chore: update versions (next-8) (#4761)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.babelrc

@@ -10,9 +10,5 @@
     ],
     "@babel/typescript"
   ],
-  "ignore": ["**/*.d.ts"],
-  "plugins": [
-    "@babel/plugin-proposal-optional-chaining",
-    "@babel/plugin-proposal-nullish-coalescing-operator"
-  ]
+  "ignore": ["**/*.d.ts"]
 }

.changeset/big-cameras-invent.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/store': patch
+---
+
+chore: fix types for some store tests

.changeset/chilly-rivers-chew.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/cli': patch
+---
+
+chore: add config location and loglevel to startup log

.changeset/cuddly-camels-relax.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/middleware': patch
+---
+
+fix(middleware): custom favicon

.changeset/dirty-dolphins-try.md

@@ -0,0 +1,10 @@
+---
+'@verdaccio/ui-components': minor
+'@verdaccio/ui-theme': patch
+'@verdaccio/types': patch
+'@verdaccio/middleware': patch
+'@verdaccio/config': patch
+'@verdaccio/cli': patch
+---
+
+feat: complete overhaul of web user interface

.changeset/dirty-islands-push.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/ui-components': patch
+'@verdaccio/ui-theme': patch
+---
+
+chore: fix type for country flags

.changeset/dry-mirrors-roll.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/ui-theme': patch
+---
+
+fix: enable irish language on ui

.changeset/dry-shoes-report.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/logger-commons': patch
+'@verdaccio/logger-prettify': patch
+---
+
+fix: log spacing depending on the FORMAT and COLORS options

.changeset/eight-icons-heal.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/tarball': patch
+'@verdaccio/store': patch
+---
+
+feat: add tarball details for published packages

.changeset/fluffy-onions-act.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/middleware': patch
+---
+
+fix(middleware): link to favicon in template

.changeset/good-lions-rush.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/ui-components': patch
+---
+
+chore: sync dependency defs between ui-components and ui-theme

.changeset/grumpy-pots-watch.md

@@ -0,0 +1,9 @@
+---
+'@verdaccio/types': patch
+'@verdaccio/config': patch
+'@verdaccio/core': patch
+'@verdaccio/store': patch
+'@verdaccio/api': patch
+---
+
+feat: add support for npm owner

.changeset/itchy-mangos-wink.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/middleware': patch
+'@verdaccio/url': patch
+---
+
+Improved TS types for renderHTML() and related functions (by @tobbe in #4605)

.changeset/long-moles-attend.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/search-indexer': patch
+---
+
+fix: remove node engine restriction

.changeset/many-bees-tickle.md

@@ -0,0 +1,5 @@
+---
+'verdaccio-audit': minor
+---
+
+feat: verdaccio-audit support timeout option

.changeset/mighty-gorillas-fail.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/middleware': patch
+'@verdaccio/url': patch
+---
+
+fix(middleware): link to favicon in template

.changeset/moody-mugs-pay.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/config': patch
+---
+
+chore: improve debug code and refactor code

.changeset/nervous-fireants-design.md

@@ -0,0 +1,5 @@
+---
+'generator-verdaccio-plugin': major
+---
+
+feat: migration to monorepo

.changeset/pink-balloons-leave.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/local-storage': patch
+---
+
+chore: reduce log to info if database is not found

.changeset/poor-seals-turn.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/tarball': patch
+'@verdaccio/store': patch
+---
+
+revert #4600

.changeset/pre.json

@@ -1,6 +1,6 @@
 {
   "mode": "pre",
-  "tag": "next-7",
+  "tag": "next-8",
   "initialVersions": {
     "@verdaccio/test-cli-commons": "1.1.0",
     "@verdaccio/e2e-cli-npm6": "1.0.1",
@@ -57,21 +57,44 @@
     "@verdaccio/website": "5.20.2",
     "@verdaccio/local-publish": "0.0.1",
     "@verdaccio/search": "7.0.0-next.0",
-    "@verdaccio/e2e-cli-pnpm9": "1.0.1"
+    "@verdaccio/e2e-cli-pnpm9": "1.0.1",
+    "generator-verdaccio-plugin": "4.1.0"
   },
   "changesets": [
     "angry-trees-tie",
+    "big-cameras-invent",
     "breezy-mayflies-pull",
     "chilled-carrots-guess",
+    "chilly-rivers-chew",
+    "cuddly-camels-relax",
+    "dirty-dolphins-try",
+    "dirty-islands-push",
+    "dry-mirrors-roll",
+    "dry-shoes-report",
+    "eight-icons-heal",
     "eight-squids-judge",
     "eighty-lobsters-study",
+    "fluffy-onions-act",
     "good-cups-train",
+    "good-lions-rush",
+    "grumpy-pots-watch",
+    "itchy-mangos-wink",
     "long-jars-collect",
+    "long-moles-attend",
+    "many-bees-tickle",
+    "mighty-gorillas-fail",
+    "moody-mugs-pay",
+    "nervous-fireants-design",
     "old-turkeys-heal",
     "olive-bananas-wink",
     "perfect-chairs-act",
     "pink-apples-nail",
+    "pink-balloons-leave",
+    "poor-seals-turn",
+    "quick-buses-scream",
     "real-socks-vanish",
+    "rich-shrimps-check",
+    "sharp-wolves-carry",
     "shiny-worms-retire",
     "shy-carrots-compare",
     "shy-garlics-cry",
@@ -79,9 +102,20 @@
     "slow-wasps-glow",
     "spicy-birds-flow",
     "strange-points-repair",
+    "stupid-dancers-relate",
+    "swift-rabbits-vanish",
+    "ten-kids-tan",
+    "thick-avocados-provide",
+    "thin-snails-flow",
     "thirty-toes-swim",
+    "twenty-queens-protect",
+    "unlucky-cycles-sparkle",
     "weak-fans-explain",
+    "wet-balloons-give",
+    "wicked-kiwis-check",
+    "wicked-worms-wash",
     "wild-otters-talk",
+    "witty-meals-nail",
     "young-donuts-own"
   ]
 }

.changeset/quick-buses-scream.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/store': patch
+---
+
+fix: avoid warning "time for version x already exists"

.changeset/rich-shrimps-check.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/types': patch
+'@verdaccio/store': patch
+---
+
+fix: update fields for abbreviated manifest

.changeset/sharp-wolves-carry.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/signature': minor
+---
+
+support for createCipher backward compatible

.changeset/stupid-dancers-relate.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/url': patch
+---
+
+patch(core/url): Throw if VERDACCIO_FORWARDED_PROTO resolves to an array (#4613 by @Tobbe)

.changeset/swift-rabbits-vanish.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/config': patch
+---
+
+fix(config): test runs on Windows

.changeset/ten-kids-tan.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/ui-components': patch
+---
+
+chore(ui): update babel dependencies

.changeset/thick-avocados-provide.md

@@ -0,0 +1,13 @@
+---
+'@verdaccio/local-storage': patch
+'@verdaccio/server': patch
+'@verdaccio/core': patch
+'@verdaccio/node-api': patch
+'@verdaccio/loaders': patch
+'@verdaccio/store': patch
+'@verdaccio/auth': patch
+'@verdaccio/cli': patch
+'@verdaccio/web': patch
+---
+
+chore: improve startup logging

.changeset/thin-snails-flow.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/config': patch
+'@verdaccio/website': patch
+---
+
+fix: typo in config docs regarding check_owners

.changeset/twenty-queens-protect.md

@@ -0,0 +1,7 @@
+---
+'@verdaccio/ui-theme': patch
+'@verdaccio/ui-components': patch
+'@verdaccio/types': patch
+---
+
+fix: change bundleDependencies to array

.changeset/unlucky-cycles-sparkle.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/local-storage': patch
+---
+
+fix: error when writing tarball (missing folder)

.changeset/wet-balloons-give.md

@@ -0,0 +1,10 @@
+---
+'@verdaccio/types': minor
+'@verdaccio/core': minor
+'@verdaccio/signature': minor
+'@verdaccio/node-api': minor
+'@verdaccio/config': minor
+'@verdaccio/auth': minor
+---
+
+feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property

.changeset/wicked-kiwis-check.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/auth': patch
+---
+
+fix: adduser error message grammar (@tobbe in #4586)

.changeset/wicked-worms-wash.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/store': patch
+'@verdaccio/tarball': patch
+---
+
+feat: add tarball details for published packages

.changeset/witty-meals-nail.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/api': patch
+---
+
+chore(api): update comment about route parameters

.dockerignore

@@ -22,7 +22,6 @@ jest
 docs
 contrib
 docker-examples
-website
 systemd
 
 # output from test runs and similar things

.github/dependabot.yml

@@ -8,18 +8,11 @@ updates:
   # Maintain dependencies for GitHub Actions
   - package-ecosystem: 'github-actions'
     directory: '/'
-    schedule:
-      interval: 'weekly'
-
-  # Maintain dependencies for npm
-  - package-ecosystem: 'npm'
-    directory: '/'
-    schedule:
-      interval: 'daily'
-    allow:
-      - dependency-name: '@verdaccio/*'
-      - dependency-name: 'verdaccio-*'
+    open-pull-requests-limit: 1
+    prefix: "[github-actions] "
     assignees:
-      - 'verdacciobot'
+      - 'verdacciobot'    
+    schedule:
+      interval: 'monthly'
     labels:
       - 'bot: dependencies'

.github/disabled/ci-windows.yml

@@ -18,25 +18,23 @@ jobs:
         env:
           NODE_ENV: production          
     steps:
-    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
     - name: Node
       uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
       with:
         node-version-file: '.nvmrc'
     - name: Install pnpm
-      run: npm i pnpm@latest-8 -g
+      run: |
+        corepack enable
+        corepack install
     - name: set store
       run: |
         mkdir ~/.pnpm-store
         pnpm config set store-dir ~/.pnpm-store
-    - name: set store
-      run: |
-        mkdir ~/.pnpm-store
-        pnpm config set store-dir ~/.pnpm-store            
     - name: Install
-      run: pnpm install --registry http://localhost:4873
+      run: pnpm install  --registry http://localhost:4873
     - name: Cache .pnpm-store
-      uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
       with:
         path: ~/.pnpm-store
         key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -47,14 +45,14 @@ jobs:
     name: Lint
     needs: prepare
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -71,14 +69,14 @@ jobs:
     name: Format
     needs: prepare
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -100,14 +98,14 @@ jobs:
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - name: Use Node ${{ matrix.node_version }}
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node_version }}
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -126,13 +124,13 @@ jobs:
     runs-on: windows-latest
     name: UI Test E2E
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/disabled/docker-plugins-e2e.yml

@@ -18,7 +18,7 @@ jobs:
       uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3
       
     - name: Start containers
-      run: docker-compose -f "./e2e/docker/docker-build-install-plugin/docker-compose.yaml" up -d --build
+      run: docker compose -f "./e2e/docker/docker-build-install-plugin/docker-compose.yaml" up -d --build
 
     - name: Install node
       uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
@@ -36,4 +36,4 @@ jobs:
 
     - name: Stop containers
       if: always()
-      run: docker-compose -f "./e2e/docker/docker-build-install-plugin/docker-compose.yaml" down
+      run: docker compose -f "./e2e/docker/docker-build-install-plugin/docker-compose.yaml" down

.github/workflows/changesets.yml

@@ -20,12 +20,12 @@ jobs:
     if: github.ref == 'refs/heads/master' && github.repository == 'verdaccio/verdaccio'
     steps:
       - name: checkout code repository
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           fetch-depth: 0
 
       - name: setup node.js
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version-file: '.nvmrc'
         env:

.github/workflows/ci.yml

@@ -30,9 +30,9 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Node
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
@@ -46,7 +46,7 @@ jobs:
       - name: Install
         run: pnpm install  --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -57,16 +57,16 @@ jobs:
     name: Lint
     needs: prepare
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Node
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -82,16 +82,16 @@ jobs:
     name: Format
     needs: prepare
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -108,20 +108,20 @@ jobs:
       fail-fast: true
       matrix:
         os: [ubuntu-latest]
-        node_version: [18, 20, 21]
+        node_version: [18, 20, 21, 22]
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node ${{ matrix.node_version }}
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version: ${{ matrix.node_version }}
       - name: Install pnpm
         run: |
           corepack enable
           corepack prepare
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -138,17 +138,17 @@ jobs:
     needs: [test]
     runs-on: ubuntu-latest
     name: synchronize translations
-    if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
+    if: (github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'verdaccio/verdaccio') || github.event_name == 'workflow_dispatch'
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/workflows/codeql-analysis.yml

@@ -11,6 +11,10 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: code-${{ github.ref }}
+  cancel-in-progress: true    
+
 jobs:
   CodeQL-Build:
     permissions:
@@ -21,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           # We must fetch at least the immediate parents so that if this is
           # a pull request then we can checkout the head.
@@ -34,7 +38,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v2
+        uses: github/codeql-action/init@be8b74c09c1778bcdbea38e1a45efea2cb73e18c # v2
 
       # Override language selection by uncommenting this and choosing your languages
       # with:
@@ -42,7 +46,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v2
+        uses: github/codeql-action/autobuild@be8b74c09c1778bcdbea38e1a45efea2cb73e18c # v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -56,4 +60,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v2
+        uses: github/codeql-action/analyze@be8b74c09c1778bcdbea38e1a45efea2cb73e18c # v2

.github/workflows/docker-proxy-apache-e2e.yml

@@ -1,5 +1,9 @@
 name: E2E Docker Proxy Apache Test
 
+concurrency:
+  group: docker-apache-${{ github.ref }}
+  cancel-in-progress: true  
+
 on:
   workflow_dispatch:
   push:
@@ -11,18 +15,18 @@ on:
 jobs:
   docker:
     timeout-minutes: 10
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
-      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       
     - name: Start containers
-      run: docker-compose -f "./e2e/docker/apache-verdaccio/docker-compose.yaml" up -d --build
+      run: docker compose -f "./e2e/docker/apache-verdaccio/docker-compose.yaml" up -d --build
 
     - name: Install node
-      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+      uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
       with:
         node-version-file: '.nvmrc'
     - name: npm setup
@@ -42,4 +46,4 @@ jobs:
 
     - name: Stop containers
       if: always()
-      run: docker-compose -f "./e2e/docker/apache-verdaccio/docker-compose.yaml" down
+      run: docker compose -f "./e2e/docker/apache-verdaccio/docker-compose.yaml" down

.github/workflows/docker-proxy-nginx-e2e.yml

@@ -1,5 +1,10 @@
 name: E2E Docker Proxy Nginx Test
 
+concurrency:
+  group: docker-nginx-${{ github.ref }}
+  cancel-in-progress: true  
+
+
 on:
   workflow_dispatch:
   push:
@@ -8,18 +13,18 @@ on:
 jobs:
   docker:
     timeout-minutes: 10
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
-      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       
     - name: Start containers
-      run: docker-compose -f "./e2e/docker/proxy-nginx/docker-compose.yaml" up -d --build
+      run: docker compose -f "./e2e/docker/proxy-nginx/docker-compose.yaml" up -d --build
 
     - name: Install node
-      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+      uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
       with:
         node-version-file: '.nvmrc'
     - name: npm setup
@@ -39,4 +44,4 @@ jobs:
 
     - name: Stop containers
       if: always()
-      run: docker-compose -f "./e2e/docker/proxy-nginx/docker-compose.yaml" down
+      run: docker compose -f "./e2e/docker/proxy-nginx/docker-compose.yaml" down

.github/workflows/docker-publish.yml

@@ -22,9 +22,10 @@ permissions:
 jobs:
   docker:
     runs-on: ubuntu-latest
+    if: github.repository == 'verdaccio/verdaccio'
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
-      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # tag=v1
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # tag=v1
       - uses: docker/setup-buildx-action@v1
         with:
           driver-opts: network=host
@@ -45,7 +46,7 @@ jobs:
             {{major}}
             {{major}}.{{minor}}
       - name: Build & Push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile

.github/workflows/e2e-ci.yml

@@ -18,9 +18,9 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
@@ -34,7 +34,7 @@ jobs:
       - name: Install
         run: pnpm install --reporter=silence --ignore-scripts --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -44,16 +44,16 @@ jobs:
     needs: [prepare]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node 16
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -65,7 +65,7 @@ jobs:
       - name: build
         run: pnpm build
       - name: Cache packages
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         id: cache-packages
         with:
           path: ./packages/
@@ -97,15 +97,15 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version: ${{ matrix.node }}
       - name: Install pnpm
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -114,7 +114,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -141,15 +141,15 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version: ${{ matrix.node }}
       - name: Install pnpm
         run: |
           corepack enable
           corepack prepare
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -158,7 +158,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --loglevel debug --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -186,15 +186,15 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version: ${{ matrix.node }}
       - name: Install pnpm
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -203,7 +203,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}

.github/workflows/e2e-ui.yml

@@ -18,9 +18,9 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm

.github/workflows/plugin-generator-e2e.yaml

@@ -0,0 +1,52 @@
+name: E2E Generator Verdaccio Plugin
+
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+
+concurrency:
+  group: generator-plugin-${{ github.ref }}
+  cancel-in-progress: true  
+
+jobs:
+  e2e-plugin-generator:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18,20, 21]
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Install pnpm
+        run: |
+          corepack enable
+          corepack install
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        with:
+          path: ~/.pnpm-store
+          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
+      - name: install
+        run: pnpm install
+      - name: build
+        run: pnpm build
+      - name: install verdaccio
+        run: npm install -g verdaccio@5
+      - name: Start server
+        run: verdaccio -c e2e/docker/generator-e2e/generator.yaml &
+      - name: ping server
+        run: curl http://localhost:4873/-/ping
+      - name: login
+        run: npx npm-cli-login -u test -p test -e test@domain.test -r http://localhost:4873
+      - name: publish
+        run: pnpm local:publish
+      - name: install yeoman
+        run: npm install -g yo@4 --loglevel=info
+      - name: install generator
+        run: npm install -g generator-verdaccio-plugin --loglevel=info --registry http://localhost:4873
+# Future: add a test to verify the plugin is working with prompt 

.github/workflows/static-data.yml

@@ -18,12 +18,13 @@ jobs:
   prepare:
     name: Run script
     runs-on: ubuntu-latest
+    if: github.repository == 'verdaccio/verdaccio'
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           persist-credentials: false
           fetch-depth: 0
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version: 18.x
       - name: install pnpm
@@ -45,7 +46,7 @@ jobs:
       - name: format
         run: pnpm format
       - name: Commit & Push changes
-        uses: actions-js/push@156f2b10c3aa000c44dbe75ea7018f32ae999772 # tag=v1.4
+        uses: actions-js/push@5a7cbd780d82c0c937b5977586e641b2fd94acc5 # tag=v1.5
         with:
           github_token: ${{ secrets.TOKEN_VERDACCIOBOT_GITHUB }}
           message: "chore: updated static data"

.github/workflows/ui-components.yml

@@ -19,18 +19,19 @@ jobs:
       pull-requests: write  #  to comment on pull-requests
 
     runs-on: ubuntu-latest
+    if: github.repository == 'verdaccio/verdaccio'
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
       - name: Use Node
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version-file: '.nvmrc'
 
       - name: Cache pnpm modules
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         env:
           cache-name: cache-pnpm-modules
         with:

.github/workflows/website.yml

@@ -2,12 +2,14 @@ name: Verdaccio Website CI
 
 on:
   workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * *' 
 
 permissions:
   contents: read  #  to fetch code (actions/checkout)
 
+concurrency:
+  group: website-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
     permissions:
@@ -16,6 +18,7 @@ jobs:
       pull-requests: write  #  to comment on pull-requests
 
     runs-on: ubuntu-latest
+    if: github.repository == 'verdaccio/verdaccio'
     name: setup verdaccio
     services:
       verdaccio:
@@ -23,14 +26,14 @@ jobs:
         ports:
           - 4873:4873
         env:
-          NODE_ENV: production    
+          NODE_ENV: production
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
       - name: Node
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
@@ -44,18 +47,18 @@ jobs:
       - name: Install
         run: pnpm install  --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
           restore-keys: |
-            pnpm-          
-      - name: Build 
+            pnpm-
+      - name: Build
         run: pnpm build
       - name: Build Translations percentage
         run: pnpm --filter @verdaccio/crowdin-translations build
       - name: Cache Docusaurus Build
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: website/node_modules/.cache/webpack
           key: cache/webpack-${{github.ref}}-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -68,8 +71,9 @@ jobs:
           CONTEXT: production
         run: pnpm --filter @verdaccio/website netlify:build
       - name: Deploy to Netlify
+        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
         env:
           NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-        run: pnpm --filter ...@verdaccio/website netlify:deploy 
+        run: pnpm --filter ...@verdaccio/website netlify:deploy
 

.gitignore

@@ -41,7 +41,7 @@ packages/plugins/ui-theme/static
 # CI Pnpm cache
 .pnpm-store/
 
-#docs 
+#docs
 website/docs/api/**/*.md
 website/docs/api/**/*.yml
 !website/docs/api/index.md
@@ -53,3 +53,6 @@ e2e/ui/cypress/screenshots/**/*
 
 # storybook
 packages/ui-components/storybook-static
+
+# plugin generator
+packages/tools/generator-verdaccio-plugin/generators/

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=${BUILDPLATFORM:-linux/amd64} node:21-alpine as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} node:21-alpine AS builder
 
 ENV NODE_ENV=development \
     VERDACCIO_BUILD_REGISTRY=https://registry.npmjs.org

README.md

@@ -43,7 +43,7 @@ Google Cloud Storage** or create your own plugin.
 Install with npm:
 
 ```bash
-npm install --location=global verdaccio@next
+npm install -g verdaccio@next
 ```
 
 With `yarn`
@@ -79,8 +79,8 @@ Furthermore, you can read the [**Debugging Guidelines**](https://github.com/verd
 You can develop your own [plugins](https://verdaccio.org/docs/plugins) with the [verdaccio generator](https://github.com/verdaccio/generator-verdaccio-plugin). Installing [Yeoman](https://yeoman.io/) is required.
 
 ```
-npm install --location=global yo
-npm install --location=global generator-verdaccio-plugin
+npm install -g yo
+npm install -g generator-verdaccio-plugin
 ```
 
 Learn more [here](https://verdaccio.org/docs/dev-plugins) how to develop plugins. Share your plugins with the community.
@@ -251,7 +251,7 @@ Verdaccio aims to support all features of a standard npm client that make sense
 
 - Registering new users (`npm adduser {newuser}`) - **supported**
 - Change password (`npm profile set password`) - **supported**
-- Transferring ownership (`npm owner add {user} {pkg}`) - not supported, _PR-welcome_
+- Transferring ownership (`npm owner`) - **supported**
 - Token (`npm token`) - **supported**
 
 ### Miscellaneous

docker-examples/v5/plugins/docker-local-plugin/Dockerfile

@@ -1,7 +1,7 @@
 # Docs based on https://github.com/xlts-dev/verdaccio-prometheus-middleware#installation
 # Docker multi-stage build - https://docs.docker.com/develop/develop-images/multistage-build/
 # Use an alpine node image to install the plugin
-FROM node:lts-alpine as builder
+FROM node:lts-alpine AS builder
 
 RUN mkdir -p /verdaccio/plugins
 

docker-examples/v6/plugins/docker-build-install-plugin/Dockerfile

@@ -2,7 +2,7 @@
 
 # Docker multi-stage build - https://docs.docker.com/develop/develop-images/multistage-build/
 # Use an alpine node image to install the plugin
-FROM node:lts-alpine as builder
+FROM node:lts-alpine AS builder
 
 # Install the metrics middleware plugin
 # npm docs

docker-examples/v6/plugins/docker-local-plugin/Dockerfile

@@ -1,7 +1,7 @@
 # Docs based on https://github.com/xlts-dev/verdaccio-prometheus-middleware#installation
 # Docker multi-stage build - https://docs.docker.com/develop/develop-images/multistage-build/
 # Use an alpine node image to install the plugin
-FROM node:lts-alpine as builder
+FROM node:lts-alpine AS builder
 
 RUN mkdir -p /verdaccio/plugins
 

docs/env.variables.md

@@ -5,12 +5,13 @@ internal features.
 
 #### VERDACCIO_LEGACY_ALGORITHM
 
-Allows to define the specific algorithm for the token
-signature which by default is `aes-256-ctr`
+Allows to define the specific algorithm for the token signature which by default is `aes-256-ctr`. The algorithm must be supported by `crypto.createCipheriv` and `crypto.createDecipheriv`.
+Read more here: https://nodejs.org/api/crypto.html#crypto_crypto_createcipheriv_algorithm_key_iv_options
 
 #### VERDACCIO_LEGACY_ENCRYPTION_KEY
 
-By default, the token stores in the database, but using this variable allows to get it from memory
+By default, the token stores in the database, but using this variable allows to get it from memory, the length must be 32 characters otherwise will throw an error.
+Read more here: https://nodejs.org/api/crypto.html#crypto_crypto_createcipheriv_algorithm_key_iv_options
 
 #### VERDACCIO_PUBLIC_URL
 

docs/migration-v5-to-v6.md

@@ -1,14 +1,14 @@
-# Migration guide from Verdaccio 5 to Verdaccio 6
+# Migration Guide from Verdaccio 5 to Verdaccio 6
 
 Notes regarding breaking changes for next major release.
 
-> This list might growth over the development.
+> This list might growth over the course of development.
 
-## Breaking changes
+## Breaking Changes
 
 ### New node-api interface [#2165](https://github.com/verdaccio/verdaccio/pull/2165)
 
-If you are using the node-api, the new structure is Promise based and less arguments.
+If you are using the `node-api`, the new structure is Promise based and less arguments.
 
 ```js
 import { runServer } from '@verdaccio/node-api';
@@ -22,7 +22,7 @@ app.listen(4000, (event) => {
 });
 ```
 
-### allow other password hashing algorithms [#1917](https://github.com/verdaccio/verdaccio/pull/1917)
+### Allow other password hashing algorithms [#1917](https://github.com/verdaccio/verdaccio/pull/1917)
 
 The current implementation of the `htpasswd` module supports multiple hash formats on verify, but only `crypt` on sign in.
 `crypt` is an insecure old format, so to improve the security of the new `verdaccio` release we introduce the support of multiple hash algorithms on sign in step.
@@ -53,21 +53,28 @@ htpasswd:
 
 - The `experiments` configuration is renamed to `flags`. The functionality is exactly the same.
 
-```js
-flags: token: false;
-search: false;
+```yaml
+flags:
+  token: false;
+  search: false;
 ```
 
 - The `self_path` property from the config file is being removed in favor of `config_file` full path.
 - Refactor `config` module, better types and utilities
 
-### legacy token signature by removing crypto.createDecipher is deprecated [#1953](https://github.com/verdaccio/verdaccio/pull/1953)
+### Legacy token signature by removing crypto.createDecipher is deprecated [#1953](https://github.com/verdaccio/verdaccio/pull/1953)
 
 - Replace signature handler for legacy tokens by removing deprecated crypto.createDecipher by createCipheriv
 - **The new signature invalidates all previous tokens generated by Verdaccio 5 or previous versions**.
 - The secret key must have 32 characters long
   > Remediation, update `.verdaccio-db.json` secret field with a secret key with 32 characters.
 
+### Legacy token secret length
+
+If the migration to v6 include an update to node 22 or higher, be aware that token secrets with a length other than 32 are not
+supported anymore. A new secret will be generated. See [docs](https://verdaccio.org/docs/6.x/configuration#legacy-token-signature)
+for more details.
+
 #### New environment variables
 
 Introduce environment variables for legacy tokens.

e2e/cli/cli-commons/package.json

@@ -5,16 +5,16 @@
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
   "devDependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
-    "debug": "4.3.4",
+    "@verdaccio/config": "workspace:7.0.0-next-8.21",
+    "@verdaccio/core": "workspace:7.0.0-next-8.21",
+    "@verdaccio/types": "workspace:12.0.0-next-7.5",
+    "debug": "4.3.6",
     "fs-extra": "11.2.0",
     "get-port": "5.1.1",
     "got": "11.8.6",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",
-    "verdaccio": "workspace:7.0.0-next-7.13"
+    "verdaccio": "workspace:7.0.0-next-8.21"
   },
   "scripts": {
     "test": "jest",

e2e/cli/e2e-npm10/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "10.4.0"
+    "npm": "10.8.2"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm6/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.9.2"
+    "npm": "9.9.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm7/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.9.2"
+    "npm": "9.9.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm8/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.9.2"
+    "npm": "9.9.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm9/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.9.2"
+    "npm": "9.9.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn1/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "yarn": "1.22.21"
+    "yarn": "1.22.22"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn3/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "@yarnpkg/cli-dist": "3.8.0"
+    "@yarnpkg/cli-dist": "3.8.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn4/package.json

@@ -3,7 +3,7 @@
   "name": "@verdaccio/e2e-cli-yarn4",
   "version": "1.0.1",
   "dependencies": {
-    "@yarnpkg/cli-dist": "4.1.0",
+    "@yarnpkg/cli-dist": "4.4.0",
     "@verdaccio/test-cli-commons": "workspace:1.1.0"
   },
   "scripts": {

e2e/docker/generator-e2e/generator.yaml

@@ -0,0 +1,43 @@
+storage: ./storage
+
+web:
+  title: Verdaccio E2E Local
+auth:
+  htpasswd:
+    file: ./htpasswd
+uplinks:
+  npmjs:
+    url: https://registry.npmjs.org/
+packages:
+  '@verdaccio/*':
+    access: $all
+    publish: $all
+    unpublish: $all
+  '@*/*':
+    access: $all
+    publish: $authenticated
+    unpublish: $authenticated
+    proxy: npmjs
+  'verdaccio-*':
+    access: $all
+    publish: $all
+    unpublish: $all
+  'generator-verdaccio-plugin':
+    access: $all
+    publish: $all
+    unpublish: $all
+  'verdaccio':
+    access: $all
+    publish: $all
+    unpublish: $all
+  '**':
+    access: $all
+    publish: $authenticated
+    unpublish: $authenticated
+    proxy: npmjs
+
+middlewares:
+  audit:
+    enabled: false
+
+log: { type: stdout, format: json, level: http }

e2e/ui/package.json

@@ -3,11 +3,11 @@
   "name": "@verdaccio/e2e-ui",
   "version": "2.0.0",
   "devDependencies": {
-    "verdaccio": "workspace:7.0.0-next-7.13",
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
+    "verdaccio": "workspace:7.0.0-next-8.21",
+    "@verdaccio/core": "workspace:7.0.0-next-8.21",
+    "@verdaccio/config": "workspace:7.0.0-next-8.21",
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
-    "debug": "4.3.4",
+    "debug": "4.3.6",
     "cypress": "^13.6.0",
     "get-port": "5.1.1"
   },

package.json

@@ -15,89 +15,90 @@
     "url": "https://opencollective.com/verdaccio"
   },
   "devDependencies": {
-    "@babel/cli": "7.23.9",
-    "@babel/core": "7.23.9",
-    "@babel/eslint-parser": "7.23.3",
-    "@babel/node": "7.23.9",
-    "@babel/plugin-proposal-class-properties": "7.18.6",
-    "@babel/plugin-proposal-decorators": "7.23.9",
-    "@babel/plugin-proposal-export-namespace-from": "7.18.9",
-    "@babel/plugin-proposal-function-sent": "7.23.3",
-    "@babel/plugin-proposal-json-strings": "7.18.6",
-    "@babel/plugin-proposal-nullish-coalescing-operator": "7.18.6",
-    "@babel/plugin-proposal-numeric-separator": "7.18.6",
-    "@babel/plugin-proposal-object-rest-spread": "7.20.7",
-    "@babel/plugin-proposal-optional-chaining": "7.21.0",
-    "@babel/plugin-proposal-throw-expressions": "7.23.3",
+    "@babel/cli": "7.24.8",
+    "@babel/core": "7.24.9",
+    "@babel/eslint-parser": "7.25.1",
+    "@babel/node": "7.25.0",
+    "@babel/plugin-proposal-decorators": "7.24.7",
+    "@babel/plugin-proposal-function-sent": "7.24.7",
+    "@babel/plugin-proposal-throw-expressions": "7.24.7",
     "@babel/plugin-syntax-dynamic-import": "7.8.3",
     "@babel/plugin-syntax-import-meta": "7.10.4",
-    "@babel/plugin-transform-async-to-generator": "7.23.3",
-    "@babel/plugin-transform-classes": "7.23.8",
-    "@babel/plugin-transform-runtime": "7.23.9",
-    "@babel/preset-env": "7.23.9",
-    "@babel/preset-react": "7.23.3",
-    "@babel/preset-typescript": "7.23.3",
-    "@babel/register": "7.23.7",
-    "@babel/runtime": "7.23.9",
+    "@babel/plugin-transform-async-to-generator": "7.24.7",
+    "@babel/plugin-transform-class-properties": "7.24.7",
+    "@babel/plugin-transform-classes": "7.25.0",
+    "@babel/plugin-transform-export-namespace-from": "7.24.7",
+    "@babel/plugin-transform-json-strings": "7.24.7",
+    "@babel/plugin-transform-nullish-coalescing-operator": "7.24.7",
+    "@babel/plugin-transform-numeric-separator": "7.24.7",
+    "@babel/plugin-transform-object-rest-spread": "7.24.7",
+    "@babel/plugin-transform-optional-chaining": "7.24.8",
+    "@babel/plugin-transform-runtime": "7.24.7",
+    "@babel/preset-env": "7.25.0",
+    "@babel/preset-react": "7.24.7",
+    "@babel/preset-typescript": "7.24.7",
+    "@babel/register": "7.24.6",
+    "@babel/runtime": "7.25.0",
     "@changesets/changelog-github": "0.5.0",
-    "@changesets/cli": "2.27.1",
-    "@changesets/get-dependents-graph": "1.3.6",
-    "@crowdin/cli": "3.16.1",
+    "@changesets/cli": "2.27.7",
+    "@changesets/get-dependents-graph": "2.1.1",
+    "@crowdin/cli": "4.1.1",
     "@dianmora/contributors": "5.0.0",
     "@emotion/react": "11.10.6",
     "@emotion/styled": "11.10.6",
-    "@testing-library/dom": "9.3.4",
-    "@testing-library/jest-dom": "6.4.2",
+    "@testing-library/dom": "10.4.0",
+    "@testing-library/jest-dom": "6.4.8",
+    "@testing-library/react": "16.0.0",
     "@testing-library/user-event": "14.5.2",
-    "aria-query": "5.1.3",
-    "@testing-library/react": "14.2.1",
     "@trivago/prettier-plugin-sort-imports": "4.3.0",
     "@types/body-parser": "1.19.5",
     "@types/connect": "3.4.38",
     "@types/cookiejar": "2.1.5",
     "@types/debug": "4.1.12",
     "@types/express": "4.17.21",
-    "@types/express-serve-static-core": "4.17.42",
+    "@types/express-serve-static-core": "4.19.5",
     "@types/http-errors": "2.0.4",
-    "@types/jest": "29.5.11",
-    "@types/jsonwebtoken": "9.0.5",
-    "@types/lodash": "4.14.202",
+    "@types/jest": "29.5.12",
+    "@types/jsonwebtoken": "9.0.6",
+    "@types/lodash": "4.17.7",
     "@types/mime": "3.0.4",
     "@types/minimatch": "5.1.2",
-    "@types/node": "20.11.7",
+    "@types/node": "20.14.12",
     "@types/node-fetch": "2.6.11",
-    "@types/qs": "6.9.11",
+    "@types/qs": "6.9.15",
     "@types/range-parser": "1.2.7",
-    "@types/react": "18.2.48",
-    "@types/react-dom": "18.2.18",
+    "@types/react": "18.3.3",
+    "@types/react-dom": "18.3.0",
     "@types/react-router-dom": "5.3.3",
-    "@types/react-virtualized": "9.21.29",
-    "@types/redux": "3.6.0",
-    "@types/semver": "7.5.6",
+    "@types/react-virtualized": "9.21.30",
+    "@types/semver": "7.5.8",
     "@types/send": "0.17.4",
-    "@types/serve-static": "1.15.5",
+    "@types/serve-static": "1.15.7",
     "@types/superagent": "4.1.24",
     "@types/supertest": "2.0.16",
-    "@types/testing-library__jest-dom": "6.0.0",
-    "@types/validator": "13.11.8",
+    "@types/validator": "13.12.0",
     "@types/webpack": "5.28.5",
-    "@types/webpack-env": "1.18.4",
-    "@typescript-eslint/eslint-plugin": "6.19.1",
-    "@typescript-eslint/parser": "6.19.1",
+    "@types/webpack-env": "1.18.5",
+    "@types/yeoman-environment": "2.10.11",
+    "@types/yeoman-generator": "5.2.14",
+    "@types/yeoman-test": "4.0.6",
+    "@typescript-eslint/eslint-plugin": "6.21.0",
+    "@typescript-eslint/parser": "6.21.0",
     "@verdaccio/crowdin-translations": "workspace:*",
     "@verdaccio/eslint-config": "workspace:*",
     "@verdaccio/types": "workspace:*",
     "@verdaccio/ui-theme": "workspace:*",
-    "@vitest/coverage-v8": "0.34.6",
+    "@vitest/coverage-v8": "2.0.5",
+    "aria-query": "5.1.3",
     "babel-core": "7.0.0-bridge.0",
     "babel-jest": "29.7.0",
     "babel-plugin-dynamic-import-node": "2.3.3",
     "babel-plugin-emotion": "11.0.0",
     "concurrently": "8.2.2",
     "cross-env": "7.0.3",
-    "debug": "4.3.4",
+    "debug": "4.3.6",
     "detect-secrets": "1.0.6",
-    "eslint": "8.56.0",
+    "eslint": "8.57.0",
     "fs-extra": "11.2.0",
     "got": "11.8.6",
     "husky": "8.0.3",
@@ -113,21 +114,21 @@
     "nock": "13.5.1",
     "nodemon": "3.0.3",
     "npm-run-all2": "5.0.2",
-    "prettier": "3.2.2",
+    "prettier": "3.3.3",
     "react": "18.2.0",
     "react-dom": "18.2.0",
-    "rimraf": "5.0.5",
+    "rimraf": "5.0.10",
     "selfsigned": "2.4.1",
-    "supertest": "6.3.4",
+    "supertest": "7.0.0",
     "ts-node": "10.9.2",
     "typescript": "5.3.3",
     "undici-types": "5.28.2",
-    "update-ts-references": "3.2.1",
+    "update-ts-references": "3.3.0",
     "verdaccio-audit": "workspace:*",
     "verdaccio-auth-memory": "workspace:*",
     "verdaccio-htpasswd": "workspace:*",
     "verdaccio-memory": "workspace:*",
-    "vitest": "0.34.6"
+    "vitest": "2.0.4"
   },
   "scripts": {
     "prepare": "husky install",

packages/api/CHANGELOG.md

@@ -1,5 +1,121 @@
 # @verdaccio/api
 
+## 7.0.0-next-8.21
+
+### Patch Changes
+
+- Updated dependencies [8c10a3e]
+- Updated dependencies [a05a7d8]
+- Updated dependencies [7c9f3cf]
+  - @verdaccio/config@7.0.0-next-8.21
+  - @verdaccio/core@7.0.0-next-8.21
+  - @verdaccio/store@7.0.0-next-8.21
+  - @verdaccio/auth@7.0.0-next-8.21
+  - @verdaccio/middleware@7.0.0-next-8.21
+  - @verdaccio/utils@7.0.0-next-8.21
+  - @verdaccio/logger@7.0.0-next-8.21
+
+## 7.0.0-next-7.20
+
+### Patch Changes
+
+- Updated dependencies [ccc7bd1]
+  - @verdaccio/middleware@7.0.0-next-7.20
+  - @verdaccio/auth@7.0.0-next-7.20
+  - @verdaccio/store@7.0.0-next-7.20
+  - @verdaccio/core@7.0.0-next-7.20
+  - @verdaccio/config@7.0.0-next-7.20
+  - @verdaccio/utils@7.0.0-next-7.20
+  - @verdaccio/logger@7.0.0-next-7.20
+
+## 7.0.0-next-7.19
+
+### Patch Changes
+
+- 19df355: chore(api): update comment about route parameters
+- Updated dependencies [2a6ee33]
+- Updated dependencies [6c5f7a4]
+- Updated dependencies [c31aec8]
+  - @verdaccio/middleware@7.0.0-next-7.19
+  - @verdaccio/config@7.0.0-next-7.19
+  - @verdaccio/auth@7.0.0-next-7.19
+  - @verdaccio/store@7.0.0-next-7.19
+  - @verdaccio/core@7.0.0-next-7.19
+  - @verdaccio/utils@7.0.0-next-7.19
+  - @verdaccio/logger@7.0.0-next-7.19
+
+## 7.0.0-next-7.18
+
+### Patch Changes
+
+- Updated dependencies [10dd81f]
+  - @verdaccio/middleware@7.0.0-next-7.18
+  - @verdaccio/config@7.0.0-next-7.18
+  - @verdaccio/auth@7.0.0-next-7.18
+  - @verdaccio/core@7.0.0-next-7.18
+  - @verdaccio/logger@7.0.0-next-7.18
+  - @verdaccio/store@7.0.0-next-7.18
+  - @verdaccio/utils@7.0.0-next-7.18
+
+## 7.0.0-next-7.17
+
+### Patch Changes
+
+- 6e764e3: feat: add support for npm owner
+- Updated dependencies [6e764e3]
+- Updated dependencies [de6ff5c]
+  - @verdaccio/config@7.0.0-next-7.17
+  - @verdaccio/core@7.0.0-next-7.17
+  - @verdaccio/store@7.0.0-next-7.17
+  - @verdaccio/auth@7.0.0-next-7.17
+  - @verdaccio/logger@7.0.0-next-7.17
+  - @verdaccio/middleware@7.0.0-next-7.17
+  - @verdaccio/utils@7.0.0-next-7.17
+
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- Updated dependencies [e5624e1]
+- Updated dependencies [5bfab62]
+  - @verdaccio/store@7.0.0-next-7.16
+  - @verdaccio/logger@7.0.0-next-7.16
+  - @verdaccio/middleware@7.0.0-next-7.16
+  - @verdaccio/auth@7.0.0-next-7.16
+  - @verdaccio/core@7.0.0-next-7.16
+  - @verdaccio/config@7.0.0-next-7.16
+  - @verdaccio/utils@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [7400830]
+- Updated dependencies [bd8703e]
+  - @verdaccio/store@7.0.0-next-7.15
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/auth@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/middleware@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- Updated dependencies [b0946b2]
+- Updated dependencies [f967a69]
+- Updated dependencies [4dc62a8]
+- Updated dependencies [253cc13]
+  - @verdaccio/middleware@7.0.0-next-7.14
+  - @verdaccio/store@7.0.0-next-7.14
+  - @verdaccio/auth@7.0.0-next-7.14
+  - @verdaccio/core@7.0.0-next-7.14
+  - @verdaccio/config@7.0.0-next-7.14
+  - @verdaccio/utils@7.0.0-next-7.14
+  - @verdaccio/logger@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/api/jest.config.js

@@ -1,3 +0,0 @@
-const config = require('../../jest/config');
-
-module.exports = Object.assign({}, config, {});

packages/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/api",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-8.21",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -29,7 +29,7 @@
   },
   "scripts": {
     "clean": "rimraf ./build",
-    "test": "jest",
+    "test": "vitest run",
     "type-check": "tsc --noEmit -p tsconfig.build.json",
     "build:types": "tsc --emitDeclarationOnly -p tsconfig.build.json",
     "build:js": "babel src/ --out-dir build/ --copy-files --extensions \".ts,.tsx\" --source-maps",
@@ -38,28 +38,28 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.13",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.13",
-    "@verdaccio/store": "workspace:7.0.0-next-7.13",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.13",
+    "@verdaccio/auth": "workspace:7.0.0-next-8.21",
+    "@verdaccio/config": "workspace:7.0.0-next-8.21",
+    "@verdaccio/core": "workspace:7.0.0-next-8.21",
+    "@verdaccio/logger": "workspace:7.0.0-next-8.21",
+    "@verdaccio/middleware": "workspace:7.0.0-next-8.21",
+    "@verdaccio/store": "workspace:7.0.0-next-8.21",
+    "@verdaccio/utils": "workspace:7.0.0-next-8.21",
     "abortcontroller-polyfill": "1.7.5",
     "body-parser": "1.20.2",
     "cookies": "0.9.0",
-    "debug": "4.3.4",
-    "express": "4.18.3",
+    "debug": "4.3.6",
+    "express": "4.19.2",
     "lodash": "4.17.21",
     "mime": "2.6.0",
-    "semver": "7.6.0"
+    "semver": "7.6.3"
   },
   "devDependencies": {
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.5",
     "mockdate": "3.0.5",
     "nock": "13.5.1",
-    "supertest": "6.3.4"
+    "supertest": "7.0.0"
   },
   "funding": {
     "type": "opencollective",

packages/api/src/index.ts

@@ -37,10 +37,11 @@ export default function (config: Config, auth: Auth, storage: Storage): Router {
   app.param('revision', validateName);
   app.param('token', validateName);
 
-  // these can't be safely put into express url for some reason
-  // TODO: For some reason? what reason?
+  // Express route parameter names must be valid JavaScript identifiers, which means
+  // they cannot start with a hyphen (-) or contain special characters like dots (.)
   app.param('_rev', match(/^-rev$/));
   app.param('org_couchdb_user', match(/^org\.couchdb\.user:/));
+
   app.use(auth.apiJWTmiddleware());
   app.use(express.json({ strict: false, limit: config.max_body_size || '10mb' }));
   app.use(antiLoop(config));

packages/api/src/package.ts

@@ -28,6 +28,7 @@ export default function (route: Router, auth: Auth, storage: Storage): void {
       const name = req.params.package;
       let version = req.params.version;
       const write = req.query.write === 'true';
+      const username = req?.remote_user?.name;
       const abbreviated =
         stringUtils.getByQualityPriorityValue(req.get('Accept')) === Storage.ABBREVIATED_HEADER;
       const requestOptions = {
@@ -37,6 +38,7 @@ export default function (route: Router, auth: Auth, storage: Storage): void {
         host: req.host,
         remoteAddress: req.socket.remoteAddress,
         byPassCache: write,
+        username,
       };
 
       try {

packages/api/src/publish.ts

@@ -76,11 +76,11 @@ const debug = buildDebug('verdaccio:api:publish');
    * 
    * 3. Star a package
    *
-   * Permissions: start a package depends of the publish and unpublish permissions, there is no
-   * specific flag for star or un start.
+   * Permissions: staring a package depends of the publish and unpublish permissions, there is no
+   * specific flag for star or unstar.
    * The URL for star is similar to the unpublish (change package format)
    *
-   * npm has no endpoint for star a package, rather mutate the metadata and acts as, the difference
+   * npm has no endpoint for staring a package, rather mutate the metadata and acts as, the difference
    * is the users property which is part of the payload and the body only includes
    *
    * {
@@ -89,7 +89,24 @@ const debug = buildDebug('verdaccio:api:publish');
 		  "users": {
 		    [username]: boolean value (true, false)
 		  }
-	}
+	   }
+   *
+   * 4. Change owners of a package
+   *
+   * Similar to staring a package, changing owners (maintainers) of a package uses the publish
+   * endpoint. 
+   *
+   * The body includes a list of the new owners with the following format
+   *
+   * {
+		  "_id": pkgName,
+	  	"_rev": "4-b0cdaefc9bdb77c8",
+		  "maintainers": [
+        { "name": "first owner", "email": "me@verdaccio.org" },
+        { "name": "second owner", "email": "you@verdaccio.org" },
+        ...
+		  ]
+	   }
    *
    */
 export default function publish(router: Router, auth: Auth, storage: Storage): void {
@@ -127,10 +144,11 @@ export default function publish(router: Router, auth: Auth, storage: Storage): v
     async function (req: $RequestExtend, res: $ResponseExtend, next: $NextFunctionVer) {
       const packageName = req.params.package;
       const rev = req.params.revision;
+      const username = req?.remote_user?.name;
 
       logger.debug({ packageName }, `unpublishing @{packageName}`);
       try {
-        await storage.removePackage(packageName, rev);
+        await storage.removePackage(packageName, rev, username);
         debug('package %s unpublished', packageName);
         res.status(HTTP_STATUS.CREATED);
         return next({ ok: API_MESSAGE.PKG_REMOVED });
@@ -155,13 +173,14 @@ export default function publish(router: Router, auth: Auth, storage: Storage): v
     ): Promise<void> {
       const packageName = req.params.package;
       const { filename, revision } = req.params;
+      const username = req?.remote_user?.name;
 
       logger.debug(
         { packageName, filename, revision },
         `removing a tarball for @{packageName}-@{tarballName}-@{revision}`
       );
       try {
-        await storage.removeTarball(packageName, filename, revision);
+        await storage.removeTarball(packageName, filename, revision, username);
         res.status(HTTP_STATUS.CREATED);
 
         logger.debug(
@@ -188,6 +207,12 @@ export function publishPackage(storage: Storage): any {
     const metadata = req.body;
     const username = req?.remote_user?.name;
 
+    debug('publishing package %o for user %o', packageName, username);
+    logger.debug(
+      { packageName, username },
+      'publishing package @{packageName} for user @{username}'
+    );
+
     try {
       const message = await storage.updateManifest(metadata, {
         name: packageName,

packages/api/src/user.ts

@@ -27,10 +27,22 @@ export default function (route: Router, auth: Auth, config: Config): void {
     rateLimit(config?.userRateLimit),
     function (req: $RequestExtend, res: Response, next: $NextFunctionVer): void {
       debug('verifying user');
+
+      if (typeof req.remote_user.name !== 'string' || req.remote_user.name === '') {
+        debug('user not logged in');
+        res.status(HTTP_STATUS.OK);
+        return next({ ok: false });
+      }
+
+      const username = req.params.org_couchdb_user.split(':')[1];
       const message = getAuthenticatedMessage(req.remote_user.name);
       debug('user authenticated message %o', message);
       res.status(HTTP_STATUS.OK);
       next({
+        // 'npm owner' requires user info
+        // TODO: we don't have the email
+        name: username,
+        email: '',
         ok: message,
       });
     }
@@ -61,6 +73,10 @@ export default function (route: Router, auth: Auth, config: Config): void {
       debug('login or adduser');
       const remoteName = req?.remote_user?.name;
 
+      if (!validatioUtils.validateUserName(req.params.org_couchdb_user, name)) {
+        return next(errorUtils.getBadRequest(API_ERROR.USERNAME_MISMATCH));
+      }
+
       if (typeof remoteName !== 'undefined' && typeof name === 'string' && remoteName === name) {
         debug('login: no remote user detected');
         auth.authenticate(
@@ -97,6 +113,7 @@ export default function (route: Router, auth: Auth, config: Config): void {
           }
         );
       } else {
+        debug('adduser: %o', name);
         if (
           validatioUtils.validatePassword(
             password,

packages/api/test/integration/_helper.ts

@@ -2,6 +2,7 @@ import { Application } from 'express';
 import _ from 'lodash';
 import path from 'path';
 import supertest from 'supertest';
+import { expect } from 'vitest';
 
 import { parseConfigFile } from '@verdaccio/config';
 import { HEADERS, HEADER_TYPE, HTTP_STATUS, TOKEN_BEARER } from '@verdaccio/core';
@@ -11,7 +12,7 @@ import {
   generatePackageMetadata,
   initializeServer as initializeServerHelper,
 } from '@verdaccio/test-helper';
-import { GenericBody, PackageUsers } from '@verdaccio/types';
+import { Author, GenericBody, PackageUsers } from '@verdaccio/types';
 import { buildToken, generateRandomHexString } from '@verdaccio/utils';
 
 import apiMiddleware from '../../src';
@@ -142,6 +143,37 @@ export function starPackage(
   return test;
 }
 
+export function changeOwners(
+  app,
+  options: {
+    maintainers: Author[];
+    name: string;
+    _rev: string;
+    _id?: string;
+  },
+  token?: string
+): supertest.Test {
+  const { _rev, _id, maintainers } = options;
+  const ownerManifest = {
+    _rev,
+    _id,
+    maintainers,
+  };
+
+  const test = supertest(app)
+    .put(`/${encodeURIComponent(options.name)}`)
+    .set(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON)
+    .send(JSON.stringify(ownerManifest))
+    .set('accept', HEADERS.GZIP)
+    .set(HEADER_TYPE.ACCEPT_ENCODING, HEADERS.JSON);
+
+  if (typeof token === 'string') {
+    test.set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, token));
+  }
+
+  return test;
+}
+
 export function getDisTags(app, pkgName) {
   return supertest(app)
     .get(`/-/package/${encodeURIComponent(pkgName)}/dist-tags`)

packages/api/test/integration/config/owner.yaml

@@ -0,0 +1,24 @@
+storage: ./storage
+
+auth:
+  htpasswd:
+    file: ./htpasswd-owner
+
+web:
+  enable: true
+  title: verdaccio
+
+log: { type: stdout, format: pretty, level: info }
+
+# TODO: Add test case for $owner access
+packages:
+  '@*/*':
+    access: $all
+    publish: $authenticated
+    unpublish: $authenticated
+  '**':
+    access: $all
+    publish: $authenticated
+    unpublish: $authenticated
+
+_debug: true

packages/api/test/integration/distTag.spec.ts

@@ -1,4 +1,5 @@
 import supertest from 'supertest';
+import { beforeEach, describe, expect, test } from 'vitest';
 
 import { API_MESSAGE, HEADERS, HEADER_TYPE, HTTP_STATUS } from '@verdaccio/core';
 

packages/api/test/integration/owner.spec.ts

@@ -0,0 +1,119 @@
+/* eslint-disable jest/no-commented-out-tests */
+import nock from 'nock';
+import { describe, expect, test } from 'vitest';
+
+import { HTTP_STATUS } from '@verdaccio/core';
+
+import {
+  changeOwners,
+  createUser,
+  getPackage,
+  initializeServer,
+  publishVersionWithToken,
+} from './_helper';
+
+describe('owner', () => {
+  test.each([['foo', '@scope%2Ffoo']])('should get owner of package', async (pkgName) => {
+    nock('https://registry.npmjs.org').get(`/${pkgName}`).reply(404);
+    const app = await initializeServer('owner.yaml');
+    const credentials = { name: 'test', password: 'test' };
+    const response = await createUser(app, credentials.name, credentials.password);
+    expect(response.body.ok).toMatch(`user '${credentials.name}' created`);
+    await publishVersionWithToken(app, pkgName, '1.0.0', response.body.token).expect(
+      HTTP_STATUS.CREATED
+    );
+
+    // expect publish to set owner to logged in user
+    const manifest = await getPackage(app, '', decodeURIComponent(pkgName));
+    const maintainers = manifest.body.maintainers;
+    expect(maintainers).toHaveLength(1);
+    // TODO: This should eventually include the email of the user
+    expect(maintainers).toEqual([{ name: credentials.name, email: '' }]);
+  });
+
+  test.each([['foo', '@scope%2Ffoo']])('should add/remove owner to package', async (pkgName) => {
+    nock('https://registry.npmjs.org').get(`/${pkgName}`).reply(404);
+    const app = await initializeServer('owner.yaml');
+    const credentials = { name: 'test', password: 'test' };
+    const firstOwner = { name: 'test', email: '' };
+    const response = await createUser(app, credentials.name, credentials.password);
+    expect(response.body.ok).toMatch(`user '${credentials.name}' created`);
+    await publishVersionWithToken(app, pkgName, '1.0.0', response.body.token).expect(
+      HTTP_STATUS.CREATED
+    );
+
+    // publish sets owner to logged in user
+    const manifest = await getPackage(app, '', decodeURIComponent(pkgName));
+    const maintainers = manifest.body.maintainers;
+    expect(maintainers).toHaveLength(1);
+    expect(maintainers).toEqual([firstOwner]);
+
+    // add another owner
+    const secondOwner = { name: 'tester', email: 'test@verdaccio.org' };
+    const newOwners = [...maintainers, secondOwner];
+    await changeOwners(
+      app,
+      {
+        _rev: manifest.body._rev,
+        _id: manifest.body._id,
+        name: pkgName,
+        maintainers: newOwners,
+      },
+      response.body.token
+    ).expect(HTTP_STATUS.CREATED);
+
+    const manifest2 = await getPackage(app, '', decodeURIComponent(pkgName));
+    const maintainers2 = manifest2.body.maintainers;
+    expect(maintainers2).toHaveLength(2);
+    expect(maintainers2).toEqual([firstOwner, secondOwner]);
+
+    // remove original owner
+    await changeOwners(
+      app,
+      {
+        _rev: manifest2.body._rev,
+        _id: manifest2.body._id,
+        name: pkgName,
+        maintainers: [secondOwner],
+      },
+      response.body.token
+    ).expect(HTTP_STATUS.CREATED);
+
+    const manifest3 = await getPackage(app, '', decodeURIComponent(pkgName));
+    const maintainers3 = manifest3.body.maintainers;
+    expect(maintainers3).toHaveLength(1);
+    expect(maintainers3).toEqual([secondOwner]);
+  });
+
+  test.each([['foo', '@scope%2Ffoo']])('should fail if user is not logged in', async (pkgName) => {
+    nock('https://registry.npmjs.org').get(`/${pkgName}`).reply(404);
+    const app = await initializeServer('owner.yaml');
+    const credentials = { name: 'test', password: 'test' };
+    const firstOwner = { name: 'test', email: '' };
+    const response = await createUser(app, credentials.name, credentials.password);
+    expect(response.body.ok).toMatch(`user '${credentials.name}' created`);
+    await publishVersionWithToken(app, pkgName, '1.0.0', response.body.token).expect(
+      HTTP_STATUS.CREATED
+    );
+
+    // publish sets owner to logged in user
+    const manifest = await getPackage(app, '', decodeURIComponent(pkgName));
+    const maintainers = manifest.body.maintainers;
+    expect(maintainers).toHaveLength(1);
+    expect(maintainers).toEqual([firstOwner]);
+
+    // try adding another owner
+    const secondOwner = { name: 'tester', email: 'test@verdaccio.org' };
+    const newOwners = [...maintainers, secondOwner];
+    await changeOwners(
+      app,
+      {
+        _rev: manifest.body._rev,
+        _id: manifest.body._id,
+        name: pkgName,
+        maintainers: newOwners,
+      },
+      '' // no token
+    ).expect(HTTP_STATUS.UNAUTHORIZED);
+  });
+});

packages/api/test/integration/package.spec.ts

@@ -1,4 +1,5 @@
 import supertest from 'supertest';
+import { beforeEach, describe, expect, test } from 'vitest';
 
 import { DIST_TAGS, HEADERS, HEADER_TYPE, HTTP_STATUS } from '@verdaccio/core';
 import { Storage } from '@verdaccio/store';

packages/api/test/integration/ping.spec.ts

@@ -1,4 +1,5 @@
 import supertest from 'supertest';
+import { describe, expect, test } from 'vitest';
 
 import { HEADERS, HEADER_TYPE, HTTP_STATUS } from '@verdaccio/core';
 

packages/api/test/integration/profile.spec.ts

@@ -1,4 +1,5 @@
 import supertest from 'supertest';
+import { describe, test } from 'vitest';
 
 import { HEADERS, HEADER_TYPE, HTTP_STATUS, TOKEN_BEARER } from '@verdaccio/core';
 import { buildToken } from '@verdaccio/utils';

packages/api/test/integration/publish.spec.ts

@@ -1,6 +1,7 @@
 import nock from 'nock';
 import { basename } from 'path';
 import supertest from 'supertest';
+import { describe, expect, test } from 'vitest';
 
 import { HTTP_STATUS } from '@verdaccio/core';
 import { API_ERROR, API_MESSAGE, HEADERS, HEADER_TYPE } from '@verdaccio/core';

packages/api/test/integration/search.spec.ts

@@ -1,5 +1,6 @@
 import MockDate from 'mockdate';
 import supertest from 'supertest';
+import { beforeEach, describe, expect, test } from 'vitest';
 
 import { HEADERS, HEADER_TYPE, HTTP_STATUS } from '@verdaccio/core';
 
@@ -43,6 +44,12 @@ describe('search', () => {
               links: {
                 npm: '',
               },
+              maintainers: [
+                {
+                  email: '',
+                  name: 'test',
+                },
+              ],
               name: pkg,
               publisher: {},
               scope: '',
@@ -97,6 +104,12 @@ describe('search', () => {
               links: {
                 npm: '',
               },
+              maintainers: [
+                {
+                  email: '',
+                  name: 'test',
+                },
+              ],
               name: pkg,
               publisher: {},
               scope: '@scope',

packages/api/test/integration/star.spec.ts

@@ -1,5 +1,6 @@
 import nock from 'nock';
 import supertest from 'supertest';
+import { describe, expect, test } from 'vitest';
 
 import { HTTP_STATUS } from '@verdaccio/core';
 import { HEADERS, HEADER_TYPE } from '@verdaccio/core';

packages/api/test/integration/token.spec.ts

@@ -1,5 +1,6 @@
 import _ from 'lodash';
 import supertest from 'supertest';
+import { describe, expect, test } from 'vitest';
 
 import {
   API_ERROR,

packages/api/test/integration/user.spec.ts

@@ -1,4 +1,5 @@
 import supertest from 'supertest';
+import { describe, expect, test, vi } from 'vitest';
 
 import { API_ERROR, HEADERS, HEADER_TYPE, HTTP_STATUS, TOKEN_BEARER } from '@verdaccio/core';
 import { buildToken } from '@verdaccio/utils';
@@ -7,7 +8,7 @@ import { createUser, getPackage, initializeServer } from './_helper';
 
 const FORBIDDEN_VUE = 'authorization required to access package vue';
 
-jest.setTimeout(20000);
+vi.setConfig({ testTimeout: 20000 });
 
 describe('token', () => {
   describe('basics', () => {
@@ -148,6 +149,25 @@ describe('token', () => {
           .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
           .expect(HTTP_STATUS.OK);
         expect(response2.body.ok).toBe(`you are authenticated as '${credentials.name}'`);
+        expect(response2.body.name).toBe(credentials.name);
+      }
+    );
+
+    test.each([['user.yaml'], ['user.jwt.yaml']])(
+      'should return name of requested user',
+      async (conf) => {
+        const app = await initializeServer(conf);
+        const username = 'yeti';
+        const credentials = { name: 'jota', password: 'secretPass' };
+        const response = await createUser(app, credentials.name, credentials.password);
+        expect(response.body.ok).toMatch(`user '${credentials.name}' created`);
+        const response3 = await supertest(app)
+          .get(`/-/user/org.couchdb.user:${username}`)
+          .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+          .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+          .expect(HTTP_STATUS.OK);
+        expect(response3.body.ok).toBe(`you are authenticated as '${credentials.name}'`);
+        expect(response3.body.name).toBe(username);
       }
     );
 
@@ -165,5 +185,38 @@ describe('token', () => {
         .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
         .expect(HTTP_STATUS.OK);
     });
+
+    test.each([['user.yaml'], ['user.jwt.yaml']])(
+      'should return "false" if user is not logged in',
+      async (conf) => {
+        const app = await initializeServer(conf);
+        const credentials = { name: 'jota', password: '' };
+        const response = await supertest(app)
+          .get(`/-/user/org.couchdb.user:${credentials.name}`)
+          .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+          .expect(HTTP_STATUS.OK);
+        expect(response.body.ok).toBe(false);
+      }
+    );
+
+    test.each([['user.yaml'], ['user.jwt.yaml']])(
+      'should fail if URL does not match user in request body',
+      async (conf) => {
+        const app = await initializeServer(conf);
+        const credentials = { name: 'jota', password: 'secretPass' };
+        const response = await createUser(app, credentials.name, credentials.password);
+        expect(response.body.ok).toMatch(`user '${credentials.name}' created`);
+        const response2 = await supertest(app)
+          .put('/-/user/org.couchdb.user:yeti') // different user
+          .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+          .send({
+            name: credentials.name,
+            password: credentials.password,
+          })
+          .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+          .expect(HTTP_STATUS.BAD_REQUEST);
+        expect(response2.body.error).toBe(API_ERROR.USERNAME_MISMATCH);
+      }
+    );
   });
 });

packages/api/test/integration/whoami.spec.ts

@@ -1,4 +1,5 @@
 import supertest from 'supertest';
+import { describe, expect, test } from 'vitest';
 
 import { HEADERS, HTTP_STATUS, TOKEN_BEARER } from '@verdaccio/core';
 import { buildToken } from '@verdaccio/utils';

packages/api/test/unit/validate.api.params.middleware.spec.ts

@@ -2,6 +2,7 @@
 // ensure that all arguments are validated
 import fs from 'fs';
 import path from 'path';
+import { describe, expect, test } from 'vitest';
 
 /**
  * Validate.

packages/auth/CHANGELOG.md

@@ -1,5 +1,115 @@
 # @verdaccio/auth
 
+## 7.0.0-next-8.21
+
+### Patch Changes
+
+- 7c9f3cf: chore: improve startup logging
+- Updated dependencies [8c10a3e]
+- Updated dependencies [a05a7d8]
+- Updated dependencies [7c9f3cf]
+  - @verdaccio/config@7.0.0-next-8.21
+  - @verdaccio/core@7.0.0-next-8.21
+  - @verdaccio/loaders@7.0.0-next-8.21
+  - verdaccio-htpasswd@12.0.0-next-8.21
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/utils@7.0.0-next-8.21
+  - @verdaccio/logger@7.0.0-next-8.21
+
+## 7.0.0-next-7.20
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.20
+- @verdaccio/config@7.0.0-next-7.20
+- @verdaccio/loaders@7.0.0-next-7.20
+- verdaccio-htpasswd@12.0.0-next-7.20
+- @verdaccio/utils@7.0.0-next-7.20
+- @verdaccio/signature@7.0.0-next-7.5
+- @verdaccio/logger@7.0.0-next-7.20
+
+## 7.0.0-next-7.19
+
+### Patch Changes
+
+- Updated dependencies [c31aec8]
+  - @verdaccio/config@7.0.0-next-7.19
+  - @verdaccio/loaders@7.0.0-next-7.19
+  - verdaccio-htpasswd@12.0.0-next-7.19
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/core@7.0.0-next-7.19
+  - @verdaccio/utils@7.0.0-next-7.19
+  - @verdaccio/logger@7.0.0-next-7.19
+
+## 7.0.0-next-7.18
+
+### Patch Changes
+
+- Updated dependencies [10dd81f]
+  - @verdaccio/config@7.0.0-next-7.18
+  - @verdaccio/core@7.0.0-next-7.18
+  - @verdaccio/loaders@7.0.0-next-7.18
+  - @verdaccio/logger@7.0.0-next-7.18
+  - verdaccio-htpasswd@12.0.0-next-7.18
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/utils@7.0.0-next-7.18
+
+## 7.0.0-next-7.17
+
+### Patch Changes
+
+- Updated dependencies [6e764e3]
+  - @verdaccio/config@7.0.0-next-7.17
+  - @verdaccio/core@7.0.0-next-7.17
+  - @verdaccio/loaders@7.0.0-next-7.17
+  - @verdaccio/logger@7.0.0-next-7.17
+  - verdaccio-htpasswd@12.0.0-next-7.17
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/utils@7.0.0-next-7.17
+
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.16
+- @verdaccio/loaders@7.0.0-next-7.16
+- verdaccio-htpasswd@12.0.0-next-7.16
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/config@7.0.0-next-7.16
+- @verdaccio/utils@7.0.0-next-7.16
+- @verdaccio/signature@7.0.0-next-7.5
+
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/loaders@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - verdaccio-htpasswd@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- 4dc62a8: fix: adduser error message grammar (@tobbe in #4586)
+- Updated dependencies [b6d5652]
+  - @verdaccio/signature@7.0.0-next-7.4
+  - @verdaccio/core@7.0.0-next-7.14
+  - @verdaccio/config@7.0.0-next-7.14
+  - @verdaccio/loaders@7.0.0-next-7.14
+  - verdaccio-htpasswd@12.0.0-next-7.14
+  - @verdaccio/utils@7.0.0-next-7.14
+  - @verdaccio/logger@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/auth",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-8.21",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,21 +38,21 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/loaders": "workspace:7.0.0-next-7.13",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
-    "@verdaccio/signature": "workspace:7.0.0-next.3",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.13",
-    "debug": "4.3.4",
+    "@verdaccio/config": "workspace:7.0.0-next-8.21",
+    "@verdaccio/core": "workspace:7.0.0-next-8.21",
+    "@verdaccio/loaders": "workspace:7.0.0-next-8.21",
+    "@verdaccio/logger": "workspace:7.0.0-next-8.21",
+    "@verdaccio/signature": "workspace:7.0.0-next-7.5",
+    "@verdaccio/utils": "workspace:7.0.0-next-8.21",
+    "debug": "4.3.6",
     "lodash": "4.17.21",
-    "verdaccio-htpasswd": "workspace:12.0.0-next-7.13"
+    "verdaccio-htpasswd": "workspace:12.0.0-next-8.21"
   },
   "devDependencies": {
-    "express": "4.18.3",
-    "supertest": "6.3.4",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.13",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/middleware": "workspace:7.0.0-next-8.21",
+    "@verdaccio/types": "workspace:12.0.0-next-7.5",
+    "express": "4.19.2",
+    "supertest": "7.0.0"
   },
   "funding": {
     "type": "opencollective",

packages/auth/src/auth.ts

@@ -5,6 +5,7 @@ import { HTPasswd } from 'verdaccio-htpasswd';
 import { createAnonymousRemoteUser, createRemoteUser } from '@verdaccio/config';
 import {
   API_ERROR,
+  PLUGIN_CATEGORY,
   SUPPORT_ERRORS,
   TOKEN_BASIC,
   TOKEN_BEARER,
@@ -13,7 +14,6 @@ import {
   pluginUtils,
   warningUtils,
 } from '@verdaccio/core';
-import '@verdaccio/core';
 import { asyncLoadPlugin } from '@verdaccio/loaders';
 import { logger } from '@verdaccio/logger';
 import {
@@ -21,6 +21,7 @@ import {
   aesEncryptDeprecated,
   parseBasicPayload,
   signPayload,
+  utils as signatureUtils,
 } from '@verdaccio/signature';
 import {
   AllowAccess,
@@ -116,7 +117,8 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
           typeof allow_publish !== 'undefined'
         );
       },
-      this.config?.serverSettings?.pluginPrefix
+      this.config?.serverSettings?.pluginPrefix,
+      PLUGIN_CATEGORY.AUTHENTICATION
     );
   }
 
@@ -239,7 +241,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
           password,
           function (err: VerdaccioError | null, ok?: boolean | string): void {
             if (err) {
-              debug('the user %o could not being added. Error: %o', user, err?.message);
+              debug('the user %o could not be added. Error: %o', user, err?.message);
               return cb(err);
             }
             if (ok) {
@@ -481,14 +483,9 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     next: Function
   ): void {
     debug('handle legacy api middleware');
-    debug('api middleware secret %o', typeof secret === 'string');
+    debug('api middleware has a secret? %o', typeof secret === 'string');
     debug('api middleware authorization %o', typeof authorization === 'string');
-    const credentials: any = getMiddlewareCredentials(
-      security,
-      secret,
-      authorization,
-      this.config?.getEnhancedLegacySignature()
-    );
+    const credentials: any = getMiddlewareCredentials(security, secret, authorization);
     debug('api middleware credentials %o', credentials?.name);
     if (credentials) {
       const { user, password } = credentials;
@@ -588,13 +585,12 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
    * Encrypt a string.
    */
   public aesEncrypt(value: string): string | void {
-    // enhancedLegacySignature enables modern aes192 algorithm signature
-    if (this.config?.getEnhancedLegacySignature()) {
-      debug('signing with enhaced aes legacy');
+    if (this.secret.length === signatureUtils.TOKEN_VALID_LENGTH) {
+      debug('signing with enhanced aes legacy');
       const token = aesEncrypt(value, this.secret);
       return token;
     } else {
-      debug('signing with enhaced aes deprecated legacy');
+      debug('signing with enhanced aes deprecated legacy');
       // deprecated aes (legacy) signature, only must be used for legacy version
       const token = aesEncryptDeprecated(Buffer.from(value), this.secret).toString('base64');
       return token;

packages/auth/src/signature.ts

@@ -1,66 +0,0 @@
-import buildDebug from 'debug';
-import _ from 'lodash';
-
-import { TOKEN_BASIC, TOKEN_BEARER } from '@verdaccio/core';
-import { aesDecrypt, parseBasicPayload } from '@verdaccio/signature';
-import { Security } from '@verdaccio/types';
-
-import { AuthMiddlewarePayload } from './types';
-import {
-  convertPayloadToBase64,
-  isAESLegacy,
-  parseAuthTokenHeader,
-  verifyJWTPayload,
-} from './utils';
-
-const debug = buildDebug('verdaccio:auth:utils');
-
-export function parseAESCredentials(authorizationHeader: string, secret: string) {
-  debug('parseAESCredentials');
-  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
-
-  // basic is deprecated and should not be enforced
-  // basic is currently being used for functional test
-  if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
-    debug('legacy header basic');
-    const credentials = convertPayloadToBase64(token).toString();
-
-    return credentials;
-  } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
-    debug('legacy header bearer');
-    const credentials = aesDecrypt(token, secret);
-
-    return credentials;
-  }
-}
-
-export function getMiddlewareCredentials(
-  security: Security,
-  secretKey: string,
-  authorizationHeader: string
-): AuthMiddlewarePayload {
-  debug('getMiddlewareCredentials');
-  // comment out for debugging purposes
-  if (isAESLegacy(security)) {
-    debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey);
-    if (!credentials) {
-      debug('parse legacy credentials failed');
-      return;
-    }
-
-    const parsedCredentials = parseBasicPayload(credentials);
-    if (!parsedCredentials) {
-      debug('parse legacy basic payload credentials failed');
-      return;
-    }
-
-    return parsedCredentials;
-  }
-  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
-
-  debug('is jwt');
-  if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
-    return verifyJWTPayload(token, secretKey);
-  }
-}

packages/auth/src/utils.ts

@@ -40,12 +40,8 @@ export function parseAuthTokenHeader(authorizationHeader: string): AuthTokenHead
   return { scheme, token };
 }
 
-export function parseAESCredentials(
-  authorizationHeader: string,
-  secret: string,
-  enhanced: boolean
-) {
-  debug('parseAESCredentials');
+export function parseAESCredentials(authorizationHeader: string, secret: string) {
+  debug('parseAESCredentials init');
   const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
 
   // basic is deprecated and should not be enforced
@@ -57,27 +53,29 @@ export function parseAESCredentials(
     return credentials;
   } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
     debug('legacy header bearer');
-    debug('legacy header enhanced?', enhanced);
-    const credentials = enhanced
-      ? aesDecrypt(token.toString(), secret)
-      : // FUTURE: once deprecated legacy is removed this logic won't be longer need it
-        aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
-
-    return credentials;
+    debug('secret length %o', secret.length);
+    const isLegacyUnsecure = secret.length > 32;
+    debug('is legacy unsecure %o', isLegacyUnsecure);
+    if (isLegacyUnsecure) {
+      debug('legacy unsecure enabled');
+      return aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
+    } else {
+      debug('legacy secure enabled');
+      return aesDecrypt(token.toString(), secret);
+    }
   }
 }
 
 export function getMiddlewareCredentials(
   security: Security,
   secretKey: string,
-  authorizationHeader: string,
-  enhanced: boolean = true
+  authorizationHeader: string
 ): AuthMiddlewarePayload {
-  debug('getMiddlewareCredentials');
+  debug('getMiddlewareCredentials init');
   // comment out for debugging purposes
   if (isAESLegacy(security)) {
     debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey, enhanced);
+    const credentials = parseAESCredentials(authorizationHeader, secretKey);
     if (!credentials) {
       debug('parse legacy credentials failed');
       return;

packages/auth/test/auth.spec.ts

@@ -601,16 +601,14 @@ describe('AuthTest', () => {
           });
         });
 
-        describe('deprecated legacy handling forceEnhancedLegacySignature=false', () => {
+        describe('deprecated legacy handling', () => {
           test('should handle valid auth token', async () => {
             const payload = 'juan:password';
             // const token = await signPayload(remoteUser, '12345');
-            const config: Config = new AppConfig(
-              { ...authProfileConf },
-              { forceEnhancedLegacySignature: false }
-            );
+            const config: Config = new AppConfig({ ...authProfileConf });
             // intended to force key generator (associated with mocks above)
-            config.checkSecretKey(undefined);
+            // 64 characters secret long
+            config.checkSecretKey('35fabdd29b820d39125e76e6d85cc294');
             const auth = new Auth(config);
             await auth.init();
             const token = auth.aesEncrypt(payload) as string;
@@ -624,10 +622,7 @@ describe('AuthTest', () => {
 
           test('should handle invalid auth token', async () => {
             const payload = 'juan:password';
-            const config: Config = new AppConfig(
-              { ...authPluginFailureConf },
-              { forceEnhancedLegacySignature: false }
-            );
+            const config: Config = new AppConfig({ ...authPluginFailureConf });
             // intended to force key generator (associated with mocks above)
             config.checkSecretKey(undefined);
             const auth = new Auth(config);
@@ -691,8 +686,7 @@ describe('AuthTest', () => {
               {
                 ...authProfileConf,
                 ...{ security: { api: { jwt: { sign: { expiresIn: '29d' } } } } },
-              },
-              { forceEnhancedLegacySignature: false }
+              }
             );
             // intended to force key generator (associated with mocks above)
             config.checkSecretKey(undefined);
@@ -700,7 +694,6 @@ describe('AuthTest', () => {
             await auth.init();
             const token = (await auth.jwtEncrypt(
               createRemoteUser('jwt_user', [ROLES.ALL]),
-              // @ts-expect-error
               config.security.api.jwt.sign
             )) as string;
             const app = await getServer(auth);

packages/cli/CHANGELOG.md

@@ -1,5 +1,87 @@
 # @verdaccio/cli
 
+## 7.0.0-next-8.21
+
+### Patch Changes
+
+- 7c9f3cf: chore: improve startup logging
+- Updated dependencies [8c10a3e]
+- Updated dependencies [a05a7d8]
+- Updated dependencies [7c9f3cf]
+  - @verdaccio/config@7.0.0-next-8.21
+  - @verdaccio/core@7.0.0-next-8.21
+  - @verdaccio/node-api@7.0.0-next-8.21
+  - @verdaccio/logger@7.0.0-next-8.21
+
+## 7.0.0-next-7.20
+
+### Patch Changes
+
+- @verdaccio/node-api@7.0.0-next-7.20
+- @verdaccio/core@7.0.0-next-7.20
+- @verdaccio/config@7.0.0-next-7.20
+- @verdaccio/logger@7.0.0-next-7.20
+
+## 7.0.0-next-7.19
+
+### Patch Changes
+
+- Updated dependencies [c31aec8]
+  - @verdaccio/config@7.0.0-next-7.19
+  - @verdaccio/node-api@7.0.0-next-7.19
+  - @verdaccio/core@7.0.0-next-7.19
+  - @verdaccio/logger@7.0.0-next-7.19
+
+## 7.0.0-next-7.18
+
+### Patch Changes
+
+- 10dd81f: feat: complete overhaul of web user interface
+- Updated dependencies [10dd81f]
+  - @verdaccio/config@7.0.0-next-7.18
+  - @verdaccio/core@7.0.0-next-7.18
+  - @verdaccio/logger@7.0.0-next-7.18
+  - @verdaccio/node-api@7.0.0-next-7.18
+
+## 7.0.0-next-7.17
+
+### Patch Changes
+
+- 199aea3: chore: add config location and loglevel to startup log
+- Updated dependencies [6e764e3]
+  - @verdaccio/config@7.0.0-next-7.17
+  - @verdaccio/core@7.0.0-next-7.17
+  - @verdaccio/logger@7.0.0-next-7.17
+  - @verdaccio/node-api@7.0.0-next-7.17
+
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.16
+- @verdaccio/node-api@7.0.0-next-7.16
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/config@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/node-api@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/node-api@7.0.0-next-7.14
+- @verdaccio/core@7.0.0-next-7.14
+- @verdaccio/config@7.0.0-next-7.14
+- @verdaccio/logger@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/cli",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-8.21",
   "author": {
     "name": "Juan Picado",
     "email": "juanpicado19@gmail.com"
@@ -43,14 +43,14 @@
     "start": "ts-node src/index.ts"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
-    "@verdaccio/node-api": "workspace:7.0.0-next-7.13",
-    "clipanion": "3.2.1",
-    "envinfo": "7.11.0",
+    "@verdaccio/config": "workspace:7.0.0-next-8.21",
+    "@verdaccio/core": "workspace:7.0.0-next-8.21",
+    "@verdaccio/logger": "workspace:7.0.0-next-8.21",
+    "@verdaccio/node-api": "workspace:7.0.0-next-8.21",
+    "clipanion": "4.0.0-rc.3",
+    "envinfo": "7.13.0",
     "kleur": "4.1.5",
-    "semver": "7.6.0"
+    "semver": "7.6.3"
   },
   "devDependencies": {
     "ts-node": "10.9.2"