ebca059152f1eea # v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -56,4 +56,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 # v2
+        uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v2

.github/workflows/docker-proxy-apache-e2e.yml

@@ -12,24 +12,31 @@ jobs:
   docker:
     timeout-minutes: 10
     runs-on: ubuntu-latest
-
+    env:
+      NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       
     - name: Start containers
       run: docker-compose -f "./e2e/docker/apache-verdaccio/docker-compose.yaml" up -d --build
 
     - name: Install node
-      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
       with:
-        node-version: 18
+        node-version-file: '.nvmrc'
+    - name: npm setup
+      run: |
+        npm config set fetch-retries="10"
+        npm config set fetch-retry-factor="50"
+        npm config set fetch-retry-mintimeout="20000"
+        npm config set fetch-retry-maxtimeout="80000"          
     - name: verdaccio cli
       run: npm install -g verdaccio --registry http://localhost
     - name: gastby cli 
       run:  npm install -g gatsby-cli --registry http://localhost
-    - name: netlify cli 
-      run:  npm install -g netlify-cli --registry http://localhost
+    # - name: netlify cli 
+    #   run:  npm install -g netlify-cli --registry http://localhost
     - name: angular cli 
       run:  npm install -g @angular/cli --registry http://localhost
 

.github/workflows/docker-proxy-nginx-e2e.yml

@@ -9,21 +9,22 @@ jobs:
   docker:
     timeout-minutes: 10
     runs-on: ubuntu-latest
-
+    env:
+      NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       
     - name: Start containers
       run: docker-compose -f "./e2e/docker/proxy-nginx/docker-compose.yaml" up -d --build
 
     - name: Install node
-      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
       with:
-        node-version: 18
+        node-version-file: '.nvmrc'
     - name: npm setup
       run: |
-        npm config set fetch-retries="5"
+        npm config set fetch-retries="10"
         npm config set fetch-retry-factor="50"
         npm config set fetch-retry-mintimeout="20000"
         npm config set fetch-retry-maxtimeout="80000"      
@@ -31,8 +32,8 @@ jobs:
       run: npm install -g verdaccio --registry http://localhost
     - name: gastby cli 
       run:  npm install -g gatsby-cli --registry http://localhost
-    - name: netlify cli 
-      run:  npm install -g netlify-cli --registry http://localhost
+    #- name: netlify cli 
+    #  run:  npm install -g netlify-cli --registry http://localhost
     - name: angular cli 
       run:  npm install -g @angular/cli --registry http://localhost
 

.github/workflows/docker-publish.yml

@@ -23,8 +23,8 @@ jobs:
   docker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
-      - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # tag=v1
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # tag=v1
       - uses: docker/setup-buildx-action@v1
         with:
           driver-opts: network=host

.github/workflows/e2e-ci.yml

@@ -3,6 +3,9 @@ name: E2E CLI
 on: [pull_request]
 permissions:
   contents: read
+concurrency:
+  group: e2e-ci-${{ github.ref }}
+  cancel-in-progress: true
 jobs:
   prepare:
     runs-on: ubuntu-latest
@@ -15,50 +18,54 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
-    - name: Use Node
-      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
-      with:
-        node-version-file: '.nvmrc'
-    - name: Install pnpm
-      run: npm i pnpm@latest-8 -g
-    - name: set store
-      run: |
-        mkdir ~/.pnpm-store
-        pnpm config set store-dir ~/.pnpm-store
-    - name: Install
-      run: pnpm install --reporter=silence --ignore-scripts --registry http://localhost:4873
-    - name: Cache .pnpm-store
-      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
-      with:
-        path: ~/.pnpm-store
-        key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
-        restore-keys: |
-          pnpm-
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - name: Use Node
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        with:
+          node-version-file: '.nvmrc'
+      - name: Install pnpm
+        run: |
+          corepack enable
+          corepack prepare 
+      - name: set store
+        run: |
+          mkdir ~/.pnpm-store
+          pnpm config set store-dir ~/.pnpm-store
+      - name: Install
+        run: pnpm install --reporter=silence --ignore-scripts --registry http://localhost:4873
+      - name: Cache .pnpm-store
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        with:
+          path: ~/.pnpm-store
+          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+          restore-keys: |
+            pnpm-
   build:
     needs: [prepare]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node 16
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
-        run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+        run: |
+          corepack enable
+          corepack prepare 
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
       - name: set store
         run: |
-          pnpm config set store-dir ~/.pnpm-store              
+          pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm recursive install --reporter=silence --registry http://localhost:4873
       - name: build
         run: pnpm build
       - name: Cache packages
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         id: cache-packages
         with:
           path: ./packages/
@@ -73,32 +80,41 @@ jobs:
       #     key: test-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
       #     restore-keys: |
       #       test-
-  e2e-cli:
+  e2e-cli-npm:
     needs: [prepare, build]
     strategy:
-      fail-fast: false
+      fail-fast: false      
       matrix:
-        pkg: [npm6, npm7, npm8, npm9, pnpm6, pnpm7, pnpm8, yarn1, yarn2, yarn3, yarn4]
-        node: [16, 18, 19]
+        pkg:
+          [
+            npm6,
+            npm7,
+            npm8,
+            npm9,
+            npm10
+          ]
+        node: [20, 21]
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
       - name: Install pnpm
-        run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+        run: |
+          corepack enable
+          corepack prepare 
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
       - name: set store
         run: |
-          pnpm config set store-dir ~/.pnpm-store              
+          pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -107,6 +123,97 @@ jobs:
       #     path: ./e2e/
       #     key: test-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
       - name: build e2e
-        run:  pnpm --filter @verdaccio/test-cli-commons build
+        run: pnpm --filter @verdaccio/test-cli-commons build
       - name: Test CLI
         run: NODE_ENV=production pnpm test --filter ...@verdaccio/e2e-cli-${{matrix.pkg}}
+  # TODO: fix pnpm setup
+  # e2e-cli-pnpm:
+  #   needs: [prepare, build]
+  #   strategy:
+  #     fail-fast: true
+  #     matrix:
+  #       pkg:
+  #         [          
+  #           pnpm6,
+  #           pnpm7,
+  #           pnpm8          
+  #         ]
+  #       node: [20, 21]
+  #   name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+  #     - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+  #       with:
+  #         node-version: ${{ matrix.node }}
+  #     - name: Install pnpm
+  #       run: |
+  #         corepack enable
+  #         corepack prepare
+  #     - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+  #       with:
+  #         path: ~/.pnpm-store
+  #         key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+  #     - name: set store
+  #       run: |
+  #         pnpm config set store-dir ~/.pnpm-store
+  #     - name: Install
+  #       run: pnpm install --loglevel debug --ignore-scripts --registry http://localhost:4873
+  #     - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+  #       with:
+  #         path: ./packages/
+  #         key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+  #     # - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # tag=v3
+  #     #   with:
+  #     #     path: ./e2e/
+  #     #     key: test-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+  #     - name: build e2e
+  #       run: pnpm --filter @verdaccio/test-cli-commons build
+  #     - name: Test CLI
+  #       run: NODE_ENV=production pnpm test --filter ...@verdaccio/e2e-cli-${{matrix.pkg}}
+  e2e-cli-yarn:
+    needs: [prepare, build]
+    strategy:
+      fail-fast: false
+      matrix:
+        pkg:
+          [           
+            yarn1,
+            yarn2,
+            yarn3,
+            yarn4
+          ]
+        node: [20, 21]
+    name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        with:
+          node-version: ${{ matrix.node }}
+      - name: Install pnpm
+        run: |
+          corepack enable
+          corepack prepare 
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        with:
+          path: ~/.pnpm-store
+          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+      - name: set store
+        run: |
+          pnpm config set store-dir ~/.pnpm-store
+      - name: Install
+        run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        with:
+          path: ./packages/
+          key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+      # - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # tag=v3
+      #   with:
+      #     path: ./e2e/
+      #     key: test-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+      - name: build e2e
+        run: pnpm --filter @verdaccio/test-cli-commons build
+      - name: Test CLI
+        run: NODE_ENV=production pnpm test --filter ...@verdaccio/e2e-cli-${{matrix.pkg}}
+      

.github/workflows/e2e-ui.yml

@@ -3,6 +3,9 @@ name: E2E UI
 on: [pull_request]
 permissions:
   contents: read
+concurrency:
+  group: e2e-ui-${{ github.ref }}
+  cancel-in-progress: true  
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -15,22 +18,22 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
-         corepack enable
-         corepack prepare --activate pnpm@latest-8
+          corepack enable
+          corepack prepare
       - name: Install
         run: pnpm install --reporter=silence --registry http://localhost:4873
       - name: build
         run: pnpm build
       - name: Test UI
         run: pnpm test:e2e:ui
-      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
         with:
           name: videos
           path: /home/runner/work/verdaccio/verdaccio/e2e/ui/cypress/videos

.github/workflows/static-data.yml

@@ -19,11 +19,11 @@ jobs:
     name: Run script
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           persist-credentials: false
           fetch-depth: 0
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: 18.x
       - name: install pnpm

.github/workflows/ui-components.yml

@@ -2,13 +2,6 @@ name: UI Components
 
 on: 
   workflow_dispatch:
-  pull_request:
-    paths:
-    - .github/workflows/ui-components.yml
-    - 'packages/ui-components/**'
-    - 'package.json'
-    - 'pnpm-workspace.yaml'
-    - 'pnpm-lock.yaml'
 
 permissions:
   contents: read  #  to fetch code (actions/checkout)
@@ -27,15 +20,15 @@ jobs:
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
       - name: Use Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
 
       - name: Cache pnpm modules
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         env:
           cache-name: cache-pnpm-modules
         with:
@@ -47,7 +40,7 @@ jobs:
       - name: Install pnpm
         run: |
           corepack enable
-            corepack prepare --activate pnpm@latest-8
+            corepack prepare --activate pnpm@8.9.0
       - name: Install
         run: pnpm install  
       - name: Build storybook

.github/workflows/website.yml

@@ -2,10 +2,6 @@ name: Verdaccio Website CI
 
 on:
   workflow_dispatch:
-  pull_request:
-    paths:
-        - 'website/**'
-        - './.github/workflows/website.yml'
   schedule:
     - cron: '0 0 * * *' 
 
@@ -20,125 +16,60 @@ jobs:
       pull-requests: write  #  to comment on pull-requests
 
     runs-on: ubuntu-latest
+    name: setup verdaccio
+    services:
+      verdaccio:
+        image: verdaccio/verdaccio:5
+        ports:
+          - 4873:4873
+        env:
+          NODE_ENV: production    
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
-      - name: Use Node 16
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+      - name: Node
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
-          node-version: 16
-
-      - name: Cache pnpm modules
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
-        env:
-          cache-name: cache-pnpm-modules
+          node-version-file: '.nvmrc'
+      - name: Install pnpm
+        run: |
+          corepack enable
+          corepack install
+      - name: set store
+        run: |
+          mkdir ~/.pnpm-store
+          pnpm config set store-dir ~/.pnpm-store
+      - name: Install
+        run: pnpm install  --registry http://localhost:4873
+      - name: Cache .pnpm-store
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
-          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ matrix.node-version }}-${{ hashFiles('**/pnpm-lock.yaml') }}
+          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
           restore-keys: |
-            ${{ runner.os }}-build-${{ env.cache-name }}-${{ matrix.node-version }}-
-
-      - uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # tag=v2.4.0
-        with:
-          version: latest-8
-          run_install: |
-            - recursive: true
-              args: [--frozen-lockfile]
+            pnpm-          
       - name: Build 
         run: pnpm build
       - name: Build Translations percentage
         run: pnpm --filter @verdaccio/crowdin-translations build
       - name: Cache Docusaurus Build
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: website/node_modules/.cache/webpack
           key: cache/webpack-${{github.ref}}-${{ hashFiles('**/pnpm-lock.yaml') }}
           restore-keys: cache/webpack-${{github.ref}}
-
-      # Will deploy to production on:
-        # 1st: When a push occurs on master branch
-        # 2nd: When we force the worflow dispatch through the UI
       - name: Build Production
-        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
+        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
         env:
           CROWDIN_VERDACCIO_API_KEY: ${{ secrets.CROWDIN_VERDACCIO_API_KEY }}
           SENTRY_KEY: ${{ secrets.SENTRY_KEY }}
           CONTEXT: production
-        run: pnpm --filter @verdaccio/website netlify:build:production
-
-      - name: 🔥 Deploy Production Netlify
-        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
-        uses: semoal/action-netlify-deploy@1a53f098745bf78555d11b436f5ee3af87e6b566
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          netlify-auth-token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-          netlify-site-id: ${{ secrets.NETLIFY_SITE_ID }}
-          build-dir: './website/build'
-
-      # Will deploy to Preview URL, only when a pull request is open with changes on the website
-      - name: Build Deployment Preview
+        run: pnpm --filter @verdaccio/website netlify:build
+      - name: Deploy to Netlify
         env:
-          CONTEXT: deploy-preview
-        run: pnpm --filter ...@verdaccio/website netlify:build:deployPreview
+          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
+          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+        run: pnpm --filter ...@verdaccio/website netlify:deploy 
 
-      - name: 🤖 Deploy Preview Netlify
-        if: github.repository == 'verdaccio/verdaccio'
-        uses: semoal/action-netlify-deploy@1a53f098745bf78555d11b436f5ee3af87e6b566
-        id: netlify_preview
-        with:
-          draft: true
-          comment-on-pull-request: true
-          github-deployment-is-production: false
-          github-deployment-is-transient: true
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          netlify-auth-token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-          netlify-site-id: ${{ secrets.NETLIFY_SITE_ID }}
-          build-dir: './website/build'
-
-      - name: Audit preview URL with Lighthouse
-        if: github.repository == 'verdaccio/verdaccio'
-        id: lighthouse_audit
-        uses: treosh/lighthouse-ci-action@03becbfc543944dd6e7534f7ff768abb8a296826 # tag=10.1.0
-        with:
-          urls: |
-            ${{ steps.netlify_preview.outputs.preview-url }}
-          uploadArtifacts: true
-          temporaryPublicStorage: true
-
-      - name: Format lighthouse score
-        id: format_lighthouse_score
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # tag=v6
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          script: |
-            const result = ${{ steps.lighthouse_audit.outputs.manifest }}[0].summary
-            const links = ${{ steps.lighthouse_audit.outputs.links }}
-            const formatResult = (res) => Math.round((res * 100))
-            Object.keys(result).forEach(key => result[key] = formatResult(result[key]))
-            const score = res => res >= 90 ? '🟢' : res >= 50 ? '🟠' : '🔴'
-            const comment = [
-                `⚡️ [Lighthouse report](${Object.values(links)[0]}) for the changes in this PR:`,
-                '| Category | Score |',
-                '| --- | --- |',
-                `| ${score(result.performance)} Performance | ${result.performance} |`,
-                `| ${score(result.accessibility)} Accessibility | ${result.accessibility} |`,
-                `| ${score(result['best-practices'])} Best practices | ${result['best-practices']} |`,
-                `| ${score(result.seo)} SEO | ${result.seo} |`,
-                ' ',
-                `*Lighthouse ran on [${Object.keys(links)[0]}](${Object.keys(links)[0]})*`
-            ].join('\n')
-             core.setOutput("comment", comment);
-
-      - name: Add comment to PR
-        if: github.repository == 'verdaccio/verdaccio'
-        id: comment_to_pr
-        uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2
-        with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          number: ${{ github.event.issue.number }}
-          delete: true
-          header: lighthouse
-          message: |
-            ${{ steps.format_lighthouse_score.outputs.comment }}

.netlify/netlify-plugin-pnpm/index.js

@@ -1,10 +0,0 @@
-module.exports = {
-  onPreBuild: async ({ utils: { build, run } }) => {
-    try {
-      await run.command("npm install -g pnpm")
-      await run.command("pnpm install --ignore-scripts --frozen-lockfile")
-    } catch (error) {
-      return build.failBuild(error)
-    }
-  }
-}

.netlify/netlify-plugin-pnpm/manifest.yml

@@ -1,2 +0,0 @@
-name: netlify-plugin-pnpm
-inputs: []

.npmrc

@@ -1,3 +1,2 @@
 always-auth = true
-loglevel=info
 fetch-retries="10"

.nvmrc

@@ -1 +1 @@
-16
+20

.prettierrc

@@ -0,0 +1,15 @@
+{
+  "endOfLine": "lf",
+  "useTabs": false,
+  "printWidth": 100,
+  "tabWidth": 2,
+  "singleQuote": true,
+  "bracketSpacing": true,
+  "trailingComma": "es5",
+  "semi": true,
+  "plugins": ["@trivago/prettier-plugin-sort-imports"],
+  "importOrder": ["^@verdaccio/(.*)$", "^[./]"],
+  "importOrderSeparation": true,
+  "importOrderParserPlugins": ["typescript", "classProperties", "jsx"],
+  "importOrderSortSpecifiers": true
+}

.vscode/settings.json

@@ -1,13 +1,10 @@
 // Place your settings in this file to overwrite default and user settings.
 {
   "files.exclude": {
-    "**/.nyc_output": true,
     "**/build": false,
     "**/coverage": true,
     ".idea": true,
-    "storage_default_storage": true,
-    ".yarn": true
   },
-  "editor.formatOnSave": true,
-  "typescript.tsdk": "node_modules/typescript/lib"
+  "editor.defaultFormatter": "esbenp.prettier-vscode",
+  "editor.formatOnSave": true
 }

CONTRIBUTING.md

@@ -29,6 +29,8 @@ The Verdaccio project is split into several areas, the first three hosted in the
 
 ## Prepare local setup {#local-setup}
 
+**Note**: The size of the Verdaccio project is quite significant. Unzipped it is about 33 MB. However, a full build with all node_modules installed takes about **2.8 GB** of disk space (~190k files)!
+
 Verdaccio uses [pnpm](https://pnpm.io) as the package manager for development in this repository.
 
 If you are using pnpm for the first time the [pnpm configuration documentation](https://pnpm.io/configuring) may be useful to avoid any potential problems with the following steps.
@@ -41,61 +43,70 @@ package-lock=false
 
 This setting would cause the `pnpm install` command to install incorrect versions of package dependencies and the subsequent `pnpm build` step would likely fail.
 
-To begin your development setup, please install the latest version of pnpm globally:
+We use [corepack](https://github.com/nodejs/corepack) to install and use a specific (latest) version of pnpm. Please run the following commands which is use a specific version on Node.js and configure it to use a specific version of pnpm. The version of pnpm is specified in the `package.json` file in `packageManager` field.
 
+```shell
+nvm install
+corepack enable
 ```
-npm i -g pnpm@latest-8
+
+`pnpm` version will be updated mainly by the maintainers but if you would like to set it to a specific version, you can do so by running the following command:
+
+> `packageManager` at the `package.json` defines the default version to be used.
+
+```shell
+corepack prepare
 ```
 
 With pnpm installed, the first step is installing all dependencies:
 
-```
+```shell
 pnpm install
 ```
 
 ### Building the project
 
-To build the project run
+Each package is independent, dependencies must be build first, run:
 
-```
+```shell
 pnpm build
 ```
 
 ### Running test
 
-```
+```shell
 pnpm test
 ```
 
-Verdaccio is a mono repository. To run the tests for for a specific package:
+Verdaccio is a mono repository. To run the tests for a specific package:
 
-```
+```shell
 cd packages/store
 pnpm test
 ```
 
-or an specific test in that package:
+or a specific test in that package:
 
-```
+```shell
 pnpm test test/merge.dist.tags.spec.ts
 ```
 
 or a single test unit:
 
-```
+```shell
 pnpm test test/merge.dist.tags.spec.ts -- -t 'simple'
 ```
 
 Coverage reporting is enabled by default, but you can turn it off to speed up
 test runs:
 
-```
+```shell
 pnpm test test/merge.dist.tags.spec.ts -- -t 'simple' --coverage=false
 ```
 
 You can enable increased [`debug`](https://www.npmjs.com/package/debug) output:
 
-```
+```shell
 DEBUG=verdaccio:* pnpm test
 ```
 
@@ -108,11 +119,22 @@ More details in the debug section
 We use [`debug`](https://www.npmjs.com/package/debug) to add helpful debugging
 output to the code. Each package has it owns namespace.
 
-#### Useful Scripts
+#### Developing with local server
 
 To run the application from the source code, ensure the project has been built with `pnpm build`, once this is done, there are few commands that helps to run server:
 
-- `pnpm start`: Runs server on port `8000` and UI on port `4873`. This is particularly useful if you want to contribute to the UI, since it runs with hot reload.
+The command `pnpm start` runs web server on port `8000` and user interface (webpack-server) on port `4873`. This is particularly useful if you want to contribute to the UI, since it runs with hot reload. The request to the server are proxy through webpack proxy support through the port `4873`.
+
+The user interface is split in two packages, the `/packages/plugins/ui-theme` and the `/packages/ui-components`. The `ui-components` package uses _storybook_ in order to develop component, but if you need to reload ui components with `ui-theme` do the following.
+
+Go to `/packages/ui-component` and run `pnpm watch` to enable _babel_ in watch mode, every change on the components will be hot reloaded in combination with the `pnpm start` command.
+
+Any change on the server packages, must be build independently (server does not have hot reload, `pnpm start` should be triggered again).
+
+Any interaction with the server should be done through the port `8000` eg: `npm login --registry http://localhost:8000` .
+
+#### Useful commands
+
 - `pnpm debug`: Run the server in debug mode `--inspect`. UI runs too but without hot reload. For automatic break use `pnpm debug:break`.
 - `pnpm debug:fastify`: To contribute on the [fastify migration](https://github.com/verdaccio/verdaccio/discussions/2155) this is a temporary command for such purpose.
 - `pnpm website`: Build the website, for more commands to run the _website_, run `cd website` and then `pnpm serve`, website will run on port `3000`.
@@ -120,18 +142,18 @@ To run the application from the source code, ensure the project has been built w
 
 #### Debugging compiled code {#debugging-compiled-code}
 
-Currently you can only run pre-compiled packages in debug mode. To enable debug
+Currently, you can only run pre-compiled packages in debug mode. To enable debug
 while running add the `verdaccio` namespace using the `DEBUG` environment
 variable, like this:
 
-```
+```shell
 DEBUG=verdaccio:* node packages/verdaccio/debug/bootstrap.js
 ```
 
 You can filter this output to just the packages you're interested in using
 namespaces:
 
-```
+```shell
 DEBUG=verdaccio:plugin:* node packages/verdaccio/debug/bootstrap.js
 ```
 
@@ -142,24 +164,24 @@ of the output is sent to the logger module.
 
 #### Testing your changes in a local registry {#testing-local-registry}
 
-Once you have perform your changes in the code base, the build and tests passes you can publish a local version:
+Once you have performed your changes in the code base, the build and tests passes you can publish a local version:
 
-- Ensure you have build all modules (or the one you have modified)
+- Ensure you have built all modules by running `pnpm build` (or the one you have modified)
 - Run `pnpm local:publish:release` to launch a local registry and publish all packages into it. This command will be alive until server is killed (Control Key + C)
 
-```
+```shell
 pnpm build
 pnpm local:publish:release
 ```
 
 The last step consist on install globally the package from the local registry which runs on the default port (4873).
 
-```
+```shell
 npm i -g verdaccio --registry=http://localhost:4873
 verdaccio
 ```
 
-If you perform more changes in the source code, repeat this process, there is not _hot reloading_ support.
+If you perform more changes in the source code, repeat this process, there is no _hot reloading_ support.
 
 ## Feature Request {#feature-request}
 
@@ -186,7 +208,7 @@ a report in our [issue tracker](https://github.com/verdaccio/verdaccio/issues),
 > **NOTE: Verdaccio still does not support all npm commands. Some were not
 > considered important and others have not been requested yet.**
 
-### What's is not considered a bug?
+### What is not considered a bug?
 
 - _Third party integrations_: proxies integrations, external plugins
 - _Package managers_: If a package manager does not support a specific command
@@ -220,7 +242,7 @@ Questions can be asked via [Discord](https://discord.gg/7qWJxBf)
 
 ## Development Guidelines {#development-guidelines}
 
-It's recommended use a UNIX system for local development, Windows should works fine for development, but is not daily tested could not be perfect. To ensure a fast code review and merge, please follow the next guidelines:
+It's recommended use a UNIX system for local development, Windows dev local support is not being tested and might not work. To ensure a fast code review and merge, please follow the next guidelines:
 
 Any contribution gives you the right to be part of this organization as _collaborator_ and your avatar will be automatically added to the [contributors page](https://verdaccio.org/contributors).
 
@@ -250,7 +272,7 @@ information on [rebasing](https://git-scm.com/book/en/v2/Git-Branching-Rebasing)
 
 #### Caveats
 
-Feel free to commit as much times you want in your branch, but keep on mind on
+Feel free to commit as many times you want in your branch, but keep on mind on
 this repository we `git squash` on merge by default, as we like to maintain a
 clean git history.
 
@@ -285,7 +307,7 @@ contribution to get merged (unless it does not affect functionality or
 user-facing content, eg: docs, readme, adding test or typo/lint fixes). To
 create a changeset please run:
 
-```
+```shell
 pnpm changeset
 ```
 
@@ -337,7 +359,7 @@ The last step is to confirm your changeset or abort the operation:
 🦋  info /Users/user/verdaccio.clone/.changeset/light-scissors-smell.md
 ```
 
-Once the changeset is added (all will have an unique name) you can freely edit
+Once the changeset is added (all will have a unique name) you can freely edit
 using markdown, adding additional information, code snippets or whatever else
 you consider to be relevant.
 
@@ -364,6 +386,8 @@ All translations are provided by the **[crowdin](http://crowdin.com)** platform,
 
 If you want to contribute by adding translations, create an account (GitHub could be used as fast alternative), in the platform you can contribute to two areas, the website or improve User Interface translations.
 
+> Languages with less the 40% of translations available are excluded by the build system.
+
 If a language is not listed, ask for it in the [Discord](https://discord.gg/7qWJxBf) channel #contribute channel.
 
 For adding a new **language** on the UI follow these steps:
@@ -371,7 +395,7 @@ For adding a new **language** on the UI follow these steps:
 1. Ensure the **language** has been enabled, must be visible in the `crowdin` platform.
 2. Find in the explorer the file `en.US.json` in the path `packages/plugins/ui-theme/src/i18n/crowdin/ui.json` and complete the translations, **not need to find approval on this**.
 3. Into the project, add a new field into `packages/plugins/ui-theme/src/i18n/crowdin/ui.json` file, in the section `lng`, the new language, eg: `{ lng: {korean:"Korean"}}`. (This file is English based, once the PR has been merged, this string will be available in crowdin for translate to the targeted language).
-4. Add the language, [flag icon](https://www.npmjs.com/package/country-flag-icons), and the menu key fort he new language eg: `menuKey: 'lng.korean'` to the file `packages/plugins/ui-theme/src/i18n/enabledLanguages.ts`.
+4. Add the language, [flag icon](https://www.npmjs.com/package/country-flag-icons), and the menu key for the new language eg: `menuKey: 'lng.korean'` to the file `packages/plugins/ui-theme/src/i18n/enabledLanguages.ts`.
 5. For local testing, read `packages/plugins/ui-theme/src/i18n/ABOUT_TRANSLATIONS.md`.
 6. Add a `changeset` file, see more info below.
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=${BUILDPLATFORM:-linux/amd64} node:18-alpine as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} node:21-alpine as builder
 
 ENV NODE_ENV=development \
     VERDACCIO_BUILD_REGISTRY=https://registry.npmjs.org
@@ -11,7 +11,7 @@ RUN apk --no-cache add openssl ca-certificates wget && \
 
 WORKDIR /opt/verdaccio-build
 COPY . .
-RUN npm -g i pnpm@latest-8 && \
+RUN npm -g i pnpm@8.9.0 && \
     pnpm config set registry $VERDACCIO_BUILD_REGISTRY && \
     pnpm install --frozen-lockfile --ignore-scripts && \
     rm -Rf test && \
@@ -20,7 +20,7 @@ RUN npm -g i pnpm@latest-8 && \
 # NODE_ENV=production pnpm install --frozen-lockfile --ignore-scripts
 # RUN pnpm install --prod --ignore-scripts
 
-FROM node:18-alpine
+FROM node:21-alpine
 LABEL maintainer="https://github.com/verdaccio/verdaccio"
 
 ENV VERDACCIO_APPDIR=/opt/verdaccio \

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 Verdaccio contributors
+Copyright (c) 2024 Verdaccio contributors
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,4 +1,4 @@
-[![BannerUK](https://cdn.verdaccio.dev/readme/banner-uk.svg)](https://donate.redcrossredcrescent.org/ua/donate/~my-donation?_cv=1)
+[![BannerHelp](https://cdn.verdaccio.dev/readme/banner-uk.svg)](https://u24.gov.ua)
 
 > Verdaccio stands for **peace**, stop the war, we will be yellow / blue 🇺🇦 until that happens.
 
@@ -33,7 +33,6 @@ Google Cloud Storage** or create your own plugin.
 [![MIT](https://img.shields.io/github/license/mashape/apistatus.svg)](https://github.com/verdaccio/verdaccio/blob/master/LICENSE)
 [![Crowdin](https://d322cqt584bo4o.cloudfront.net/verdaccio/localized.svg)](https://crowdin.com/project/verdaccio)
 
-[![Twitter followers](https://img.shields.io/twitter/follow/verdaccio_npm.svg?style=social&label=Follow)](https://twitter.com/verdaccio_npm)
 [![Github](https://img.shields.io/github/stars/verdaccio/verdaccio.svg?style=social&label=Stars)](https://github.com/verdaccio/verdaccio/stargazers)
 [![StandWithUkraine](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/badges/StandWithUkraine.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md)
 
@@ -88,7 +87,7 @@ Learn more [here](https://verdaccio.org/docs/dev-plugins) how to develop plugins
 
 ## Donations
 
-Verdaccio is run by **volunteers**; nobody is working full-time on it. If you find this project to be useful and would like to support its development, consider do a long support donation - **and your logo will be on this section of the readme.**
+Verdaccio is run by **volunteers**; nobody is working full-time on it. If you find this project to be useful and would like to support its development, consider doing a long support donation - **and your logo will be on this section of the readme.**
 
 **[Donate](https://github.com/sponsors/verdaccio)** 💵👍🏻 starting from _$1/month_ or just one single contribution.
 
@@ -114,7 +113,7 @@ If you want to use a modified version of some 3rd-party package (for example, yo
 ### E2E Testing
 
 Verdaccio has proved to be a lightweight registry that can be
-booted in a couple of seconds, fast enough for any CI. Many open source projects use verdaccio for end to end testing, to mention some examples, **create-react-app**, **mozilla neutrino**, **pnpm**, **storybook**, **babel.js**, **angular-cli** or **docusaurus**. You can read more in [here](https://verdaccio.org/docs/e2e).
+booted in a couple of seconds, fast enough for any CI. Many open source projects use Verdaccio for end to end testing, to mention some examples, **create-react-app**, **mozilla neutrino**, **pnpm**, **storybook**, **babel.js**, **angular-cli** or **docusaurus**. You can read more in [here](https://verdaccio.org/docs/e2e).
 
 Furthermore, here few examples how to start:
 
@@ -201,7 +200,7 @@ docker pull verdaccio/verdaccio:nightly-master
 
 Available as [tags](https://hub.docker.com/r/verdaccio/verdaccio/tags/).
 
-### Running verdaccio using Docker
+### Running Verdaccio using Docker
 
 To run the docker container:
 
@@ -213,35 +212,35 @@ Docker examples are available [in this repository](https://github.com/verdaccio/
 
 ## Compatibility
 
-Verdaccio aims to support all features of a standard npm client that make sense to support in private repository. Unfortunately, it isn't always possible.
+Verdaccio aims to support all features of a standard npm client that make sense to support in a private repository. Unfortunately, it isn't always possible.
 
 ### Basic features
 
-- Installing packages (npm install, npm upgrade, etc.) - **supported**
-- Publishing packages (npm publish) - **supported**
+- Installing packages (`npm install`, `npm update`, etc.) - **supported**
+- Publishing packages (`npm publish`) - **supported**
 
 ### Advanced package control
 
-- Unpublishing packages (npm unpublish) - **supported**
-- Tagging (npm tag) - **supported**
-- Deprecation (npm deprecate) - **supported**
+- Unpublishing packages (`npm unpublish`) - **supported**
+- Tagging (`npm dist-tag`) - **supported**
+- Deprecation (`npm deprecate`) - **supported**
 
 ### User management
 
-- Registering new users (npm adduser {newuser}) - **supported**
-- Change password (npm profile set password) - **supported**
-- Transferring ownership (npm owner add {user} {pkg}) - not supported, _PR-welcome_
-- Token (npm token) - **supported**
+- Registering new users (`npm adduser {newuser}`) - **supported**
+- Change password (`npm profile set password`) - **supported**
+- Transferring ownership (`npm owner add {user} {pkg}`) - not supported, _PR-welcome_
+- Token (`npm token`) - **supported**
 
-### Miscellany
+### Miscellaneous
 
-- Searching (npm search) - **supported** (cli / browser)
-- Ping (npm ping) - **supported**
-- Starring (npm star, npm unstar, npm stars) - **supported**
+- Searching (`npm search`) - **supported** (cli / browser)
+- Ping (`npm ping`) - **supported**
+- Starring (`npm star`, `npm unstar`, `npm stars`) - **supported**
 
 ### Security
 
-- npm/yarn audit - **supported**
+- Audit (`npm/yarn audit`) - **supported**
 
 ## Report a vulnerability
 
@@ -270,7 +269,7 @@ Thanks to the following companies to help us to achieve our goals providing free
 | ![priscilawebdev](https://avatars2.githubusercontent.com/u/29228205?s=120&v=4) | ![DanielRuf](https://avatars3.githubusercontent.com/u/827205?s=120&v=4)  |
 | [@priscilawebdev](https://twitter.com/priscilawebdev)                          | [@DanielRufde](https://twitter.com/DanielRufde)                          |
 
-You can find and chat with then over Discord, click [here](http://chat.verdaccio.org) or follow them at _Twitter_.
+You can find and chat with them over Discord, click [here](http://chat.verdaccio.org) or follow them at _Twitter_.
 
 ## Who is using Verdaccio?
 
@@ -324,7 +323,7 @@ This project exists thanks to all the people who contribute. [[Contribute](CONTR
 
 ### FAQ / Contact / Troubleshoot
 
-If you have any issue you can try the following options, do no desist to ask or check our issues database, perhaps someone has asked already what you are looking for.
+If you have any issue you can try the following options. Do no hesitate to ask or check our issues database. Perhaps someone has asked already what you are looking for.
 
 - [Blog](https://verdaccio.org/blog/)
 - [Donations](https://github.com/sponsors/verdaccio)

crowdin.yaml

@@ -15,5 +15,5 @@ files:
     ignore: [/website/docs/api/**/*]
   - source: /website/versioned_docs/**/*
     translation: /website/i18n/%locale%/docusaurus-plugin-content-docs/**/%original_file_name%
-    ignore: [/website/versioned_docs/version-5.x/api/**/*]
+    ignore: [/website/versioned_docs/version-5.x/api/**/*, /website/versioned_docs/version-6.x/api/**/*]
    

docker-examples/v6/plugins/docker-local-plugin/plugins/verdaccio-docker-memory/lib/local-memory.js

@@ -91,8 +91,8 @@ class LocalMemory {
       (_this$data = this.data) === null || _this$data === void 0
         ? void 0
         : (_this$data$list = _this$data.list) === null || _this$data$list === void 0
-        ? void 0
-        : _this$data$list.length
+          ? void 0
+          : _this$data$list.length
     );
     return Promise.resolve(
       (_this$data2 = this.data) === null || _this$data2 === void 0 ? void 0 : _this$data2.list

e2e/cli/README.md

@@ -3,14 +3,11 @@
 ## What is included on these test?
 
 - Default configuration only
-- Test with all popular package managers:
-- `yarn classic` and `yarn modern (2, 3, 4 RC)`
-- `pnpm 6, 7`
-- `npm 6, 7, 8 and 9`
+- Test with all popular package managers
 
 ### Commands Tested
 
-| cmd       | npm6 | npm7 | npm8 | npm9 | pnpm6 | pnpm7 | pnpm8 | yarn1 | yarn2 | yarn3 | yarn4 |
+| cmd       | npm6 | npm7 | npm8 | npm9 | npm10 | pnpm6 | pnpm7 | yarn1 | yarn2 | yarn3 | yarn4 |
 | --------- | ---- | ---- | ---- | ---- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
 | publish   | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    |
 | info      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    |

e2e/cli/cli-commons/package.json

@@ -5,16 +5,16 @@
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
   "devDependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next.1",
-    "@verdaccio/core": "workspace:7.0.0-next.1",
-    "@verdaccio/types": "workspace:12.0.0-next.0",
+    "@verdaccio/config": "workspace:7.0.0-next-7.11",
+    "@verdaccio/core": "workspace:7.0.0-next-7.11",
+    "@verdaccio/types": "workspace:12.0.0-next.2",
     "debug": "4.3.4",
-    "fs-extra": "10.1.0",
+    "fs-extra": "11.2.0",
+    "get-port": "5.1.1",
     "got": "11.8.6",
     "js-yaml": "4.1.0",
-    "get-port": "5.1.1",
     "lodash": "4.17.21",
-    "verdaccio": "workspace:7.0.0-next.1"
+    "verdaccio": "workspace:7.0.0-next-7.11"
   },
   "scripts": {
     "test": "jest",

e2e/cli/cli-commons/src/process.ts

@@ -31,12 +31,13 @@ export async function exec(options: SpawnOptions, cmd, args): Promise<ExecOutput
   }
 
   const childProcess = spawn(cmd, args, spawnOptions);
-  // @ts-ignore
-  const rl = createInterface({ input: childProcess.stdout });
+  if (childProcess.stdout) {
+    const rl = createInterface({ input: childProcess.stdout });
 
-  rl.on('line', function (line) {
-    stdout += line;
-  });
+    rl.on('line', function (line) {
+      stdout += line;
+    });
+  }
 
   const err = new Error(`Running "${cmd} ${args.join(' ')}" returned error code `);
   return new Promise((resolve, reject) => {
@@ -45,14 +46,9 @@ export async function exec(options: SpawnOptions, cmd, args): Promise<ExecOutput
         resolve({ stdout, stderr });
       } else {
         err.message += `${error}...\n\nSTDOUT:\n${stdout}\n\nSTDERR:\n${stderr}\n`;
-        return reject({ stdout, stderr: err });
+        const errorObj = { stdout, stderr: err };
+        return reject(errorObj);
       }
     });
   });
 }
-
-export function silentNpm(...args): Promise<ExecOutput> {
-  debug('run silent npm %o', args);
-  // @ts-ignore
-  return exec({ silent: true }, 'npm', args);
-}

e2e/cli/cli-commons/src/utils.ts

@@ -5,7 +5,6 @@ import { join } from 'path';
 import { fileUtils } from '@verdaccio/core';
 
 export function createProject(projectName: string) {
-  // @ts-ignore
   const tempRootFolder = global.__namespace.getItem('dir-suite-root');
   const verdaccioInstall = join(tempRootFolder, projectName);
   fs.mkdirSync(verdaccioInstall);

e2e/cli/e2e-npm10/.babelrc

@@ -0,0 +1,3 @@
+{
+  "extends": "../../../.babelrc"
+}

e2e/cli/e2e-npm10/.eslintrc

@@ -0,0 +1,7 @@
+{
+  "rules": {
+    "no-console": 0,
+    "@typescript-eslint/no-var-requires": 0,
+    "@typescript-eslint/explicit-member-accessibility": 0
+  }
+}

e2e/cli/e2e-npm10/CHANGELOG.md

@@ -0,0 +1,62 @@
+# @verdaccio/e2e-cli-npm9
+
+## 1.0.1
+
+### Patch Changes
+
+- Updated dependencies [351aeeaa8]
+- Updated dependencies [d167f92e1]
+- Updated dependencies [c383eb68c]
+  - @verdaccio/test-cli-commons@1.1.0
+
+## 1.0.1-6-next.7
+
+### Patch Changes
+
+- Updated dependencies [c383eb68]
+  - @verdaccio/test-cli-commons@1.1.0-6-next.7
+
+## 1.0.1-6-next.6
+
+### Patch Changes
+
+- Updated dependencies [d167f92e]
+  - @verdaccio/test-cli-commons@1.1.0-6-next.6
+
+## 1.0.1-6-next.5
+
+### Patch Changes
+
+- @verdaccio/test-cli-commons@1.0.1-6-next.5
+
+## 1.0.1-6-next.4
+
+### Patch Changes
+
+- @verdaccio/test-cli-commons@1.0.1-6-next.4
+
+## 1.0.1-6-next.3
+
+### Patch Changes
+
+- 351aeeaa: fix(deps): @verdaccio/utils should be a prod dep of local-storage
+- Updated dependencies [351aeeaa]
+  - @verdaccio/test-cli-commons@1.0.1-6-next.3
+
+## 1.0.1-6-next.2
+
+### Patch Changes
+
+- @verdaccio/test-cli-commons@1.0.1-6-next.2
+
+## 1.0.1-6-next.1
+
+### Patch Changes
+
+- @verdaccio/test-cli-commons@1.0.1-6-next.1
+
+## 1.0.1-6-next.0
+
+### Patch Changes
+
+- @verdaccio/test-cli-commons@1.0.1-6-next.0

e2e/cli/e2e-npm10/audit.spec.ts

@@ -0,0 +1,44 @@
+import { addRegistry, initialSetup, prepareGenericEmptyProject } from '@verdaccio/test-cli-commons';
+
+import { npm } from './utils';
+
+describe('audit a package', () => {
+  jest.setTimeout(10000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test.each([['verdaccio-memory', '@verdaccio/cli']])(
+    'should audit a package %s',
+    async (pkgName) => {
+      const { tempFolder } = await prepareGenericEmptyProject(
+        pkgName,
+        '1.0.0-patch',
+        registry.port,
+        registry.getToken(),
+        registry.getRegistryUrl(),
+        { jquery: '3.6.1' }
+      );
+      // install is required to create package lock file
+      await npm({ cwd: tempFolder }, 'install', ...addRegistry(registry.getRegistryUrl()));
+      const resp = await npm(
+        { cwd: tempFolder },
+        'audit',
+        '--json',
+        ...addRegistry(registry.getRegistryUrl())
+      );
+      const parsedBody = JSON.parse(resp.stdout as string);
+      expect(parsedBody.metadata).toBeDefined();
+      expect(parsedBody.auditReportVersion).toBeDefined();
+      expect(parsedBody.vulnerabilities).toBeDefined();
+    }
+  );
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-npm10/deprecate.spec.ts

@@ -0,0 +1,115 @@
+import {
+  addRegistry,
+  initialSetup,
+  npmUtils,
+  prepareGenericEmptyProject,
+} from '@verdaccio/test-cli-commons';
+
+import { npm } from './utils';
+
+describe('deprecate a package', () => {
+  jest.setTimeout(20000);
+  let registry;
+
+  async function deprecate(tempFolder, packageVersion, registry, message) {
+    await npm(
+      { cwd: tempFolder },
+      'deprecate',
+      packageVersion,
+      message,
+      '--json',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+  }
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test.each([['@verdaccio/deprecated-1']])(
+    'should deprecate a single package %s',
+    async (pkgName) => {
+      const message = 'some message';
+      const { tempFolder } = await prepareGenericEmptyProject(
+        pkgName,
+        '1.0.0',
+        registry.port,
+        registry.getToken(),
+        registry.getRegistryUrl()
+      );
+      await npmUtils.publish(npm, tempFolder, pkgName, registry);
+      // deprecate one version
+      await deprecate(tempFolder, `${pkgName}@1.0.0`, registry, message);
+      // verify is deprecated
+      const infoBody = await npmUtils.getInfoVersions(npm, `${pkgName}`, registry);
+      expect(infoBody.name).toEqual(pkgName);
+      expect(infoBody.deprecated).toEqual(message);
+    }
+  );
+
+  test.each([['@verdaccio/deprecated-2']])('should un-deprecate a package %s', async (pkgName) => {
+    const message = 'some message';
+    const { tempFolder } = await prepareGenericEmptyProject(
+      pkgName,
+      '1.0.0',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl()
+    );
+    await npmUtils.publish(npm, tempFolder, pkgName, registry);
+    // deprecate one version
+    await deprecate(tempFolder, `${pkgName}@1.0.0`, registry, message);
+    // verify is deprecated
+    const infoBody = await npmUtils.getInfoVersions(npm, `${pkgName}`, registry);
+    expect(infoBody.deprecated).toEqual(message);
+    // empty string is same as undeprecate
+    await deprecate(tempFolder, `${pkgName}@1.0.0`, registry, '');
+    const infoBody2 = await npmUtils.getInfoVersions(npm, `${pkgName}`, registry);
+    expect(infoBody2.deprecated).toBeUndefined();
+  });
+
+  test.each([['@verdaccio/deprecated-3']])(
+    'should deprecate a multiple packages %s',
+    async (pkgName) => {
+      const message = 'some message';
+      const { tempFolder } = await prepareGenericEmptyProject(
+        pkgName,
+        '1.0.0',
+        registry.port,
+        registry.getToken(),
+        registry.getRegistryUrl()
+      );
+      // publish 1.0.0
+      await npmUtils.publish(npm, tempFolder, pkgName, registry);
+      // publish 1.1.0
+      await npmUtils.bumbUp(npm, tempFolder, registry);
+      await npmUtils.publish(npm, tempFolder, pkgName, registry);
+      // publish 1.2.0
+      await npmUtils.bumbUp(npm, tempFolder, registry);
+      await npmUtils.publish(npm, tempFolder, pkgName, registry);
+      // publish 1.3.0
+      await npmUtils.bumbUp(npm, tempFolder, registry);
+      await npmUtils.publish(npm, tempFolder, pkgName, registry);
+      // // deprecate all version
+      await deprecate(tempFolder, pkgName, registry, message);
+      // verify is deprecated
+      for (let v of ['1.0.0', '1.1.0', '1.2.0', '1.3.0']) {
+        const infoResp = await npmUtils.getInfoVersions(npm, `${pkgName}@${v}`, registry);
+        expect(infoResp.deprecated).toEqual(message);
+      }
+      // publish normal version
+      // publish 1.4.0
+      await npmUtils.bumbUp(npm, tempFolder, registry);
+      await npmUtils.publish(npm, tempFolder, pkgName, registry);
+      const infoResp = await npmUtils.getInfoVersions(npm, `${pkgName}@1.4.0`, registry);
+      // must be not deprecated
+      expect(infoResp.deprecated).toBeUndefined();
+    }
+  );
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-npm10/dist-tags.spec.ts

@@ -0,0 +1,91 @@
+import {
+  addRegistry,
+  initialSetup,
+  npmUtils,
+  prepareGenericEmptyProject,
+} from '@verdaccio/test-cli-commons';
+
+import { npm } from './utils';
+
+describe('publish a package', () => {
+  jest.setTimeout(20000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test.each([['@foo/foo', 'foo']])('should list dist-tags for %s', async (pkgName) => {
+    const { tempFolder } = await prepareGenericEmptyProject(
+      pkgName,
+      '1.0.0',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl()
+    );
+    await npmUtils.publish(npm, tempFolder, pkgName, registry);
+    await npmUtils.bumbUp(npm, tempFolder, registry);
+    await npmUtils.publish(npm, tempFolder, pkgName, registry, ['--tag', 'beta']);
+    const resp2 = await npm(
+      { cwd: tempFolder },
+      'dist-tag',
+      'ls',
+      '--json',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    expect(resp2.stdout).toEqual('beta: 1.1.0latest: 1.0.0');
+  });
+
+  test.each([['@verdaccio/bar']])('should remove tag with dist-tags for %s', async (pkgName) => {
+    const { tempFolder } = await prepareGenericEmptyProject(
+      pkgName,
+      '1.0.0',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl()
+    );
+    await npmUtils.publish(npm, tempFolder, pkgName, registry);
+    await npmUtils.bumbUp(npm, tempFolder, registry);
+    await npmUtils.publish(npm, tempFolder, pkgName, registry, ['--tag', 'beta']);
+    const resp2 = await npm(
+      { cwd: tempFolder },
+      'dist-tag',
+      'rm',
+      `${pkgName}@1.1.0`,
+      'beta',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    expect(resp2.stdout).toEqual('-beta: @verdaccio/bar@1.1.0');
+  });
+
+  test.each([['@verdaccio/five']])(
+    'should add tag to package and version with dist-tags for %s',
+    async (pkgName) => {
+      const { tempFolder } = await prepareGenericEmptyProject(
+        pkgName,
+        '1.0.0',
+        registry.port,
+        registry.getToken(),
+        registry.getRegistryUrl()
+      );
+      await npmUtils.publish(npm, tempFolder, pkgName, registry);
+      await npmUtils.bumbUp(npm, tempFolder, registry);
+      await npmUtils.publish(npm, tempFolder, pkgName, registry);
+      const resp2 = await npm(
+        { cwd: tempFolder },
+        'dist-tag',
+        'add',
+        `${pkgName}@1.1.0`,
+        'alfa',
+        ...addRegistry(registry.getRegistryUrl())
+      );
+      expect(resp2.stdout).toEqual(`+alfa: ${pkgName}@1.1.0`);
+    }
+  );
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-npm10/info.spec.ts

@@ -0,0 +1,31 @@
+import { addRegistry, initialSetup } from '@verdaccio/test-cli-commons';
+
+import { npm } from './utils';
+
+describe('install a package', () => {
+  jest.setTimeout(10000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test('should run npm info json body', async () => {
+    const resp = await npm(
+      {},
+      'info',
+      'verdaccio',
+      '--json',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    const parsedBody = JSON.parse(resp.stdout as string);
+    expect(parsedBody.name).toEqual('verdaccio');
+    expect(parsedBody.dependencies).toBeDefined();
+  });
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-npm10/install.spec.ts

@@ -0,0 +1,38 @@
+import { addRegistry, initialSetup, prepareGenericEmptyProject } from '@verdaccio/test-cli-commons';
+
+import { npm } from './utils';
+
+describe('install a project packages', () => {
+  jest.setTimeout(100000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test('should run npm install json body', async () => {
+    const { tempFolder } = await prepareGenericEmptyProject(
+      'something',
+      '1.0.0-patch',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl(),
+      { react: '18.2.0' }
+    );
+    const resp = await npm(
+      { cwd: tempFolder },
+      'install',
+      '--json',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    const parsedBody = JSON.parse(resp.stdout as string);
+    expect(parsedBody.added).toBeDefined();
+    expect(parsedBody.audit).toBeDefined();
+  });
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-npm10/jest.config.js

@@ -0,0 +1,3 @@
+const config = require('../jest.config');
+
+module.exports = { ...config };

e2e/cli/e2e-npm10/package.json

@@ -0,0 +1,12 @@
+{
+  "private": true,
+  "name": "@verdaccio/e2e-cli-npm9",
+  "version": "1.0.1",
+  "dependencies": {
+    "@verdaccio/test-cli-commons": "workspace:1.1.0",
+    "npm": "10.4.0"
+  },
+  "scripts": {
+    "test": "jest"
+  }
+}

e2e/cli/e2e-npm10/ping.spec.ts

@@ -0,0 +1,24 @@
+import { addRegistry, initialSetup } from '@verdaccio/test-cli-commons';
+
+import { npm } from './utils';
+
+describe('ping registry', () => {
+  jest.setTimeout(10000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test('should ping registry', async () => {
+    const resp = await npm({}, 'ping', '--json', ...addRegistry(registry.getRegistryUrl()));
+    const parsedBody = JSON.parse(resp.stdout as string);
+    expect(parsedBody.registry).toEqual(registry.getRegistryUrl() + '/');
+  });
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-npm10/publish.spec.ts

@@ -0,0 +1,41 @@
+import { addRegistry, initialSetup, prepareGenericEmptyProject } from '@verdaccio/test-cli-commons';
+
+import { npm } from './utils';
+
+describe('install a package', () => {
+  jest.setTimeout(10000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test.each([['verdaccio-memory', 'verdaccio', '@verdaccio/foo', '@verdaccio/some-foo']])(
+    'should publish a package %s',
+    async (pkgName) => {
+      const { tempFolder } = await prepareGenericEmptyProject(
+        pkgName,
+        '1.0.0-patch',
+        registry.port,
+        registry.getToken(),
+        registry.getRegistryUrl()
+      );
+      const resp = await npm(
+        { cwd: tempFolder },
+        'publish',
+        '--json',
+        ...addRegistry(registry.getRegistryUrl())
+      );
+      const parsedBody = JSON.parse(resp.stdout as string);
+      expect(parsedBody.name).toEqual(pkgName);
+      expect(parsedBody.files).toBeDefined();
+      expect(parsedBody.files).toBeDefined();
+    }
+  );
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-npm10/search.spec.ts

@@ -0,0 +1,33 @@
+import { addRegistry, initialSetup } from '@verdaccio/test-cli-commons';
+
+import { npm } from './utils';
+
+describe('search a package', () => {
+  jest.setTimeout(10000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test('should search a package', async () => {
+    const resp = await npm(
+      {},
+      'search',
+      '@verdaccio/cli',
+      '--json',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    const parsedBody = JSON.parse(resp.stdout as string);
+    const pkgFind = parsedBody.find((item) => {
+      return item.name === '@verdaccio/cli';
+    });
+    expect(pkgFind.name).toEqual('@verdaccio/cli');
+  });
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-npm10/star.spec.ts

@@ -0,0 +1,85 @@
+import {
+  addRegistry,
+  initialSetup,
+  npmUtils,
+  prepareGenericEmptyProject,
+} from '@verdaccio/test-cli-commons';
+
+import { npm } from './utils';
+
+describe('star a package', () => {
+  jest.setTimeout(20000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test.each([['@verdaccio/foo']])('should star a package %s', async (pkgName) => {
+    const { tempFolder } = await prepareGenericEmptyProject(
+      pkgName,
+      '1.0.0-patch',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl()
+    );
+
+    await npmUtils.publish(npm, tempFolder, pkgName, registry);
+    const resp = await npm(
+      { cwd: tempFolder },
+      'star',
+      pkgName,
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    expect(resp.stdout).toEqual(`★  ${pkgName}`);
+  });
+
+  test.each([['@verdaccio/bar']])('should unstar a package %s', async (pkgName) => {
+    const { tempFolder } = await prepareGenericEmptyProject(
+      pkgName,
+      '1.0.0-patch',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl()
+    );
+
+    await npmUtils.publish(npm, tempFolder, pkgName, registry);
+    const resp = await npm(
+      { cwd: tempFolder },
+      'star',
+      pkgName,
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    expect(resp.stdout).toEqual(`★  ${pkgName}`);
+
+    const resp1 = await npm(
+      { cwd: tempFolder },
+      'unstar',
+      pkgName,
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    expect(resp1.stdout).toEqual(`☆  ${pkgName}`);
+  });
+
+  test('should list stars of a user %s', async () => {
+    const pkgName = '@verdaccio/stars';
+    const { tempFolder } = await prepareGenericEmptyProject(
+      pkgName,
+      '1.0.0-patch',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl()
+    );
+    await npmUtils.publish(npm, tempFolder, pkgName, registry);
+    await npm({ cwd: tempFolder }, 'star', pkgName, ...addRegistry(registry.getRegistryUrl()));
+    const resp = await npm({ cwd: tempFolder }, 'stars', ...addRegistry(registry.getRegistryUrl()));
+    // side effects: this result is affected the the package published in the previous step
+    expect(resp.stdout).toEqual(`@verdaccio/foo@verdaccio/stars`);
+  });
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-npm10/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "../../../tsconfig.reference.json",
+  "references": [
+    {
+      "path": "../cli-commons"
+    }
+  ]
+}

e2e/cli/e2e-npm10/utils.ts

@@ -0,0 +1,41 @@
+import { SpawnOptions } from 'child_process';
+import { join } from 'path';
+
+import { exec } from '@verdaccio/test-cli-commons';
+import { addRegistry } from '@verdaccio/test-cli-commons';
+
+export function getCommand() {
+  return join(__dirname, './node_modules/.bin/npm');
+}
+
+export function npm(options: SpawnOptions, ...args: string[]) {
+  return exec(options, getCommand(), args);
+}
+
+export async function bumbUp(tempFolder, registry) {
+  await npm({ cwd: tempFolder }, 'version', 'minor', ...addRegistry(registry.getRegistryUrl()));
+}
+
+export async function publish(tempFolder, pkgName, registry, arg: string[] = []) {
+  const resp = await npm(
+    { cwd: tempFolder },
+    'publish',
+    ...arg,
+    '--json',
+    ...addRegistry(registry.getRegistryUrl())
+  );
+  const parsedBody = JSON.parse(resp.stdout as string);
+  expect(parsedBody.name).toEqual(pkgName);
+}
+
+export async function getInfoVersions(pkgName, registry) {
+  const infoResp = await npm(
+    {},
+    'info',
+    pkgName,
+    '--json',
+    ...addRegistry(registry.getRegistryUrl())
+  );
+  const infoBody = JSON.parse(infoResp.stdout as string);
+  return infoBody;
+}

e2e/cli/e2e-npm6/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.7.1"
+    "npm": "9.9.2"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm7/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.7.1"
+    "npm": "9.9.2"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm8/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.7.1"
+    "npm": "9.9.2"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm9/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.7.1"
+    "npm": "9.9.2"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn1/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "yarn": "1.22.19"
+    "yarn": "1.22.21"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn2/audit.spec.ts

@@ -18,7 +18,7 @@ describe('audit a package yarn 2', () => {
       {
         packageName: '@scope/name',
         version: '1.0.0',
-        dependencies: { jquery: '3.0.0' },
+        dependencies: { aaa: 'latest' },
         devDependencies: {},
       }
     );
@@ -27,6 +27,9 @@ describe('audit a package yarn 2', () => {
 
   test('should run yarn npm audit info json body', async () => {
     await yarn(projectFolder, 'install');
+    // this might fails if the dependency used above has vulnerabilities
+    // always try to use ar real dependency that does not have such issues
+    // yarn berry uses exit 1 if has error https://github.com/yarnpkg/berry/pull/4358
     const resp = await yarn(projectFolder, 'npm', 'audit', '--json');
     const parsedBody = JSON.parse(resp.stdout as string);
     expect(parsedBody.advisories).toBeDefined();

e2e/cli/e2e-yarn3/audit.spec.ts

@@ -12,13 +12,13 @@ describe('audit a package yarn 3', () => {
     registry = setup.registry;
     await registry.init();
     const { tempFolder } = await yarnModernUtils.prepareYarnModernProject(
-      'yarn-2',
+      'yarn-3',
       registry.getRegistryUrl(),
       getYarnCommand(),
       {
         packageName: '@scope/name',
         version: '1.0.0',
-        dependencies: { jquery: '3.0.0' },
+        dependencies: { aaa: 'latest' },
         devDependencies: {},
       }
     );
@@ -27,6 +27,9 @@ describe('audit a package yarn 3', () => {
 
   test('should run yarn npm audit info json body', async () => {
     await yarn(projectFolder, 'install');
+    // this might fails if the dependency used above has vulnerabilities
+    // always try to use ar real dependency that does not have such issues
+    // yarn berry uses exit 1 if has error https://github.com/yarnpkg/berry/pull/4358
     const resp = await yarn(projectFolder, 'npm', 'audit', '--json');
     const parsedBody = JSON.parse(resp.stdout as string);
     expect(parsedBody.advisories).toBeDefined();

e2e/cli/e2e-yarn3/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "@yarnpkg/cli-dist": "3.4.1"
+    "@yarnpkg/cli-dist": "3.8.0"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn4/package.json

@@ -3,7 +3,7 @@
   "name": "@verdaccio/e2e-cli-yarn4",
   "version": "1.0.1",
   "dependencies": {
-    "@yarnpkg/cli-dist": "4.0.0-rc.39",
+    "@yarnpkg/cli-dist": "4.1.0",
     "@verdaccio/test-cli-commons": "workspace:1.1.0"
   },
   "scripts": {

e2e/ui/README.md

@@ -8,6 +8,12 @@
   - Check sidebar
   - Check protected packages works
 
+## Running test locally
+
+- Ensure no other verdaccio server is running, cypress will spawn it's own registry instance
+- To run all test: `pnpm test`
+- To run single test: `pnpm test -- --spec 'cypress/e2e/home.cy.ts'`
+
 ## Contribute
 
 More tests could be added to verify UI works as expected.

e2e/ui/cypress.config.ts

@@ -9,6 +9,14 @@ import { generatePackageMetadata } from '@verdaccio/test-helper';
 
 let registry1;
 export default defineConfig({
+  retries: {
+    runMode: 5,
+    openMode: 0,
+  },
+  // Enable this to see debug screenshots on test failure
+  // screenshotOnRunFailure: true,
+  // Enable this to see debug video on test failure
+  // video: true,
   e2e: {
     setupNodeEvents(on) {
       on('before:run', async () => {

e2e/ui/cypress/e2e/home.cy.ts

@@ -32,4 +32,49 @@ describe('home spec', () => {
     cy.visit(`${ctx.url}/-/web/detail/@verdaccio/not-found`);
     cy.getByTestId('404').contains(`Sorry, we couldn't find it.`);
   });
+
+  it('should open dialog settings tabs are present', () => {
+    cy.visit(ctx.url);
+    cy.getByTestId('header--tooltip-settings').click();
+
+    cy.contains('Package Managers');
+    cy.contains('Translations');
+  });
+
+  it('should close dialog settings tabs are present', () => {
+    cy.visit(ctx.url);
+    cy.getByTestId('header--tooltip-settings').click();
+    cy.get('#registryInfo--dialog-close').click();
+    // check for content at the dialog should not be there
+    cy.get('#panel1a-header').should('not.exist');
+  });
+
+  it('should expand npm dialog registry details', () => {
+    cy.visit(ctx.url);
+    cy.getByTestId('header--tooltip-settings').click();
+    cy.get('#panel1a-header').click();
+    cy.contains(/npm set registry/);
+    cy.contains(/npm adduser --registry/);
+    cy.contains(/npm profile set password/);
+  });
+
+  it('should expand pnpm dialog registry details', () => {
+    cy.visit(ctx.url);
+    cy.getByTestId('header--tooltip-settings').click();
+    cy.get('#panel3a-header').click();
+    cy.contains(/pnpm set registry/);
+    cy.contains(/pnpm adduser --registry/);
+    cy.contains(/pnpm profile set password/);
+  });
+
+  it('should expand yarn dialog registry details', () => {
+    cy.visit(ctx.url);
+    cy.getByTestId('header--tooltip-settings').click();
+    cy.get('#panel2a-header').click();
+    // some initial explanation
+    cy.contains(/Yarn classic configuration differs from Yarn/);
+    // smoke test matches, (this is deelpy tested in the unit test)
+    cy.contains(/.yarnrc.yml/);
+    cy.contains(/npmRegistryServer:/);
+  });
 });

e2e/ui/package.json

@@ -3,12 +3,12 @@
   "name": "@verdaccio/e2e-ui",
   "version": "2.0.0",
   "devDependencies": {
-    "verdaccio": "workspace:7.0.0-next.1",
-    "@verdaccio/core": "workspace:7.0.0-next.1",
-    "@verdaccio/config": "workspace:7.0.0-next.1",
-    "@verdaccio/test-helper": "workspace:3.0.0-next.0",
+    "verdaccio": "workspace:7.0.0-next-7.11",
+    "@verdaccio/core": "workspace:7.0.0-next-7.11",
+    "@verdaccio/config": "workspace:7.0.0-next-7.11",
+    "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
     "debug": "4.3.4",
-    "cypress": "^11.2.0",
+    "cypress": "^13.6.0",
     "get-port": "5.1.1"
   },
   "scripts": {

jest/config.js

@@ -4,7 +4,7 @@ module.exports = {
     '^.+\\.(js|ts)$': 'babel-jest',
   },
   verbose: false,
-  collectCoverage: true,
+  collectCoverage: false,
   coverageReporters: ['text', 'html'],
   collectCoverageFrom: ['src/**/*.ts', '!**/node_modules/**', '!**/partials/**', '!**/fixture/**'],
   coveragePathIgnorePatterns: ['node_modules', 'fixtures'],

netlify.toml

@@ -1,19 +1,7 @@
-[build]
-  command = "pnpm build"
-  publish = "build/"
-
-[build.environment]
-  NPM_FLAGS="--prefix=/dev/null"
-  NODE_VERSION = "14"
-
-[context.production]
-  command = "pnpm netlify:build:production"
-
-[context.deploy-preview]
-  command = "pnpm netlify:build:deployPreview"
-
-[context.branch-deploy]
-  command = "pnpm netlify:build:deployPreview"
-
-[[plugins]]
-package = "../.netlify/netlify-plugin-pnpm"
+[[headers]]
+for = "/*"
+[headers.values]
+X-Frame-Options = "DENY"
+X-XSS-Protection = "1; mode=block"
+X-Content-Type-Options = "nosniff"
+Referrer-Policy = "no-referrer"

package.json

@@ -15,115 +15,119 @@
     "url": "https://opencollective.com/verdaccio"
   },
   "devDependencies": {
-    "@babel/cli": "7.22.10",
-    "@babel/core": "7.22.10",
-    "@babel/eslint-parser": "7.22.10",
-    "@babel/node": "7.22.10",
+    "@babel/cli": "7.23.9",
+    "@babel/core": "7.23.9",
+    "@babel/eslint-parser": "7.23.3",
+    "@babel/node": "7.23.9",
     "@babel/plugin-proposal-class-properties": "7.18.6",
-    "@babel/plugin-proposal-decorators": "7.22.10",
+    "@babel/plugin-proposal-decorators": "7.23.9",
     "@babel/plugin-proposal-export-namespace-from": "7.18.9",
-    "@babel/plugin-proposal-function-sent": "7.22.5",
+    "@babel/plugin-proposal-function-sent": "7.23.3",
     "@babel/plugin-proposal-json-strings": "7.18.6",
     "@babel/plugin-proposal-nullish-coalescing-operator": "7.18.6",
     "@babel/plugin-proposal-numeric-separator": "7.18.6",
     "@babel/plugin-proposal-object-rest-spread": "7.20.7",
     "@babel/plugin-proposal-optional-chaining": "7.21.0",
-    "@babel/plugin-proposal-throw-expressions": "7.22.5",
+    "@babel/plugin-proposal-throw-expressions": "7.23.3",
     "@babel/plugin-syntax-dynamic-import": "7.8.3",
     "@babel/plugin-syntax-import-meta": "7.10.4",
-    "@babel/plugin-transform-async-to-generator": "7.22.5",
-    "@babel/plugin-transform-classes": "7.22.6",
-    "@babel/plugin-transform-runtime": "7.22.10",
-    "@babel/preset-env": "7.22.10",
-    "@babel/preset-react": "7.22.5",
-    "@babel/preset-typescript": "7.22.5",
-    "@babel/register": "7.22.5",
-    "@babel/runtime": "7.22.10",
-    "@changesets/changelog-github": "0.4.8",
-    "@changesets/cli": "2.24.4",
+    "@babel/plugin-transform-async-to-generator": "7.23.3",
+    "@babel/plugin-transform-classes": "7.23.8",
+    "@babel/plugin-transform-runtime": "7.23.9",
+    "@babel/preset-env": "7.23.9",
+    "@babel/preset-react": "7.23.3",
+    "@babel/preset-typescript": "7.23.3",
+    "@babel/register": "7.23.7",
+    "@babel/runtime": "7.23.9",
+    "@changesets/changelog-github": "0.5.0",
+    "@changesets/cli": "2.27.1",
     "@changesets/get-dependents-graph": "1.3.6",
-    "@crowdin/cli": "3.10.1",
+    "@crowdin/cli": "3.16.1",
     "@dianmora/contributors": "5.0.0",
     "@emotion/react": "11.10.6",
     "@emotion/styled": "11.10.6",
-    "@testing-library/dom": "8.19.1",
-    "@testing-library/jest-dom": "5.16.5",
-    "@testing-library/react": "12.1.5",
-    "@trivago/prettier-plugin-sort-imports": "^4.0.0",
-    "@types/async": "3.2.20",
-    "@types/body-parser": "1.19.2",
-    "@types/connect": "3.4.35",
-    "@types/cookiejar": "2.1.2",
-    "@types/debug": "^4.1.7",
-    "@types/express": "4.17.15",
-    "@types/express-serve-static-core": "4.17.31",
-    "@types/http-errors": "1.8.2",
-    "@types/jest": "27.5.2",
-    "@types/jsonwebtoken": "8.5.9",
-    "@types/lodash": "4.14.197",
-    "@types/mime": "2.0.3",
-    "@types/minimatch": "3.0.5",
-    "@types/node": "16.18.40",
-    "@types/node-fetch": "2.6.4",
-    "@types/qs": "6.9.7",
-    "@types/range-parser": "1.2.4",
-    "@types/react": "18.0.26",
-    "@types/react-dom": "18.0.9",
+    "@testing-library/dom": "9.3.4",
+    "@testing-library/jest-dom": "6.4.2",
+    "@testing-library/user-event": "14.5.2",
+    "aria-query": "5.1.3",
+    "@testing-library/react": "14.2.1",
+    "@trivago/prettier-plugin-sort-imports": "4.3.0",
+    "@types/body-parser": "1.19.5",
+    "@types/connect": "3.4.38",
+    "@types/cookiejar": "2.1.5",
+    "@types/debug": "4.1.12",
+    "@types/express": "4.17.21",
+    "@types/express-serve-static-core": "4.17.42",
+    "@types/http-errors": "2.0.4",
+    "@types/jest": "29.5.11",
+    "@types/jsonwebtoken": "9.0.5",
+    "@types/lodash": "4.14.202",
+    "@types/mime": "3.0.4",
+    "@types/minimatch": "5.1.2",
+    "@types/node": "20.11.7",
+    "@types/node-fetch": "2.6.11",
+    "@types/qs": "6.9.11",
+    "@types/range-parser": "1.2.7",
+    "@types/react": "18.2.48",
+    "@types/react-dom": "18.2.18",
     "@types/react-router-dom": "5.3.3",
-    "@types/react-virtualized": "9.21.21",
+    "@types/react-virtualized": "9.21.29",
     "@types/redux": "3.6.0",
-    "@types/request": "2.48.8",
-    "@types/semver": "7.5.0",
-    "@types/serve-static": "1.13.10",
-    "@types/superagent": "4.1.18",
-    "@types/supertest": "2.0.12",
-    "@types/testing-library__jest-dom": "5.14.9",
-    "@types/validator": "13.7.17",
-    "@types/webpack": "5.28.1",
-    "@types/webpack-env": "1.18.1",
-    "@typescript-eslint/eslint-plugin": "5.59.8",
-    "@typescript-eslint/parser": "5.59.8",
+    "@types/semver": "7.5.6",
+    "@types/send": "0.17.4",
+    "@types/serve-static": "1.15.5",
+    "@types/superagent": "4.1.24",
+    "@types/supertest": "2.0.16",
+    "@types/testing-library__jest-dom": "6.0.0",
+    "@types/validator": "13.11.8",
+    "@types/webpack": "5.28.5",
+    "@types/webpack-env": "1.18.4",
+    "@typescript-eslint/eslint-plugin": "6.19.1",
+    "@typescript-eslint/parser": "6.19.1",
     "@verdaccio/crowdin-translations": "workspace:*",
     "@verdaccio/eslint-config": "workspace:*",
     "@verdaccio/types": "workspace:*",
     "@verdaccio/ui-theme": "workspace:*",
+    "@vitest/coverage-v8": "0.34.6",
     "babel-core": "7.0.0-bridge.0",
-    "babel-jest": "29.4.3",
+    "babel-jest": "29.7.0",
     "babel-plugin-dynamic-import-node": "2.3.3",
-    "babel-plugin-emotion": "10.2.2",
-    "concurrently": "6.5.1",
+    "babel-plugin-emotion": "11.0.0",
+    "concurrently": "8.2.2",
     "cross-env": "7.0.3",
     "debug": "4.3.4",
     "detect-secrets": "1.0.6",
-    "eslint": "8.42.0",
-    "fs-extra": "10.1.0",
+    "eslint": "8.56.0",
+    "fs-extra": "11.2.0",
     "got": "11.8.6",
-    "husky": "7.0.4",
+    "husky": "8.0.3",
     "in-publish": "2.0.1",
-    "jest": "29.4.3",
-    "jest-diff": "29.4.3",
-    "jest-environment-jsdom": "29.4.3",
-    "jest-environment-jsdom-global": "3.1.2",
-    "jest-environment-node": "29.3.1",
-    "jest-junit": "12.3.0",
+    "jest": "29.7.0",
+    "jest-diff": "29.7.0",
+    "jest-environment-jsdom": "29.7.0",
+    "jest-environment-jsdom-global": "4.0.0",
+    "jest-environment-node": "29.7.0",
+    "jest-junit": "16.0.0",
     "kleur": "4.1.5",
     "lint-staged": "11.2.6",
-    "nock": "13.2.9",
-    "nodemon": "2.0.20",
-    "npm-run-all": "4.1.5",
-    "prettier": "2.8.8",
+    "nock": "13.5.1",
+    "nodemon": "3.0.3",
+    "npm-run-all2": "5.0.2",
+    "prettier": "3.2.2",
     "react": "18.2.0",
     "react-dom": "18.2.0",
-    "rimraf": "3.0.2",
-    "selfsigned": "1.10.14",
-    "supertest": "6.3.3",
-    "ts-node": "10.9.1",
-    "typescript": "4.9.4",
-    "update-ts-references": "2.4.1",
+    "rimraf": "5.0.5",
+    "selfsigned": "2.4.1",
+    "supertest": "6.3.4",
+    "ts-node": "10.9.2",
+    "typescript": "5.3.3",
+    "undici-types": "5.28.2",
+    "update-ts-references": "3.2.1",
     "verdaccio-audit": "workspace:*",
     "verdaccio-auth-memory": "workspace:*",
     "verdaccio-htpasswd": "workspace:*",
-    "verdaccio-memory": "workspace:*"
+    "verdaccio-memory": "workspace:*",
+    "vitest": "0.34.6"
   },
   "scripts": {
     "prepare": "husky install",
@@ -133,7 +137,7 @@
     "docker": "docker build -t verdaccio/verdaccio:local . --no-cache",
     "format": "prettier --write \"**/*.{js,jsx,ts,tsx,json,yml,yaml,md}\"",
     "format:check": "prettier --check \"**/*.{js,jsx,ts,tsx,json,yml,yaml,md}\"",
-    "lint": "eslint --max-warnings 100 \"**/*.{js,jsx,ts,tsx}\"",
+    "lint": "eslint --max-warnings 70 \"**/*.{js,jsx,ts,tsx}\"",
     "test": "pnpm --filter \"./packages/**\" test",
     "test:e2e:cli": "pnpm --filter ...@verdaccio/e2e-cli-* test -- --coverage=false",
     "test:e2e:ui": "pnpm --filter ...@verdaccio/e2e-ui test",
@@ -169,18 +173,13 @@
     "local:publish": "cross-env npm_config_registry=http://localhost:4873 changeset publish --no-git-tag",
     "local:publish:release": "concurrently \"pnpm local:registry\" \"pnpm local:publish\""
   },
-  "pnpm": {
-    "overrides": {
-      "got": "11.8.5",
-      "p-cancelable": "2.1.1"
-    }
-  },
   "engines": {
-    "node": ">=16.5"
+    "node": ">=18"
   },
   "license": "MIT",
   "lint-staged": {
     "*.{js,jsx,ts,tsx,json,yml,yaml,md}": "prettier --write",
     "*.{js,jsx,ts,tsx}": "eslint --cache --fix"
-  }
+  },
+  "packageManager": "pnpm@8.14.0+sha256.9cebf61abd83f68177b29484da72da9751390eaad46dfc3072d266bfbb1ba7bf"
 }

packages/api/CHANGELOG.md

@@ -1,5 +1,141 @@
 # @verdaccio/api
 
+## 7.0.0-next-7.11
+
+### Patch Changes
+
+- Updated dependencies [c9962fe]
+  - @verdaccio/config@7.0.0-next-7.11
+  - @verdaccio/auth@7.0.0-next-7.11
+  - @verdaccio/middleware@7.0.0-next-7.11
+  - @verdaccio/store@7.0.0-next-7.11
+  - @verdaccio/core@7.0.0-next-7.11
+  - @verdaccio/utils@7.0.0-next-7.11
+  - @verdaccio/logger@7.0.0-next-7.11
+
+## 7.0.0-next-7.10
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.10
+- @verdaccio/config@7.0.0-next-7.10
+- @verdaccio/auth@7.0.0-next-7.10
+- @verdaccio/middleware@7.0.0-next-7.10
+- @verdaccio/store@7.0.0-next-7.10
+- @verdaccio/utils@7.0.0-next-7.10
+- @verdaccio/logger@7.0.0-next-7.10
+
+## 7.0.0-next-7.9
+
+### Patch Changes
+
+- Updated dependencies [c807f0c]
+  - @verdaccio/store@7.0.0-next-7.9
+  - @verdaccio/core@7.0.0-next-7.9
+  - @verdaccio/config@7.0.0-next-7.9
+  - @verdaccio/auth@7.0.0-next-7.9
+  - @verdaccio/middleware@7.0.0-next-7.9
+  - @verdaccio/utils@7.0.0-next-7.9
+  - @verdaccio/logger@7.0.0-next-7.9
+
+## 7.0.0-next-7.8
+
+### Patch Changes
+
+- 74cd588: fix: bug on change password npm profile
+  - @verdaccio/core@7.0.0-next-7.8
+  - @verdaccio/config@7.0.0-next-7.8
+  - @verdaccio/auth@7.0.0-next-7.8
+  - @verdaccio/middleware@7.0.0-next-7.8
+  - @verdaccio/store@7.0.0-next-7.8
+  - @verdaccio/utils@7.0.0-next-7.8
+  - @verdaccio/logger@7.0.0-next-7.8
+
+## 7.0.0-next-7.7
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.7
+- @verdaccio/config@7.0.0-next-7.7
+- @verdaccio/auth@7.0.0-next-7.7
+- @verdaccio/middleware@7.0.0-next-7.7
+- @verdaccio/store@7.0.0-next-7.7
+- @verdaccio/utils@7.0.0-next-7.7
+- @verdaccio/logger@7.0.0-next-7.7
+
+## 7.0.0-next.6
+
+### Patch Changes
+
+- Updated dependencies [e14b064]
+- Updated dependencies [4d96324]
+  - @verdaccio/store@7.0.0-next.6
+  - @verdaccio/config@7.0.0-next.6
+  - @verdaccio/auth@7.0.0-next.6
+  - @verdaccio/middleware@7.0.0-next.6
+  - @verdaccio/core@7.0.0-next.6
+  - @verdaccio/utils@7.0.0-next.6
+  - @verdaccio/logger@7.0.0-next.6
+
+## 7.0.0-next.5
+
+### Minor Changes
+
+- f047cc8: refactor: auth with legacy sign support
+
+### Patch Changes
+
+- Updated dependencies [f047cc8]
+  - @verdaccio/middleware@7.0.0-next.5
+  - @verdaccio/core@7.0.0-next.5
+  - @verdaccio/config@7.0.0-next.5
+  - @verdaccio/auth@7.0.0-next.5
+  - @verdaccio/store@7.0.0-next.5
+  - @verdaccio/logger@7.0.0-next.5
+  - @verdaccio/utils@7.0.0-next.5
+
+## 7.0.0-next.4
+
+### Patch Changes
+
+- @verdaccio/auth@7.0.0-next.4
+- @verdaccio/core@7.0.0-next.4
+- @verdaccio/config@7.0.0-next.4
+- @verdaccio/middleware@7.0.0-next.4
+- @verdaccio/store@7.0.0-next.4
+- @verdaccio/utils@7.0.0-next.4
+- @verdaccio/logger@7.0.0-next.4
+
+## 7.0.0-next.3
+
+### Major Changes
+
+- e7ebccb61: update major dependencies, remove old nodejs support
+
+### Patch Changes
+
+- Updated dependencies [daceb6d87]
+- Updated dependencies [e7ebccb61]
+  - @verdaccio/config@7.0.0-next.3
+  - @verdaccio/core@7.0.0-next.3
+  - @verdaccio/middleware@7.0.0-next.3
+  - @verdaccio/utils@7.0.0-next.3
+  - @verdaccio/auth@7.0.0-next.3
+  - @verdaccio/logger@7.0.0-next.3
+  - @verdaccio/store@7.0.0-next.3
+
+## 7.0.0-next.2
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next.2
+- @verdaccio/config@7.0.0-next.2
+- @verdaccio/auth@7.0.0-next.2
+- @verdaccio/middleware@7.0.0-next.2
+- @verdaccio/store@7.0.0-next.2
+- @verdaccio/utils@7.0.0-next.2
+- @verdaccio/logger@7.0.0-next.2
+
 ## 7.0.0-next.1
 
 ### Patch Changes

packages/api/jest.config.js

@@ -1,10 +1,3 @@
 const config = require('../../jest/config');
 
-module.exports = Object.assign({}, config, {
-  coverageThreshold: {
-    global: {
-      // FIXME: increase to 90
-      lines: 60,
-    },
-  },
-});
+module.exports = Object.assign({}, config, {});

packages/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/api",
-  "version": "7.0.0-next.1",
+  "version": "7.0.0-next-7.11",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -25,8 +25,7 @@
     "verdaccio"
   ],
   "engines": {
-    "node": ">=14",
-    "npm": ">=6"
+    "node": ">=18"
   },
   "scripts": {
     "clean": "rimraf ./build",
@@ -39,29 +38,28 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next.1",
-    "@verdaccio/config": "workspace:7.0.0-next.1",
-    "@verdaccio/core": "workspace:7.0.0-next.1",
-    "@verdaccio/logger": "workspace:7.0.0-next.1",
-    "@verdaccio/middleware": "workspace:7.0.0-next.1",
-    "@verdaccio/store": "workspace:7.0.0-next.1",
-    "@verdaccio/utils": "workspace:7.0.0-next.1",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.11",
+    "@verdaccio/config": "workspace:7.0.0-next-7.11",
+    "@verdaccio/core": "workspace:7.0.0-next-7.11",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.11",
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.11",
+    "@verdaccio/store": "workspace:7.0.0-next-7.11",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.11",
     "abortcontroller-polyfill": "1.7.5",
-    "cookies": "0.8.0",
-    "debug": "4.3.4",
     "body-parser": "1.20.2",
+    "cookies": "0.9.0",
+    "debug": "4.3.4",
     "express": "4.18.2",
     "lodash": "4.17.21",
     "mime": "2.6.0",
-    "semver": "7.5.4"
+    "semver": "7.6.0"
   },
   "devDependencies": {
-    "@verdaccio/server": "workspace:7.0.0-next.1",
-    "@verdaccio/types": "workspace:12.0.0-next.0",
-    "@verdaccio/test-helper": "workspace:3.0.0-next.0",
-    "supertest": "6.3.3",
-    "nock": "13.2.9",
-    "mockdate": "3.0.5"
+    "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
+    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "mockdate": "3.0.5",
+    "nock": "13.5.1",
+    "supertest": "6.3.4"
   },
   "funding": {
     "type": "opencollective",

packages/api/src/index.ts

@@ -43,7 +43,6 @@ export default function (config: Config, auth: Auth, storage: Storage): Router {
   app.param('org_couchdb_user', match(/^org\.couchdb\.user:/));
   app.use(auth.apiJWTmiddleware());
   app.use(express.json({ strict: false, limit: config.max_body_size || '10mb' }));
-  // @ts-ignore
   app.use(antiLoop(config));
   // encode / in a scoped package name to be matched as a single parameter in routes
   app.use(encodeScopePackage);

packages/api/src/publish.ts

@@ -196,10 +196,10 @@ export function publishPackage(storage: Storage): any {
         requestOptions: {
           host: req.hostname,
           protocol: req.protocol,
-          // @ts-ignore
-          headers: req.headers,
+          headers: req.headers as { [key: string]: string },
           username,
         },
+        uplinksLook: false,
       });
 
       res.status(HTTP_STATUS.CREATED);

packages/api/src/v1/profile.ts

@@ -81,15 +81,17 @@ export default function (route: Router, auth: Auth, config: Config): void {
           /* eslint new-cap:off */
         }
 
+        if (_.isEmpty(password.old)) {
+          return next(errorUtils.getBadRequest('old password is required'));
+        }
+
         auth.changePassword(
           name,
           password.old,
           password.new,
           (err, isUpdated): $NextFunctionVer => {
             if (_.isNull(err) === false) {
-              return next(
-                errorUtils.getCode(err.status, err.message) || errorUtils.getConflict(err.message)
-              );
+              return next(errorUtils.getForbidden(err.message));
             }
 
             if (isUpdated) {

packages/api/test/integration/config/profile.yaml

@@ -0,0 +1,27 @@
+auth:
+  htpasswd:
+    file: ./htpasswd-profile
+web:
+  enable: true
+  title: verdaccio
+
+uplinks:
+
+log: { type: stdout, format: pretty, level: trace }
+
+packages:
+  '@*/*':
+    access: $all
+    publish: $all
+    unpublish: $all
+    proxy: npmjs
+  'verdaccio':
+    access: $all
+    publish: $all
+  '**':
+    access: $all
+    publish: $all
+    unpublish: $all
+    proxy: npmjs
+
+_debug: true

packages/api/test/integration/config/user.jwt.yaml

@@ -10,7 +10,7 @@ auth:
 
 uplinks:
   ver:
-    url: https://registry.verdaccio.org
+    url: https://registry.npmjs.org
 
 security:
   api:

packages/api/test/integration/config/user.yaml

@@ -7,7 +7,7 @@ web:
 
 uplinks:
   ver:
-    url: https://registry.verdaccio.org
+    url: https://registry.npmjs.org
 
 log: { type: stdout, format: pretty, level: trace }
 

packages/api/test/integration/package.spec.ts

@@ -26,8 +26,8 @@ describe('package', () => {
     });
 
     test.each([
-      ['foo', 'foo-1.0.0.tgz'],
-      ['@scope/foo', 'foo-1.0.0.tgz'],
+      ['foo2', 'foo2-1.0.0.tgz'],
+      ['@scope/foo2', 'foo2-1.0.0.tgz'],
     ])('should fails if tarball does not exist', async (pkg, fileName) => {
       await publishVersion(app, pkg, '1.0.1');
       return await supertest(app)

packages/api/test/integration/profile.spec.ts

@@ -0,0 +1,111 @@
+import supertest from 'supertest';
+
+import { HEADERS, HEADER_TYPE, HTTP_STATUS, TOKEN_BEARER } from '@verdaccio/core';
+import { buildToken } from '@verdaccio/utils';
+
+import { createUser, initializeServer } from './_helper';
+
+describe('profile ', () => {
+  describe('get profile ', () => {
+    test('should return Unauthorized if header token is missing', async () => {
+      const app = await initializeServer('profile.yaml');
+      return supertest(app)
+        .get('/-/npm/v1/user')
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.UNAUTHORIZED);
+    });
+
+    test('should return user details', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .get('/-/npm/v1/user')
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.OK);
+    });
+  });
+  describe('post profile ', () => {
+    test('should return Unauthorized if header token is missing', async () => {
+      const app = await initializeServer('profile.yaml');
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({})
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.UNAUTHORIZED);
+    });
+
+    test('should return handle to short new password', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ password: { new: '_' } })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.UNAUTHORIZED);
+    });
+
+    test('should return handle to missing old password', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ password: { new: 'fooooo', old: undefined } })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.BAD_REQUEST);
+    });
+
+    test('should return handle to missing password', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ another: '_' })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.INTERNAL_ERROR);
+    });
+
+    test('should return handle change password', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ password: { new: 'good password_.%#@$@#$@#', old: 'test' } })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.OK);
+    });
+
+    test('should return handle change password failure', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ password: { new: 'good password_.%#@$@#$@#', old: 'test_do_not_match' } })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.FORBIDDEN);
+    });
+
+    test('should handle tfa ( two factor auth) disabled', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ tfa: '_' })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.SERVICE_UNAVAILABLE);
+    });
+  });
+});

packages/auth/CHANGELOG.md

@@ -1,5 +1,139 @@
 # @verdaccio/auth
 
+## 7.0.0-next-7.11
+
+### Patch Changes
+
+- Updated dependencies [c9962fe]
+  - @verdaccio/config@7.0.0-next-7.11
+  - @verdaccio/loaders@7.0.0-next-7.11
+  - verdaccio-htpasswd@12.0.0-next-7.11
+  - @verdaccio/signature@7.0.0-next.3
+  - @verdaccio/core@7.0.0-next-7.11
+  - @verdaccio/utils@7.0.0-next-7.11
+  - @verdaccio/logger@7.0.0-next-7.11
+
+## 7.0.0-next-7.10
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.10
+- @verdaccio/config@7.0.0-next-7.10
+- @verdaccio/loaders@7.0.0-next-7.10
+- verdaccio-htpasswd@12.0.0-next-7.10
+- @verdaccio/utils@7.0.0-next-7.10
+- @verdaccio/signature@7.0.0-next.3
+- @verdaccio/logger@7.0.0-next-7.10
+
+## 7.0.0-next-7.9
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.9
+- @verdaccio/config@7.0.0-next-7.9
+- @verdaccio/loaders@7.0.0-next-7.9
+- verdaccio-htpasswd@12.0.0-next-7.9
+- @verdaccio/utils@7.0.0-next-7.9
+- @verdaccio/signature@7.0.0-next.3
+- @verdaccio/logger@7.0.0-next-7.9
+
+## 7.0.0-next-7.8
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.8
+- @verdaccio/config@7.0.0-next-7.8
+- @verdaccio/loaders@7.0.0-next-7.8
+- verdaccio-htpasswd@12.0.0-next-7.8
+- @verdaccio/utils@7.0.0-next-7.8
+- @verdaccio/signature@7.0.0-next.3
+- @verdaccio/logger@7.0.0-next-7.8
+
+## 7.0.0-next-7.7
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.7
+- @verdaccio/config@7.0.0-next-7.7
+- @verdaccio/loaders@7.0.0-next-7.7
+- verdaccio-htpasswd@12.0.0-next-7.7
+- @verdaccio/utils@7.0.0-next-7.7
+- @verdaccio/signature@7.0.0-next.3
+- @verdaccio/logger@7.0.0-next-7.7
+
+## 7.0.0-next.6
+
+### Patch Changes
+
+- Updated dependencies [4d96324]
+  - @verdaccio/config@7.0.0-next.6
+  - @verdaccio/loaders@7.0.0-next.6
+  - verdaccio-htpasswd@12.0.0-next.6
+  - @verdaccio/signature@7.0.0-next.3
+  - @verdaccio/core@7.0.0-next.6
+  - @verdaccio/utils@7.0.0-next.6
+  - @verdaccio/logger@7.0.0-next.6
+
+## 7.0.0-next.5
+
+### Minor Changes
+
+- f047cc8: refactor: auth with legacy sign support
+
+### Patch Changes
+
+- Updated dependencies [f047cc8]
+  - @verdaccio/core@7.0.0-next.5
+  - @verdaccio/signature@7.0.0-next.3
+  - @verdaccio/config@7.0.0-next.5
+  - @verdaccio/loaders@7.0.0-next.5
+  - @verdaccio/logger@7.0.0-next.5
+  - verdaccio-htpasswd@12.0.0-next.5
+  - @verdaccio/utils@7.0.0-next.5
+
+## 7.0.0-next.4
+
+### Patch Changes
+
+- Updated dependencies [312bc100f]
+  - @verdaccio/signature@7.0.0-next.2
+  - @verdaccio/core@7.0.0-next.4
+  - @verdaccio/config@7.0.0-next.4
+  - @verdaccio/loaders@7.0.0-next.4
+  - verdaccio-htpasswd@12.0.0-next.4
+  - @verdaccio/utils@7.0.0-next.4
+  - @verdaccio/logger@7.0.0-next.4
+
+## 7.0.0-next.3
+
+### Major Changes
+
+- e7ebccb61: update major dependencies, remove old nodejs support
+
+### Patch Changes
+
+- Updated dependencies [daceb6d87]
+- Updated dependencies [e7ebccb61]
+  - @verdaccio/config@7.0.0-next.3
+  - @verdaccio/core@7.0.0-next.3
+  - verdaccio-htpasswd@12.0.0-next.3
+  - @verdaccio/signature@7.0.0-next.1
+  - @verdaccio/utils@7.0.0-next.3
+  - @verdaccio/loaders@7.0.0-next.3
+  - @verdaccio/logger@7.0.0-next.3
+
+## 7.0.0-next.2
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next.2
+- @verdaccio/config@7.0.0-next.2
+- @verdaccio/loaders@7.0.0-next.2
+- verdaccio-htpasswd@12.0.0-next.2
+- @verdaccio/utils@7.0.0-next.2
+- @verdaccio/signature@7.0.0-next.0
+- @verdaccio/logger@7.0.0-next.2
+
 ## 7.0.0-next.1
 
 ### Patch Changes

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/auth",
-  "version": "7.0.0-next.1",
+  "version": "7.0.0-next-7.11",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -25,8 +25,7 @@
     "verdaccio"
   ],
   "engines": {
-    "node": ">=14",
-    "npm": ">=6"
+    "node": ">=18"
   },
   "scripts": {
     "clean": "rimraf ./build",
@@ -39,19 +38,21 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next.1",
-    "@verdaccio/config": "workspace:7.0.0-next.1",
-    "@verdaccio/loaders": "workspace:7.0.0-next.1",
-    "@verdaccio/logger": "workspace:7.0.0-next.1",
-    "@verdaccio/signature": "workspace:7.0.0-next.0",
-    "@verdaccio/utils": "workspace:7.0.0-next.1",
+    "@verdaccio/core": "workspace:7.0.0-next-7.11",
+    "@verdaccio/config": "workspace:7.0.0-next-7.11",
+    "@verdaccio/loaders": "workspace:7.0.0-next-7.11",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.11",
+    "@verdaccio/signature": "workspace:7.0.0-next.3",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.11",
     "debug": "4.3.4",
-    "express": "4.18.2",
     "lodash": "4.17.21",
-    "verdaccio-htpasswd": "workspace:12.0.0-next.1"
+    "verdaccio-htpasswd": "workspace:12.0.0-next-7.11"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.0"
+    "express": "4.18.2",
+    "supertest": "6.3.4",
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.11",
+    "@verdaccio/types": "workspace:12.0.0-next.2"
   },
   "funding": {
     "type": "opencollective",

packages/auth/src/auth.ts

@@ -1,5 +1,4 @@
 import buildDebug from 'debug';
-import { NextFunction, Request, RequestHandler, Response } from 'express';
 import _ from 'lodash';
 import { HTPasswd } from 'verdaccio-htpasswd';
 
@@ -12,22 +11,36 @@ import {
   VerdaccioError,
   errorUtils,
   pluginUtils,
+  warningUtils,
 } from '@verdaccio/core';
+import '@verdaccio/core';
 import { asyncLoadPlugin } from '@verdaccio/loaders';
 import { logger } from '@verdaccio/logger';
-import { aesEncrypt, parseBasicPayload, signPayload } from '@verdaccio/signature';
+import {
+  aesEncrypt,
+  aesEncryptDeprecated,
+  parseBasicPayload,
+  signPayload,
+} from '@verdaccio/signature';
 import {
   AllowAccess,
   Callback,
   Config,
   JWTSignOptions,
-  Logger,
   PackageAccess,
   RemoteUser,
   Security,
 } from '@verdaccio/types';
 import { getMatchedPackagesSpec, isFunction, isNil } from '@verdaccio/utils';
 
+import {
+  $RequestExtend,
+  $ResponseExtend,
+  AESPayload,
+  IAuthMiddleware,
+  NextFunction,
+  TokenEncryption,
+} from './types';
 import {
   convertPayloadToBase64,
   getDefaultPlugins,
@@ -40,25 +53,6 @@ import {
 
 const debug = buildDebug('verdaccio:auth');
 
-export interface TokenEncryption {
-  jwtEncrypt(user: RemoteUser, signOptions: JWTSignOptions): Promise<string>;
-  aesEncrypt(buf: string): string | void;
-}
-
-// remove
-export interface AESPayload {
-  user: string;
-  password: string;
-}
-export interface IAuthMiddleware {
-  apiJWTmiddleware(): $NextFunctionVer;
-  webUIJWTmiddleware(): $NextFunctionVer;
-}
-
-export type $RequestExtend = Request & { remote_user?: any; log: Logger };
-export type $ResponseExtend = Response & { cookies?: any };
-export type $NextFunctionVer = NextFunction & any;
-
 class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
   public config: Config;
   public secret: string;
@@ -75,6 +69,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
 
   public async init() {
     let plugins = (await this.loadPlugin()) as pluginUtils.Auth<unknown>[];
+
     debug('auth plugins found %s', plugins.length);
     if (!plugins || plugins.length === 0) {
       plugins = this.loadDefaultPlugin();
@@ -226,29 +221,32 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     debug('add user %o', user);
 
     (function next(): void {
+      let method = 'adduser';
       const plugin = plugins.shift() as pluginUtils.Auth<Config>;
-      if (typeof plugin.adduser !== 'function') {
+      // @ts-expect-error future major (7.x) should remove this section
+      if (typeof plugin.adduser === 'undefined' && typeof plugin.add_user === 'function') {
+        method = 'add_user';
+        warningUtils.emit(warningUtils.Codes.VERWAR006);
+      }
+      // @ts-ignore
+      if (typeof plugin[method] !== 'function') {
         next();
       } else {
-        // @ts-expect-error future major (7.x) should remove this section
-        if (typeof plugin.adduser === 'undefined' && typeof plugin.add_user === 'function') {
-          throw errorUtils.getInternalError(
-            'add_user method not longer supported, rename to adduser'
-          );
-        }
-
-        plugin.adduser(
+        // TODO: replace by adduser whenever add_user deprecation method has been removed
+        // @ts-ignore
+        plugin[method](
           user,
           password,
           function (err: VerdaccioError | null, ok?: boolean | string): void {
             if (err) {
-              debug('the user  %o could not being added. Error: %o', user, err?.message);
+              debug('the user %o could not being added. Error: %o', user, err?.message);
               return cb(err);
             }
             if (ok) {
               debug('the user %o has been added', user);
               return self.authenticate(user, password, cb);
             }
+            debug('user could not be added, skip to next auth plugin');
             next();
           }
         );
@@ -308,12 +306,11 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     debug('allow unpublish for %o', packageName);
 
     for (const plugin of this.plugins) {
-      if (_.isNil(plugin) || isFunction(plugin.allow_unpublish) === false) {
+      if (typeof plugin?.allow_unpublish !== 'function') {
         debug('allow unpublish for %o plugin does not implement allow_unpublish', packageName);
         continue;
       } else {
-        // @ts-ignore
-        plugin.allow_unpublish!(user, pkg, (err, ok: boolean): void => {
+        plugin.allow_unpublish(user, pkg, (err, ok): void => {
           if (err) {
             debug(
               'forbidden publish for %o, it will fallback on unpublish permissions',
@@ -324,9 +321,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
 
           if (_.isNil(ok) === true) {
             debug('bypass unpublish for %o, publish will handle the access', packageName);
-            // @ts-ignore
-            // eslint-disable-next-line
-            return this.allow_publish(...arguments);
+            return this.allow_publish({ packageName, packageVersion }, user, callback);
           }
 
           if (ok) {
@@ -350,7 +345,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     const pkg = Object.assign(
       { name: packageName, version: packageVersion },
       getMatchedPackagesSpec(packageName, this.config.packages)
-    ) as any;
+    );
     debug('allow publish for %o init | plugins: %o', packageName, plugins.length);
 
     (function next(): void {
@@ -378,7 +373,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     })();
   }
 
-  public apiJWTmiddleware(): RequestHandler {
+  public apiJWTmiddleware(): any {
     debug('jwt middleware');
     const plugins = this.plugins.slice(0);
     const helpers = { createAnonymousRemoteUser, createRemoteUser };
@@ -388,11 +383,9 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
       }
     }
 
-    // @ts-ignore
     return (req: $RequestExtend, res: $ResponseExtend, _next: NextFunction) => {
       req.pause();
-
-      const next = function (err?: VerdaccioError): any {
+      const next = function (err?: VerdaccioError): NextFunction {
         req.resume();
         // uncomment this to reject users with bad auth headers
         // return _next.apply(null, arguments)
@@ -402,13 +395,14 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
           req.remote_user.error = err.message;
         }
 
-        return _next();
+        return _next() as unknown as NextFunction;
       };
 
-      if (this._isRemoteUserValid(req.remote_user)) {
-        debug('jwt has a valid authentication header');
-        return next();
-      }
+      // FUTURE: disabled, not removed yet but seems unreacable code
+      // if (this._isRemoteUserValid(req.remote_user)) {
+      //   debug('jwt has a valid authentication header');
+      //   return next();
+      // }
 
       // in case auth header does not exist we return anonymous function
       const remoteUser = createAnonymousRemoteUser();
@@ -429,20 +423,20 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
 
       if (isAESLegacy(security)) {
         debug('api middleware using legacy auth token');
-        this._handleAESMiddleware(req, security, secret, authorization, next);
+        this.handleAESMiddleware(req, security, secret, authorization, next);
       } else {
         debug('api middleware using JWT auth token');
-        this._handleJWTAPIMiddleware(req, security, secret, authorization, next);
+        this.handleJWTAPIMiddleware(req, security, secret, authorization, next);
       }
     };
   }
 
-  private _handleJWTAPIMiddleware(
+  private handleJWTAPIMiddleware(
     req: $RequestExtend,
     security: Security,
     secret: string,
     authorization: string,
-    next: Function
+    next: any
   ): void {
     debug('handle JWT api middleware');
     const { scheme, token } = parseAuthTokenHeader(authorization);
@@ -479,7 +473,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     }
   }
 
-  private _handleAESMiddleware(
+  private handleAESMiddleware(
     req: $RequestExtend,
     security: Security,
     secret: string,
@@ -489,7 +483,12 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     debug('handle legacy api middleware');
     debug('api middleware secret %o', typeof secret === 'string');
     debug('api middleware authorization %o', typeof authorization === 'string');
-    const credentials: any = getMiddlewareCredentials(security, secret, authorization);
+    const credentials: any = getMiddlewareCredentials(
+      security,
+      secret,
+      authorization,
+      this.config?.getEnhancedLegacySignature()
+    );
     debug('api middleware credentials %o', credentials?.name);
     if (credentials) {
       const { user, password } = credentials;
@@ -519,8 +518,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
   /**
    * JWT middleware for WebUI
    */
-  public webUIJWTmiddleware(): RequestHandler {
-    // @ts-ignore
+  public webUIJWTmiddleware() {
     return (req: $RequestExtend, res: $ResponseExtend, _next: NextFunction): void => {
       if (this._isRemoteUserValid(req.remote_user)) {
         return _next();
@@ -530,7 +528,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
       const next = (err: VerdaccioError | void): void => {
         req.resume();
         if (err) {
-          // req.remote_user.error = err.message;
+          req.remote_user.error = err.message;
           res.status(err.statusCode).send(err.message);
         }
 
@@ -581,7 +579,6 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
       name,
       groups: groupedGroups,
     };
-
     const token: string = await signPayload(payload, this.secret, signOptions);
 
     return token;
@@ -591,7 +588,17 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
    * Encrypt a string.
    */
   public aesEncrypt(value: string): string | void {
-    return aesEncrypt(value, this.secret);
+    // enhancedLegacySignature enables modern aes192 algorithm signature
+    if (this.config?.getEnhancedLegacySignature()) {
+      debug('signing with enhaced aes legacy');
+      const token = aesEncrypt(value, this.secret);
+      return token;
+    } else {
+      debug('signing with enhaced aes deprecated legacy');
+      // deprecated aes (legacy) signature, only must be used for legacy version
+      const token = aesEncryptDeprecated(Buffer.from(value), this.secret).toString('base64');
+      return token;
+    }
   }
 }
 

packages/auth/src/index.ts

@@ -1,2 +1,3 @@
 export { Auth } from './auth';
 export * from './utils';
+export * from './types';

packages/auth/src/signature-legacy.ts

@@ -0,0 +1,66 @@
+import buildDebug from 'debug';
+import _ from 'lodash';
+
+import { TOKEN_BASIC, TOKEN_BEARER } from '@verdaccio/core';
+import { aesDecryptDeprecated as aesDecrypt, parseBasicPayload } from '@verdaccio/signature';
+import { Security } from '@verdaccio/types';
+
+import { AuthMiddlewarePayload } from './types';
+import {
+  convertPayloadToBase64,
+  isAESLegacy,
+  parseAuthTokenHeader,
+  verifyJWTPayload,
+} from './utils';
+
+const debug = buildDebug('verdaccio:auth:utils');
+
+export function parseAESCredentials(authorizationHeader: string, secret: string) {
+  debug('parseAESCredentials');
+  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
+
+  // basic is deprecated and should not be enforced
+  // basic is currently being used for functional test
+  if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
+    debug('legacy header basic');
+    const credentials = convertPayloadToBase64(token).toString();
+
+    return credentials;
+  } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
+    debug('legacy header bearer');
+    const credentials = aesDecrypt(Buffer.from(token), secret);
+
+    return credentials;
+  }
+}
+
+export function getMiddlewareCredentials(
+  security: Security,
+  secretKey: string,
+  authorizationHeader: string
+): AuthMiddlewarePayload {
+  debug('getMiddlewareCredentials');
+  // comment out for debugging purposes
+  if (isAESLegacy(security)) {
+    debug('is legacy');
+    const credentials = parseAESCredentials(authorizationHeader, secretKey);
+    if (typeof credentials !== 'string') {
+      debug('parse legacy credentials failed');
+      return;
+    }
+
+    const parsedCredentials = parseBasicPayload(credentials);
+    if (!parsedCredentials) {
+      debug('parse legacy basic payload credentials failed');
+      return;
+    }
+
+    return parsedCredentials;
+  }
+  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
+
+  debug('is jwt');
+  if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
+    return verifyJWTPayload(token, secretKey);
+  }
+}

packages/auth/src/signature.ts

@@ -0,0 +1,66 @@
+import buildDebug from 'debug';
+import _ from 'lodash';
+
+import { TOKEN_BASIC, TOKEN_BEARER } from '@verdaccio/core';
+import { aesDecrypt, parseBasicPayload } from '@verdaccio/signature';
+import { Security } from '@verdaccio/types';
+
+import { AuthMiddlewarePayload } from './types';
+import {
+  convertPayloadToBase64,
+  isAESLegacy,
+  parseAuthTokenHeader,
+  verifyJWTPayload,
+} from './utils';
+
+const debug = buildDebug('verdaccio:auth:utils');
+
+export function parseAESCredentials(authorizationHeader: string, secret: string) {
+  debug('parseAESCredentials');
+  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
+
+  // basic is deprecated and should not be enforced
+  // basic is currently being used for functional test
+  if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
+    debug('legacy header basic');
+    const credentials = convertPayloadToBase64(token).toString();
+
+    return credentials;
+  } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
+    debug('legacy header bearer');
+    const credentials = aesDecrypt(token, secret);
+
+    return credentials;
+  }
+}
+
+export function getMiddlewareCredentials(
+  security: Security,
+  secretKey: string,
+  authorizationHeader: string
+): AuthMiddlewarePayload {
+  debug('getMiddlewareCredentials');
+  // comment out for debugging purposes
+  if (isAESLegacy(security)) {
+    debug('is legacy');
+    const credentials = parseAESCredentials(authorizationHeader, secretKey);
+    if (!credentials) {
+      debug('parse legacy credentials failed');
+      return;
+    }
+
+    const parsedCredentials = parseBasicPayload(credentials);
+    if (!parsedCredentials) {
+      debug('parse legacy basic payload credentials failed');
+      return;
+    }
+
+    return parsedCredentials;
+  }
+  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
+
+  debug('is jwt');
+  if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
+    return verifyJWTPayload(token, secretKey);
+  }
+}

packages/auth/src/types.ts

@@ -0,0 +1,46 @@
+import { NextFunction, Request, Response } from 'express';
+
+import { VerdaccioError } from '@verdaccio/core';
+import { AuthPackageAllow, JWTSignOptions, Logger, RemoteUser } from '@verdaccio/types';
+
+export interface AESPayload {
+  user: string;
+  password: string;
+}
+
+export type BasicPayload = AESPayload | void;
+export type AuthMiddlewarePayload = RemoteUser | BasicPayload;
+
+export interface AuthTokenHeader {
+  scheme: string;
+  token: string;
+}
+export type AllowActionCallbackResponse = boolean | undefined;
+export type AllowActionCallback = (
+  error: VerdaccioError | null,
+  allowed?: AllowActionCallbackResponse
+) => void;
+
+export type AllowAction = (
+  user: RemoteUser,
+  pkg: AuthPackageAllow,
+  callback: AllowActionCallback
+) => void;
+
+export interface TokenEncryption {
+  jwtEncrypt(user: RemoteUser, signOptions: JWTSignOptions): Promise<string>;
+  aesEncrypt(buf: string): string | void;
+}
+
+export type ActionsAllowed = 'publish' | 'unpublish' | 'access';
+
+// remove
+export interface IAuthMiddleware {
+  apiJWTmiddleware(): $NextFunctionVer;
+  webUIJWTmiddleware(): $NextFunctionVer;
+}
+
+export type $RequestExtend = Request & { remote_user?: any; log: Logger };
+export type $ResponseExtend = Response & { cookies?: any };
+export type $NextFunctionVer = NextFunction & any;
+export { NextFunction };

packages/auth/src/utils.ts

@@ -7,36 +7,28 @@ import {
   HTTP_STATUS,
   TOKEN_BASIC,
   TOKEN_BEARER,
-  VerdaccioError,
   errorUtils,
   pluginUtils,
 } from '@verdaccio/core';
-import { aesDecrypt, parseBasicPayload, verifyPayload } from '@verdaccio/signature';
+import {
+  aesDecrypt,
+  aesDecryptDeprecated,
+  parseBasicPayload,
+  verifyPayload,
+} from '@verdaccio/signature';
 import { AuthPackageAllow, Config, Logger, RemoteUser, Security } from '@verdaccio/types';
 
-import { AESPayload, TokenEncryption } from './auth';
+import {
+  ActionsAllowed,
+  AllowAction,
+  AllowActionCallback,
+  AuthMiddlewarePayload,
+  AuthTokenHeader,
+  TokenEncryption,
+} from './types';
 
 const debug = buildDebug('verdaccio:auth:utils');
 
-export type BasicPayload = AESPayload | void;
-export type AuthMiddlewarePayload = RemoteUser | BasicPayload;
-
-export interface AuthTokenHeader {
-  scheme: string;
-  token: string;
-}
-export type AllowActionCallbackResponse = boolean | undefined;
-export type AllowActionCallback = (
-  error: VerdaccioError | null,
-  allowed?: AllowActionCallbackResponse
-) => void;
-
-export type AllowAction = (
-  user: RemoteUser,
-  pkg: AuthPackageAllow,
-  callback: AllowActionCallback
-) => void;
-
 /**
  * Split authentication header eg: Bearer [secret_token]
  * @param authorizationHeader auth token
@@ -48,7 +40,11 @@ export function parseAuthTokenHeader(authorizationHeader: string): AuthTokenHead
   return { scheme, token };
 }
 
-export function parseAESCredentials(authorizationHeader: string, secret: string) {
+export function parseAESCredentials(
+  authorizationHeader: string,
+  secret: string,
+  enhanced: boolean
+) {
   debug('parseAESCredentials');
   const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
 
@@ -61,7 +57,11 @@ export function parseAESCredentials(authorizationHeader: string, secret: string)
     return credentials;
   } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
     debug('legacy header bearer');
-    const credentials = aesDecrypt(token, secret);
+    debug('legacy header enhanced?', enhanced);
+    const credentials = enhanced
+      ? aesDecrypt(token.toString(), secret)
+      : // FUTURE: once deprecated legacy is removed this logic won't be longer need it
+        aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
 
     return credentials;
   }
@@ -70,13 +70,14 @@ export function parseAESCredentials(authorizationHeader: string, secret: string)
 export function getMiddlewareCredentials(
   security: Security,
   secretKey: string,
-  authorizationHeader: string
+  authorizationHeader: string,
+  enhanced: boolean = true
 ): AuthMiddlewarePayload {
   debug('getMiddlewareCredentials');
   // comment out for debugging purposes
   if (isAESLegacy(security)) {
     debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey);
+    const credentials = parseAESCredentials(authorizationHeader, secretKey, enhanced);
     if (!credentials) {
       debug('parse legacy credentials failed');
       return;
@@ -161,14 +162,15 @@ export function isAuthHeaderValid(authorization: string): boolean {
 export function getDefaultPlugins(logger: Logger): pluginUtils.Auth<Config> {
   return {
     authenticate(_user: string, _password: string, cb: pluginUtils.AuthCallback): void {
+      debug('triggered default authenticate method');
       cb(errorUtils.getForbidden(API_ERROR.BAD_USERNAME_PASSWORD));
     },
 
     adduser(_user: string, _password: string, cb: pluginUtils.AuthUserCallback): void {
+      debug('triggered default adduser method');
       return cb(errorUtils.getConflict(API_ERROR.BAD_USERNAME_PASSWORD));
     },
 
-    // FIXME: allow_action and allow_publish should be in the @verdaccio/types
     // @ts-ignore
     allow_access: allow_action('access', logger),
     // @ts-ignore
@@ -177,8 +179,6 @@ export function getDefaultPlugins(logger: Logger): pluginUtils.Auth<Config> {
   };
 }
 
-export type ActionsAllowed = 'publish' | 'unpublish' | 'access';
-
 export function allow_action(action: ActionsAllowed, logger: Logger): AllowAction {
   return function allowActionCallback(
     user: RemoteUser,
@@ -187,8 +187,13 @@ export function allow_action(action: ActionsAllowed, logger: Logger): AllowActio
   ): void {
     logger.trace({ remote: user.name }, `[auth/allow_action]: user: @{remote}`);
     const { name, groups } = user;
+    debug('allow_action "%s": groups %s', action, groups);
     const groupAccess = pkg[action] as string[];
-    const hasPermission = groupAccess.some((group) => name === group || groups.includes(group));
+    debug('allow_action "%s": groupAccess %s', action, groupAccess);
+    const hasPermission = groupAccess.some((group) => {
+      return name === group || groups.includes(group);
+    });
+    debug('package "%s" has permission "%s"', name, hasPermission);
     logger.trace(
       { pkgName: pkg.name, hasPermission, remote: user.name, groupAccess },
       `[auth/allow_action]: hasPermission? @{hasPermission} for user: @{remote}, package: @{pkgName}`
@@ -218,7 +223,8 @@ export function handleSpecialUnpublish(logger: Logger): any {
   return function (user: RemoteUser, pkg: AuthPackageAllow, callback: AllowActionCallback): void {
     const action = 'unpublish';
     // verify whether the unpublish prop has been defined
-    const isUnpublishMissing: boolean = _.isNil(pkg[action]);
+    const isUnpublishMissing: boolean = !pkg[action];
+    debug('is unpublish method missing ? %s', isUnpublishMissing);
     const hasGroups: boolean = isUnpublishMissing ? false : (pkg[action] as string[]).length > 0;
     logger.trace(
       { user: user.name, name: pkg.name, hasGroups },

packages/auth/test/auth.spec.ts

@@ -1,47 +1,79 @@
+import express from 'express';
 import path from 'path';
+import supertest from 'supertest';
 
-import { Config as AppConfig, ROLES, getDefaultConfig } from '@verdaccio/config';
-import { errorUtils } from '@verdaccio/core';
-import { setup } from '@verdaccio/logger';
+import { Config as AppConfig, ROLES, createRemoteUser, getDefaultConfig } from '@verdaccio/config';
+import {
+  API_ERROR,
+  HEADERS,
+  HTTP_STATUS,
+  SUPPORT_ERRORS,
+  TOKEN_BEARER,
+  errorUtils,
+} from '@verdaccio/core';
+import { logger, setup } from '@verdaccio/logger';
+import { errorReportingMiddleware, final, handleError } from '@verdaccio/middleware';
 import { Config } from '@verdaccio/types';
+import { buildToken } from '@verdaccio/utils';
 
-import { Auth } from '../src';
-import { authPluginFailureConf, authPluginPassThrougConf, authProfileConf } from './helper/plugin';
+import { $RequestExtend, Auth } from '../src';
+import {
+  authChangePasswordConf,
+  authPluginFailureConf,
+  authPluginPassThrougConf,
+  authProfileConf,
+} from './helper/plugin';
 
-setup({ level: 'debug', type: 'stdout' });
+setup({});
+
+// to avoid flaky test generate same ramdom key
+jest.mock('@verdaccio/utils', () => {
+  return {
+    ...jest.requireActual('@verdaccio/utils'),
+    // used by enhanced legacy aes signature (minimum 32 characters)
+    generateRandomSecretKey: () => 'GCYW/3IJzQI6GvPmy9sbMkFoiL7QLVw',
+    // used by legacy aes signature
+    generateRandomHexString: () =>
+      'ff065fcf7a8330ae37d3ea116328852f387ad7aa6defbe47fb68b1ea25f97446',
+  };
+});
 
 describe('AuthTest', () => {
-  test('should init correctly', async () => {
-    const config: Config = new AppConfig({ ...authProfileConf });
-    config.checkSecretKey('12345');
+  describe('default', () => {
+    test('should init correctly', async () => {
+      const config: Config = new AppConfig({ ...authProfileConf });
+      config.checkSecretKey('12345');
 
-    const auth: Auth = new Auth(config);
-    await auth.init();
-    expect(auth).toBeDefined();
-  });
-
-  test('should load default auth plugin', async () => {
-    const config: Config = new AppConfig({ ...authProfileConf, auth: undefined });
-    config.checkSecretKey('12345');
-
-    const auth: Auth = new Auth(config);
-    await auth.init();
-    expect(auth).toBeDefined();
-  });
-
-  test('should load custom algorithm', async () => {
-    const config: Config = new AppConfig({
-      ...authProfileConf,
-      auth: { htpasswd: { algorithm: 'sha1', file: './foo' } },
+      const auth: Auth = new Auth(config);
+      await auth.init();
+      expect(auth).toBeDefined();
     });
-    config.checkSecretKey('12345');
 
-    const auth: Auth = new Auth(config);
-    await auth.init();
-    expect(auth).toBeDefined();
+    test('should load default auth plugin', async () => {
+      const config: Config = new AppConfig({ ...authProfileConf, auth: undefined });
+      config.checkSecretKey('12345');
+
+      const auth: Auth = new Auth(config);
+      await auth.init();
+      expect(auth).toBeDefined();
+    });
   });
 
-  describe('test authenticate method', () => {
+  describe('utils', () => {
+    test('should load custom algorithm', async () => {
+      const config: Config = new AppConfig({
+        ...authProfileConf,
+        auth: { htpasswd: { algorithm: 'sha1', file: './foo' } },
+      });
+      config.checkSecretKey('12345');
+
+      const auth: Auth = new Auth(config);
+      await auth.init();
+      expect(auth).toBeDefined();
+    });
+  });
+
+  describe('authenticate', () => {
     describe('test authenticate states', () => {
       test('should be a success login', async () => {
         const config: Config = new AppConfig({ ...authProfileConf });
@@ -163,30 +195,519 @@ describe('AuthTest', () => {
         }
       });
     });
+
+    describe('test multiple authenticate methods', () => {
+      test('should skip falsy values', async () => {
+        const config: Config = new AppConfig({
+          ...getDefaultConfig(),
+          plugins: path.join(__dirname, './partials/plugin'),
+          auth: {
+            success: {},
+            'fail-invalid-method': {},
+          },
+        });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+
+        return new Promise((resolve) => {
+          auth.authenticate('foo', 'bar', (err, value) => {
+            expect(value).toEqual({
+              name: 'foo',
+              groups: ['test', ROLES.$ALL, '$authenticated', '@all', '@authenticated', 'all'],
+              real_groups: ['test'],
+            });
+            resolve(value);
+          });
+        });
+      });
+    });
   });
 
-  describe('test multiple authenticate methods', () => {
-    test('should skip falsy values', async () => {
+  describe('changePassword', () => {
+    test('should fail if the plugin does not provide implementation', async () => {
+      const config: Config = new AppConfig({ ...authProfileConf });
+      config.checkSecretKey('12345');
+      const auth: Auth = new Auth(config);
+      await auth.init();
+      expect(auth).toBeDefined();
+      const callback = jest.fn();
+
+      auth.changePassword('foo', 'bar', 'newFoo', callback);
+
+      expect(callback).toHaveBeenCalledTimes(1);
+      expect(callback).toHaveBeenCalledWith(
+        errorUtils.getInternalError(SUPPORT_ERRORS.PLUGIN_MISSING_INTERFACE)
+      );
+    });
+    test('should handle plugin does provide implementation', async () => {
+      const config: Config = new AppConfig({ ...authChangePasswordConf });
+      config.checkSecretKey('12345');
+      const auth: Auth = new Auth(config);
+      await auth.init();
+      expect(auth).toBeDefined();
+      const callback = jest.fn();
+      auth.add_user('foo', 'bar', jest.fn());
+      auth.changePassword('foo', 'bar', 'newFoo', callback);
+      expect(callback).toHaveBeenCalledTimes(1);
+      expect(callback).toHaveBeenCalledWith(null, true);
+    });
+  });
+
+  describe('allow_access', () => {
+    describe('no custom allow_access implementation provided', () => {
+      // when allow_access is not implemented, the groups must match
+      // exactly with the packages access group
+      test('should fails if groups do not match exactly', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        const groups = ['test'];
+
+        auth.allow_access(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(
+          errorUtils.getForbidden('user foo is not allowed to access package foo')
+        );
+      });
+
+      test('should success if groups do not match exactly', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        // $all comes from configuration file
+        const groups = [ROLES.$ALL];
+
+        auth.allow_access(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(null, true);
+      });
+    });
+  });
+
+  describe('allow_publish', () => {
+    describe('no custom allow_publish implementation provided', () => {
+      // when allow_access is not implemented, the groups must match
+      // exactly with the packages access group
+      test('should fails if groups do not match exactly', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        const groups = ['test'];
+
+        auth.allow_publish(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(
+          errorUtils.getForbidden('user foo is not allowed to publish package foo')
+        );
+      });
+
+      test('should success if groups do match exactly', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        // $all comes from configuration file
+        const groups = [ROLES.$AUTH];
+
+        auth.allow_publish(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(null, true);
+      });
+    });
+  });
+  describe('allow_unpublish', () => {
+    describe('no custom allow_unpublish implementation provided', () => {
+      test('should fails if groups do not match exactly', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+        config.checkSecretKey('12345');
+
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        const groups = ['test'];
+
+        auth.allow_unpublish(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(
+          errorUtils.getForbidden('user foo is not allowed to unpublish package foo')
+        );
+      });
+
+      test('should handle missing unpublish method (special case to handle legacy configurations)', async () => {
+        const config: Config = new AppConfig({
+          ...authProfileConf,
+          packages: {
+            ...authProfileConf.packages,
+            '**': {
+              access: ['$all'],
+              publish: ['$authenticated'],
+              // it forces publish handle the access
+              unpublish: undefined,
+              proxy: ['npmjs'],
+            },
+          },
+        });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        const groups = ['test'];
+
+        auth.allow_unpublish(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(
+          errorUtils.getForbidden('user foo is not allowed to publish package foo')
+        );
+      });
+
+      test('should success if groups do match exactly', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        // $all comes from configuration file
+        const groups = [ROLES.$AUTH];
+
+        auth.allow_unpublish(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(null, true);
+      });
+    });
+  });
+
+  describe('add_user', () => {
+    describe('error handling', () => {
+      // when allow_access is not implemented, the groups must match
+      // exactly with the packages access group
+      test('should fails with bad password if adduser is not implemented', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+
+        auth.add_user('juan', 'password', callback);
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(
+          errorUtils.getConflict(API_ERROR.BAD_USERNAME_PASSWORD)
+        );
+      });
+
+      test('should fails if adduser fails internally (exception)', async () => {
+        const config: Config = new AppConfig({
+          ...getDefaultConfig(),
+          plugins: path.join(__dirname, './partials/plugin'),
+          auth: {
+            adduser: {},
+          },
+        });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+
+        // note: fail uas username make plugin fails
+        auth.add_user('fail', 'password', callback);
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(new Error('bad username'));
+      });
+
+      test('should skip to the next plugin and fails', async () => {
+        const config: Config = new AppConfig({
+          ...getDefaultConfig(),
+          plugins: path.join(__dirname, './partials/plugin'),
+          auth: {
+            adduser: {},
+            // plugin implement adduser with fail auth
+            fail: {},
+          },
+        });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+
+        // note: fail uas username make plugin fails
+        auth.add_user('skip', 'password', callback);
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(
+          errorUtils.getConflict(API_ERROR.BAD_USERNAME_PASSWORD)
+        );
+      });
+    });
+    test('should success if adduser', async () => {
       const config: Config = new AppConfig({
         ...getDefaultConfig(),
         plugins: path.join(__dirname, './partials/plugin'),
         auth: {
-          success: {},
-          'fail-invalid-method': {},
+          adduser: {},
         },
       });
       config.checkSecretKey('12345');
       const auth: Auth = new Auth(config);
       await auth.init();
+      expect(auth).toBeDefined();
 
-      return new Promise((resolve) => {
-        auth.authenticate('foo', 'bar', (err, value) => {
-          expect(value).toEqual({
-            name: 'foo',
-            groups: ['test', '$all', '$authenticated', '@all', '@authenticated', 'all'],
-            real_groups: ['test'],
+      const callback = jest.fn();
+
+      auth.add_user('something', 'password', callback);
+
+      expect(callback).toHaveBeenCalledTimes(1);
+      expect(callback).toHaveBeenCalledWith(null, {
+        groups: ['test', '$all', '$authenticated', '@all', '@authenticated', 'all'],
+        name: 'something',
+        real_groups: ['test'],
+      });
+    });
+    test('should handle legacy add_user method', async () => {
+      const config: Config = new AppConfig({
+        ...getDefaultConfig(),
+        plugins: path.join(__dirname, './partials/plugin'),
+        auth: {
+          'adduser-legacy': {},
+        },
+      });
+      config.checkSecretKey('12345');
+      const auth: Auth = new Auth(config);
+      await auth.init();
+      expect(auth).toBeDefined();
+
+      const callback = jest.fn();
+
+      auth.add_user('something', 'password', callback);
+
+      expect(callback).toHaveBeenCalledTimes(1);
+      expect(callback).toHaveBeenCalledWith(null, {
+        groups: ['test', '$all', '$authenticated', '@all', '@authenticated', 'all'],
+        name: 'something',
+        real_groups: ['test'],
+      });
+    });
+  });
+  describe('middlewares', () => {
+    describe('apiJWTmiddleware', () => {
+      const secret = '12345';
+      const getServer = async function (auth) {
+        const app = express();
+        app.use(express.json({ strict: false, limit: '10mb' }));
+        // @ts-expect-error
+        app.use(errorReportingMiddleware(logger));
+        app.use(auth.apiJWTmiddleware());
+        app.get('/*', (req, res, next) => {
+          if ((req as $RequestExtend).remote_user.error) {
+            next(new Error((req as $RequestExtend).remote_user.error));
+          } else {
+            // @ts-expect-error
+            next({ user: req?.remote_user });
+          }
+        });
+        // @ts-expect-error
+        app.use(handleError(logger));
+        // @ts-expect-error
+        app.use(final);
+        return app;
+      };
+      describe('legacy signature', () => {
+        describe('error cases', () => {
+          test('should handle invalid auth token', async () => {
+            const config: Config = new AppConfig({ ...authProfileConf });
+            config.checkSecretKey(secret);
+            const auth = new Auth(config);
+            await auth.init();
+            const app = await getServer(auth);
+            return supertest(app)
+              .get(`/`)
+              .set(HEADERS.AUTHORIZATION, 'Bearer foo')
+              .expect(HTTP_STATUS.INTERNAL_ERROR);
+          });
+
+          test('should handle missing auth header', async () => {
+            const config: Config = new AppConfig({ ...authProfileConf });
+            config.checkSecretKey(secret);
+            const auth = new Auth(config);
+            await auth.init();
+            const app = await getServer(auth);
+            return supertest(app).get(`/`).expect(HTTP_STATUS.OK);
+          });
+        });
+
+        describe('deprecated legacy handling forceEnhancedLegacySignature=false', () => {
+          test('should handle valid auth token', async () => {
+            const payload = 'juan:password';
+            // const token = await signPayload(remoteUser, '12345');
+            const config: Config = new AppConfig(
+              { ...authProfileConf },
+              { forceEnhancedLegacySignature: false }
+            );
+            // intended to force key generator (associated with mocks above)
+            config.checkSecretKey(undefined);
+            const auth = new Auth(config);
+            await auth.init();
+            const token = auth.aesEncrypt(payload) as string;
+            const app = await getServer(auth);
+            const res = await supertest(app)
+              .get(`/`)
+              .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, token))
+              .expect(HTTP_STATUS.OK);
+            expect(res.body.user.name).toEqual('juan');
+          });
+
+          test('should handle invalid auth token', async () => {
+            const payload = 'juan:password';
+            const config: Config = new AppConfig(
+              { ...authPluginFailureConf },
+              { forceEnhancedLegacySignature: false }
+            );
+            // intended to force key generator (associated with mocks above)
+            config.checkSecretKey(undefined);
+            const auth = new Auth(config);
+            await auth.init();
+            const token = auth.aesEncrypt(payload) as string;
+            const app = await getServer(auth);
+            return await supertest(app)
+              .get(`/`)
+              .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, token))
+              .expect(HTTP_STATUS.INTERNAL_ERROR);
+          });
+        });
+      });
+      describe('jwt signature', () => {
+        describe('error cases', () => {
+          test('should handle invalid auth token and return anonymous', async () => {
+            // @ts-expect-error
+            const config: Config = new AppConfig({
+              ...authProfileConf,
+              ...{ security: { api: { jwt: { sign: { expiresIn: '29d' } } } } },
+            });
+            config.checkSecretKey(secret);
+            const auth = new Auth(config);
+            await auth.init();
+            const app = await getServer(auth);
+            const res = await supertest(app)
+              .get(`/`)
+              .set(HEADERS.AUTHORIZATION, 'Bearer foo')
+              .expect(HTTP_STATUS.OK);
+            expect(res.body.user.groups).toEqual([
+              ROLES.$ALL,
+              ROLES.$ANONYMOUS,
+              ROLES.DEPRECATED_ALL,
+              ROLES.DEPRECATED_ANONYMOUS,
+            ]);
+          });
+
+          test('should handle missing auth header', async () => {
+            // @ts-expect-error
+            const config: Config = new AppConfig({
+              ...authProfileConf,
+              ...{ security: { api: { jwt: { sign: { expiresIn: '29d' } } } } },
+            });
+            config.checkSecretKey(secret);
+            const auth = new Auth(config);
+            await auth.init();
+            const app = await getServer(auth);
+            const res = await supertest(app).get(`/`).expect(HTTP_STATUS.OK);
+            expect(res.body.user.groups).toEqual([
+              ROLES.$ALL,
+              ROLES.$ANONYMOUS,
+              ROLES.DEPRECATED_ALL,
+              ROLES.DEPRECATED_ANONYMOUS,
+            ]);
+          });
+        });
+        describe('valid signature handlers', () => {
+          test('should handle valid auth token', async () => {
+            const config: Config = new AppConfig(
+              // @ts-expect-error
+              {
+                ...authProfileConf,
+                ...{ security: { api: { jwt: { sign: { expiresIn: '29d' } } } } },
+              },
+              { forceEnhancedLegacySignature: false }
+            );
+            // intended to force key generator (associated with mocks above)
+            config.checkSecretKey(undefined);
+            const auth = new Auth(config);
+            await auth.init();
+            const token = (await auth.jwtEncrypt(
+              createRemoteUser('jwt_user', [ROLES.ALL]),
+              // @ts-expect-error
+              config.security.api.jwt.sign
+            )) as string;
+            const app = await getServer(auth);
+            const res = await supertest(app)
+              .get(`/`)
+              .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, token))
+              .expect(HTTP_STATUS.OK);
+            expect(res.body.user.name).toEqual('jwt_user');
           });
-          resolve(value);
         });
       });
     });

packages/auth/test/helper/plugin.ts

@@ -10,6 +10,14 @@ export const authProfileConf = {
   },
 };
 
+export const authChangePasswordConf = {
+  ...getDefaultConfig(),
+  plugins: path.join(__dirname, '../partials/plugin'),
+  auth: {
+    'change-password': {},
+  },
+};
+
 export const authPluginFailureConf = {
   ...getDefaultConfig(),
   plugins: path.join(__dirname, '../partials/plugin'),