chore: update versions (next-7) (#4624)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.changeset/itchy-mangos-wink.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/middleware': patch
+'@verdaccio/url': patch
+---
+
+Improved TS types for renderHTML() and related functions (by @tobbe in #4605)

.changeset/long-moles-attend.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/search-indexer': patch
+---
+
+fix: remove node engine restriction

.changeset/pink-balloons-leave.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/local-storage': patch
+---
+
+chore: reduce log to info if database is not found

.changeset/poor-seals-turn.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/tarball': patch
+'@verdaccio/store': patch
+---
+
+revert #4600

.changeset/pre.json

@@ -66,12 +66,18 @@
     "eight-squids-judge",
     "eighty-lobsters-study",
     "good-cups-train",
+    "itchy-mangos-wink",
     "long-jars-collect",
+    "long-moles-attend",
     "old-turkeys-heal",
     "olive-bananas-wink",
     "perfect-chairs-act",
     "pink-apples-nail",
+    "pink-balloons-leave",
+    "poor-seals-turn",
+    "quick-buses-scream",
     "real-socks-vanish",
+    "sharp-wolves-carry",
     "shiny-worms-retire",
     "shy-carrots-compare",
     "shy-garlics-cry",
@@ -80,7 +86,11 @@
     "spicy-birds-flow",
     "strange-points-repair",
     "thirty-toes-swim",
+    "unlucky-cycles-sparkle",
     "weak-fans-explain",
+    "wet-balloons-give",
+    "wicked-kiwis-check",
+    "wicked-worms-wash",
     "wild-otters-talk",
     "young-donuts-own"
   ]

.changeset/quick-buses-scream.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/store': patch
+---
+
+fix: avoid warning "time for version x already exists"

.changeset/sharp-wolves-carry.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/signature': minor
+---
+
+support for createCipher backward compatible

.changeset/unlucky-cycles-sparkle.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/local-storage': patch
+---
+
+fix: error when writing tarball (missing folder)

.changeset/wet-balloons-give.md

@@ -0,0 +1,10 @@
+---
+'@verdaccio/types': minor
+'@verdaccio/core': minor
+'@verdaccio/signature': minor
+'@verdaccio/node-api': minor
+'@verdaccio/config': minor
+'@verdaccio/auth': minor
+---
+
+feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property

.changeset/wicked-kiwis-check.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/auth': patch
+---
+
+fix: adduser error message grammar (@tobbe in #4586)

.changeset/wicked-worms-wash.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/store': patch
+'@verdaccio/tarball': patch
+---
+
+feat: add tarball details for published packages

.github/workflows/changesets.yml

@@ -20,7 +20,7 @@ jobs:
     if: github.ref == 'refs/heads/master' && github.repository == 'verdaccio/verdaccio'
     steps:
       - name: checkout code repository
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           fetch-depth: 0
 

.github/workflows/ci-windows.yml

@@ -18,7 +18,7 @@ jobs:
         env:
           NODE_ENV: production          
     steps:
-    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
     - name: Node
       uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
       with:
@@ -29,14 +29,10 @@ jobs:
       run: |
         mkdir ~/.pnpm-store
         pnpm config set store-dir ~/.pnpm-store
-    - name: set store
-      run: |
-        mkdir ~/.pnpm-store
-        pnpm config set store-dir ~/.pnpm-store            
     - name: Install
       run: pnpm install --registry http://localhost:4873
     - name: Cache .pnpm-store
-      uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
       with:
         path: ~/.pnpm-store
         key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -47,14 +43,14 @@ jobs:
     name: Lint
     needs: prepare
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -71,14 +67,14 @@ jobs:
     name: Format
     needs: prepare
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -100,14 +96,14 @@ jobs:
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node ${{ matrix.node_version }}
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node_version }}
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -126,13 +122,13 @@ jobs:
     runs-on: windows-latest
     name: UI Test E2E
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/workflows/ci.yml

@@ -30,7 +30,7 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -46,7 +46,7 @@ jobs:
       - name: Install
         run: pnpm install  --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -57,7 +57,7 @@ jobs:
     name: Lint
     needs: prepare
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -66,7 +66,7 @@ jobs:
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -82,7 +82,7 @@ jobs:
     name: Format
     needs: prepare
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -91,7 +91,7 @@ jobs:
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -108,11 +108,11 @@ jobs:
       fail-fast: true
       matrix:
         os: [ubuntu-latest]
-        node_version: [18, 20, 21]
+        node_version: [18, 20, 21, 22]
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node ${{ matrix.node_version }}
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -121,7 +121,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -138,9 +138,9 @@ jobs:
     needs: [test]
     runs-on: ubuntu-latest
     name: synchronize translations
-    if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
+    if: (github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'verdaccio/verdaccio') || github.event_name == 'workflow_dispatch'
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
@@ -148,7 +148,7 @@ jobs:
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/workflows/codeql-analysis.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           # We must fetch at least the immediate parents so that if this is
           # a pull request then we can checkout the head.
@@ -34,7 +34,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v2
+        uses: github/codeql-action/init@ceaec5c11a131e0d282ff3b6f095917d234caace # v2
 
       # Override language selection by uncommenting this and choosing your languages
       # with:
@@ -42,7 +42,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v2
+        uses: github/codeql-action/autobuild@ceaec5c11a131e0d282ff3b6f095917d234caace # v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -56,4 +56,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v2
+        uses: github/codeql-action/analyze@ceaec5c11a131e0d282ff3b6f095917d234caace # v2

.github/workflows/docker-proxy-apache-e2e.yml

@@ -16,7 +16,7 @@ jobs:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
-      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       
     - name: Start containers
       run: docker-compose -f "./e2e/docker/apache-verdaccio/docker-compose.yaml" up -d --build

.github/workflows/docker-proxy-nginx-e2e.yml

@@ -13,7 +13,7 @@ jobs:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
-      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       
     - name: Start containers
       run: docker-compose -f "./e2e/docker/proxy-nginx/docker-compose.yaml" up -d --build

.github/workflows/docker-publish.yml

@@ -22,8 +22,9 @@ permissions:
 jobs:
   docker:
     runs-on: ubuntu-latest
+    if: github.repository == 'verdaccio/verdaccio'
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # tag=v1
       - uses: docker/setup-buildx-action@v1
         with:

.github/workflows/e2e-ci.yml

@@ -18,7 +18,7 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -34,7 +34,7 @@ jobs:
       - name: Install
         run: pnpm install --reporter=silence --ignore-scripts --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -44,7 +44,7 @@ jobs:
     needs: [prepare]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node 16
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -53,7 +53,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -65,7 +65,7 @@ jobs:
       - name: build
         run: pnpm build
       - name: Cache packages
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         id: cache-packages
         with:
           path: ./packages/
@@ -97,7 +97,7 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
@@ -105,7 +105,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -114,7 +114,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -141,7 +141,7 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
@@ -149,7 +149,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -158,7 +158,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --loglevel debug --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -186,7 +186,7 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
@@ -194,7 +194,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -203,7 +203,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}

.github/workflows/e2e-ui.yml

@@ -18,7 +18,7 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -33,7 +33,7 @@ jobs:
         run: pnpm build
       - name: Test UI
         run: pnpm test:e2e:ui
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
+      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v3
         with:
           name: videos
           path: /home/runner/work/verdaccio/verdaccio/e2e/ui/cypress/videos

.github/workflows/static-data.yml

@@ -18,8 +18,9 @@ jobs:
   prepare:
     name: Run script
     runs-on: ubuntu-latest
+    if: github.repository == 'verdaccio/verdaccio'
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -45,7 +46,7 @@ jobs:
       - name: format
         run: pnpm format
       - name: Commit & Push changes
-        uses: actions-js/push@156f2b10c3aa000c44dbe75ea7018f32ae999772 # tag=v1.4
+        uses: actions-js/push@5a7cbd780d82c0c937b5977586e641b2fd94acc5 # tag=v1.5
         with:
           github_token: ${{ secrets.TOKEN_VERDACCIOBOT_GITHUB }}
           message: "chore: updated static data"

.github/workflows/ui-components.yml

@@ -19,10 +19,11 @@ jobs:
       pull-requests: write  #  to comment on pull-requests
 
     runs-on: ubuntu-latest
+    if: github.repository == 'verdaccio/verdaccio'
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
@@ -30,7 +31,7 @@ jobs:
           node-version-file: '.nvmrc'
 
       - name: Cache pnpm modules
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         env:
           cache-name: cache-pnpm-modules
         with:

.github/workflows/website.yml

@@ -2,8 +2,6 @@ name: Verdaccio Website CI
 
 on:
   workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * *' 
 
 permissions:
   contents: read  #  to fetch code (actions/checkout)
@@ -16,6 +14,7 @@ jobs:
       pull-requests: write  #  to comment on pull-requests
 
     runs-on: ubuntu-latest
+    if: github.repository == 'verdaccio/verdaccio'
     name: setup verdaccio
     services:
       verdaccio:
@@ -27,7 +26,7 @@ jobs:
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
-      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
@@ -44,7 +43,7 @@ jobs:
       - name: Install
         run: pnpm install  --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -55,7 +54,7 @@ jobs:
       - name: Build Translations percentage
         run: pnpm --filter @verdaccio/crowdin-translations build
       - name: Cache Docusaurus Build
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: website/node_modules/.cache/webpack
           key: cache/webpack-${{github.ref}}-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -68,6 +67,7 @@ jobs:
           CONTEXT: production
         run: pnpm --filter @verdaccio/website netlify:build
       - name: Deploy to Netlify
+        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
         env:
           NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}

README.md

@@ -43,7 +43,7 @@ Google Cloud Storage** or create your own plugin.
 Install with npm:
 
 ```bash
-npm install --location=global verdaccio@next
+npm install -g verdaccio@next
 ```
 
 With `yarn`
@@ -79,8 +79,8 @@ Furthermore, you can read the [**Debugging Guidelines**](https://github.com/verd
 You can develop your own [plugins](https://verdaccio.org/docs/plugins) with the [verdaccio generator](https://github.com/verdaccio/generator-verdaccio-plugin). Installing [Yeoman](https://yeoman.io/) is required.
 
 ```
-npm install --location=global yo
-npm install --location=global generator-verdaccio-plugin
+npm install -g yo
+npm install -g generator-verdaccio-plugin
 ```
 
 Learn more [here](https://verdaccio.org/docs/dev-plugins) how to develop plugins. Share your plugins with the community.

docs/env.variables.md

@@ -5,12 +5,13 @@ internal features.
 
 #### VERDACCIO_LEGACY_ALGORITHM
 
-Allows to define the specific algorithm for the token
-signature which by default is `aes-256-ctr`
+Allows to define the specific algorithm for the token signature which by default is `aes-256-ctr`. The algorithm must be supported by `crypto.createCipheriv` and `crypto.createDecipheriv`.
+Read more here: https://nodejs.org/api/crypto.html#crypto_crypto_createcipheriv_algorithm_key_iv_options
 
 #### VERDACCIO_LEGACY_ENCRYPTION_KEY
 
-By default, the token stores in the database, but using this variable allows to get it from memory
+By default, the token stores in the database, but using this variable allows to get it from memory, the length must be 32 characters otherwise will throw an error.
+Read more here: https://nodejs.org/api/crypto.html#crypto_crypto_createcipheriv_algorithm_key_iv_options
 
 #### VERDACCIO_PUBLIC_URL
 

e2e/cli/cli-commons/package.json

@@ -5,16 +5,16 @@
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
   "devDependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "debug": "4.3.4",
     "fs-extra": "11.2.0",
     "get-port": "5.1.1",
     "got": "11.8.6",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",
-    "verdaccio": "workspace:7.0.0-next-7.13"
+    "verdaccio": "workspace:7.0.0-next-7.15"
   },
   "scripts": {
     "test": "jest",

e2e/cli/e2e-npm10/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "10.4.0"
+    "npm": "10.5.0"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm6/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.9.2"
+    "npm": "9.9.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm7/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.9.2"
+    "npm": "9.9.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm8/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.9.2"
+    "npm": "9.9.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm9/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.9.2"
+    "npm": "9.9.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn1/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "yarn": "1.22.21"
+    "yarn": "1.22.22"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn3/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "@yarnpkg/cli-dist": "3.8.0"
+    "@yarnpkg/cli-dist": "3.8.1"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn4/package.json

@@ -3,7 +3,7 @@
   "name": "@verdaccio/e2e-cli-yarn4",
   "version": "1.0.1",
   "dependencies": {
-    "@yarnpkg/cli-dist": "4.1.0",
+    "@yarnpkg/cli-dist": "4.1.1",
     "@verdaccio/test-cli-commons": "workspace:1.1.0"
   },
   "scripts": {

e2e/ui/package.json

@@ -3,9 +3,9 @@
   "name": "@verdaccio/e2e-ui",
   "version": "2.0.0",
   "devDependencies": {
-    "verdaccio": "workspace:7.0.0-next-7.13",
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
+    "verdaccio": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
     "debug": "4.3.4",
     "cypress": "^13.6.0",

packages/api/CHANGELOG.md

@@ -1,5 +1,35 @@
 # @verdaccio/api
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [7400830]
+- Updated dependencies [bd8703e]
+  - @verdaccio/store@7.0.0-next-7.15
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/auth@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/middleware@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- Updated dependencies [b0946b2]
+- Updated dependencies [f967a69]
+- Updated dependencies [4dc62a8]
+- Updated dependencies [253cc13]
+  - @verdaccio/middleware@7.0.0-next-7.14
+  - @verdaccio/store@7.0.0-next-7.14
+  - @verdaccio/auth@7.0.0-next-7.14
+  - @verdaccio/core@7.0.0-next-7.14
+  - @verdaccio/config@7.0.0-next-7.14
+  - @verdaccio/utils@7.0.0-next-7.14
+  - @verdaccio/logger@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/api",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,13 +38,13 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.13",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.13",
-    "@verdaccio/store": "workspace:7.0.0-next-7.13",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.13",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.15",
+    "@verdaccio/store": "workspace:7.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "abortcontroller-polyfill": "1.7.5",
     "body-parser": "1.20.2",
     "cookies": "0.9.0",
@@ -56,7 +56,7 @@
   },
   "devDependencies": {
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "mockdate": "3.0.5",
     "nock": "13.5.1",
     "supertest": "6.3.4"

packages/auth/CHANGELOG.md

@@ -1,5 +1,36 @@
 # @verdaccio/auth
 
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/loaders@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - verdaccio-htpasswd@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- 4dc62a8: fix: adduser error message grammar (@tobbe in #4586)
+- Updated dependencies [b6d5652]
+  - @verdaccio/signature@7.0.0-next-7.4
+  - @verdaccio/core@7.0.0-next-7.14
+  - @verdaccio/config@7.0.0-next-7.14
+  - @verdaccio/loaders@7.0.0-next-7.14
+  - verdaccio-htpasswd@12.0.0-next-7.14
+  - @verdaccio/utils@7.0.0-next-7.14
+  - @verdaccio/logger@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/auth",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,21 +38,21 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/loaders": "workspace:7.0.0-next-7.13",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
-    "@verdaccio/signature": "workspace:7.0.0-next.3",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.13",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/loaders": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/signature": "workspace:7.0.0-next-7.5",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "debug": "4.3.4",
     "lodash": "4.17.21",
-    "verdaccio-htpasswd": "workspace:12.0.0-next-7.13"
+    "verdaccio-htpasswd": "workspace:12.0.0-next-7.15"
   },
   "devDependencies": {
     "express": "4.18.3",
     "supertest": "6.3.4",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.13",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/auth/src/auth.ts

@@ -13,7 +13,6 @@ import {
   pluginUtils,
   warningUtils,
 } from '@verdaccio/core';
-import '@verdaccio/core';
 import { asyncLoadPlugin } from '@verdaccio/loaders';
 import { logger } from '@verdaccio/logger';
 import {
@@ -21,6 +20,7 @@ import {
   aesEncryptDeprecated,
   parseBasicPayload,
   signPayload,
+  utils as signatureUtils,
 } from '@verdaccio/signature';
 import {
   AllowAccess,
@@ -239,7 +239,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
           password,
           function (err: VerdaccioError | null, ok?: boolean | string): void {
             if (err) {
-              debug('the user %o could not being added. Error: %o', user, err?.message);
+              debug('the user %o could not be added. Error: %o', user, err?.message);
               return cb(err);
             }
             if (ok) {
@@ -481,14 +481,9 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     next: Function
   ): void {
     debug('handle legacy api middleware');
-    debug('api middleware secret %o', typeof secret === 'string');
+    debug('api middleware has a secret? %o', typeof secret === 'string');
     debug('api middleware authorization %o', typeof authorization === 'string');
-    const credentials: any = getMiddlewareCredentials(
-      security,
-      secret,
-      authorization,
-      this.config?.getEnhancedLegacySignature()
-    );
+    const credentials: any = getMiddlewareCredentials(security, secret, authorization);
     debug('api middleware credentials %o', credentials?.name);
     if (credentials) {
       const { user, password } = credentials;
@@ -588,13 +583,12 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
    * Encrypt a string.
    */
   public aesEncrypt(value: string): string | void {
-    // enhancedLegacySignature enables modern aes192 algorithm signature
-    if (this.config?.getEnhancedLegacySignature()) {
-      debug('signing with enhaced aes legacy');
+    if (this.secret.length === signatureUtils.TOKEN_VALID_LENGTH) {
+      debug('signing with enhanced aes legacy');
       const token = aesEncrypt(value, this.secret);
       return token;
     } else {
-      debug('signing with enhaced aes deprecated legacy');
+      debug('signing with enhanced aes deprecated legacy');
       // deprecated aes (legacy) signature, only must be used for legacy version
       const token = aesEncryptDeprecated(Buffer.from(value), this.secret).toString('base64');
       return token;

packages/auth/src/signature.ts

@@ -1,66 +0,0 @@
-import buildDebug from 'debug';
-import _ from 'lodash';
-
-import { TOKEN_BASIC, TOKEN_BEARER } from '@verdaccio/core';
-import { aesDecrypt, parseBasicPayload } from '@verdaccio/signature';
-import { Security } from '@verdaccio/types';
-
-import { AuthMiddlewarePayload } from './types';
-import {
-  convertPayloadToBase64,
-  isAESLegacy,
-  parseAuthTokenHeader,
-  verifyJWTPayload,
-} from './utils';
-
-const debug = buildDebug('verdaccio:auth:utils');
-
-export function parseAESCredentials(authorizationHeader: string, secret: string) {
-  debug('parseAESCredentials');
-  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
-
-  // basic is deprecated and should not be enforced
-  // basic is currently being used for functional test
-  if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
-    debug('legacy header basic');
-    const credentials = convertPayloadToBase64(token).toString();
-
-    return credentials;
-  } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
-    debug('legacy header bearer');
-    const credentials = aesDecrypt(token, secret);
-
-    return credentials;
-  }
-}
-
-export function getMiddlewareCredentials(
-  security: Security,
-  secretKey: string,
-  authorizationHeader: string
-): AuthMiddlewarePayload {
-  debug('getMiddlewareCredentials');
-  // comment out for debugging purposes
-  if (isAESLegacy(security)) {
-    debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey);
-    if (!credentials) {
-      debug('parse legacy credentials failed');
-      return;
-    }
-
-    const parsedCredentials = parseBasicPayload(credentials);
-    if (!parsedCredentials) {
-      debug('parse legacy basic payload credentials failed');
-      return;
-    }
-
-    return parsedCredentials;
-  }
-  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
-
-  debug('is jwt');
-  if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
-    return verifyJWTPayload(token, secretKey);
-  }
-}

packages/auth/src/utils.ts

@@ -40,12 +40,8 @@ export function parseAuthTokenHeader(authorizationHeader: string): AuthTokenHead
   return { scheme, token };
 }
 
-export function parseAESCredentials(
-  authorizationHeader: string,
-  secret: string,
-  enhanced: boolean
-) {
-  debug('parseAESCredentials');
+export function parseAESCredentials(authorizationHeader: string, secret: string) {
+  debug('parseAESCredentials init');
   const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
 
   // basic is deprecated and should not be enforced
@@ -57,27 +53,29 @@ export function parseAESCredentials(
     return credentials;
   } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
     debug('legacy header bearer');
-    debug('legacy header enhanced?', enhanced);
-    const credentials = enhanced
-      ? aesDecrypt(token.toString(), secret)
-      : // FUTURE: once deprecated legacy is removed this logic won't be longer need it
-        aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
-
-    return credentials;
+    debug('secret length %o', secret.length);
+    const isLegacyUnsecure = secret.length > 32;
+    debug('is legacy unsecure %o', isLegacyUnsecure);
+    if (isLegacyUnsecure) {
+      debug('legacy unsecure enabled');
+      return aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
+    } else {
+      debug('legacy secure enabled');
+      return aesDecrypt(token.toString(), secret);
+    }
   }
 }
 
 export function getMiddlewareCredentials(
   security: Security,
   secretKey: string,
-  authorizationHeader: string,
-  enhanced: boolean = true
+  authorizationHeader: string
 ): AuthMiddlewarePayload {
-  debug('getMiddlewareCredentials');
+  debug('getMiddlewareCredentials init');
   // comment out for debugging purposes
   if (isAESLegacy(security)) {
     debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey, enhanced);
+    const credentials = parseAESCredentials(authorizationHeader, secretKey);
     if (!credentials) {
       debug('parse legacy credentials failed');
       return;

packages/auth/test/auth.spec.ts

@@ -601,16 +601,14 @@ describe('AuthTest', () => {
           });
         });
 
-        describe('deprecated legacy handling forceEnhancedLegacySignature=false', () => {
+        describe('deprecated legacy handling', () => {
           test('should handle valid auth token', async () => {
             const payload = 'juan:password';
             // const token = await signPayload(remoteUser, '12345');
-            const config: Config = new AppConfig(
-              { ...authProfileConf },
-              { forceEnhancedLegacySignature: false }
-            );
+            const config: Config = new AppConfig({ ...authProfileConf });
             // intended to force key generator (associated with mocks above)
-            config.checkSecretKey(undefined);
+            // 64 characters secret long
+            config.checkSecretKey('35fabdd29b820d39125e76e6d85cc294');
             const auth = new Auth(config);
             await auth.init();
             const token = auth.aesEncrypt(payload) as string;
@@ -624,10 +622,7 @@ describe('AuthTest', () => {
 
           test('should handle invalid auth token', async () => {
             const payload = 'juan:password';
-            const config: Config = new AppConfig(
-              { ...authPluginFailureConf },
-              { forceEnhancedLegacySignature: false }
-            );
+            const config: Config = new AppConfig({ ...authPluginFailureConf });
             // intended to force key generator (associated with mocks above)
             config.checkSecretKey(undefined);
             const auth = new Auth(config);
@@ -691,8 +686,7 @@ describe('AuthTest', () => {
               {
                 ...authProfileConf,
                 ...{ security: { api: { jwt: { sign: { expiresIn: '29d' } } } } },
-              },
-              { forceEnhancedLegacySignature: false }
+              }
             );
             // intended to force key generator (associated with mocks above)
             config.checkSecretKey(undefined);
@@ -700,7 +694,6 @@ describe('AuthTest', () => {
             await auth.init();
             const token = (await auth.jwtEncrypt(
               createRemoteUser('jwt_user', [ROLES.ALL]),
-              // @ts-expect-error
               config.security.api.jwt.sign
             )) as string;
             const app = await getServer(auth);

packages/cli/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @verdaccio/cli
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/node-api@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/node-api@7.0.0-next-7.14
+- @verdaccio/core@7.0.0-next-7.14
+- @verdaccio/config@7.0.0-next-7.14
+- @verdaccio/logger@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/cli",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "author": {
     "name": "Juan Picado",
     "email": "juanpicado19@gmail.com"
@@ -43,10 +43,10 @@
     "start": "ts-node src/index.ts"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
-    "@verdaccio/node-api": "workspace:7.0.0-next-7.13",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/node-api": "workspace:7.0.0-next-7.15",
     "clipanion": "3.2.1",
     "envinfo": "7.11.0",
     "kleur": "4.1.5",

packages/config/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @verdaccio/config
 
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.14
+- @verdaccio/utils@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/config",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "logger",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,8 +38,8 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.13",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "debug": "4.3.4",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",

packages/config/src/config.ts

@@ -36,6 +36,13 @@ export const defaultUserRateLimiting = {
   max: 1000,
 };
 
+export function isNodeVersionGreaterThan21() {
+  const [major, minor] = process.versions.node.split('.').map(Number);
+  return major > 21 || (major === 21 && minor >= 0);
+}
+
+const TOKEN_VALID_LENGTH = 32;
+
 /**
  * Coordinates the application configuration
  */
@@ -56,21 +63,20 @@ class Config implements AppConfig {
   public plugins: string | void | null;
   public security: Security;
   public serverSettings: ServerSettingsConf;
+  private configOverrideOptions: { forceMigrateToSecureLegacySignature: boolean };
   // @ts-ignore
   public secret: string;
   public flags: FlagsConfig;
   public userRateLimit: RateLimit;
-  private configOptions: { forceEnhancedLegacySignature: boolean };
   public constructor(
     config: ConfigYaml & { config_path: string },
     // forceEnhancedLegacySignature is a property that
     // allows switch a new legacy aes signature token signature
     // for older versions do not want to have this new signature model
     // this property must be false
-    configOptions = { forceEnhancedLegacySignature: true }
+    configOverrideOptions = { forceMigrateToSecureLegacySignature: true }
   ) {
     const self = this;
-    this.configOptions = configOptions;
     this.storage = process.env.VERDACCIO_STORAGE_PATH || config.storage;
     if (!config.configPath) {
       // backport self_path for previous to version 6
@@ -80,11 +86,21 @@ class Config implements AppConfig {
         throw new Error('configPath property is required');
       }
     }
+    this.configOverrideOptions = configOverrideOptions;
     this.configPath = config.configPath;
     this.self_path = this.configPath;
     debug('config path: %s', this.configPath);
     this.plugins = config.plugins;
-    this.security = _.merge(defaultSecurity, config.security);
+    this.security = _.merge(
+      // override the default security configuration via constructor
+      _.merge(defaultSecurity, {
+        api: {
+          migrateToSecureLegacySignature:
+            this.configOverrideOptions.forceMigrateToSecureLegacySignature,
+        },
+      }),
+      config.security
+    );
     this.serverSettings = serverSettings;
     this.flags = {
       searchRemote: config.flags?.searchRemote ?? true,
@@ -135,14 +151,8 @@ class Config implements AppConfig {
     }
   }
 
-  public getEnhancedLegacySignature() {
-    if (typeof this?.security.enhancedLegacySignature !== 'undefined') {
-      if (this.security.enhancedLegacySignature === true) {
-        return true;
-      }
-      return false;
-    }
-    return this.configOptions.forceEnhancedLegacySignature;
+  public getMigrateToSecureLegacySignature() {
+    return this.security.api.migrateToSecureLegacySignature;
   }
 
   public getConfigPath() {
@@ -158,36 +168,70 @@ class Config implements AppConfig {
   }
 
   /**
-   * Store or create whether receive a secret key
+   * Verify if the secret complies with the required structure
+   *  - If the secret is not provided, it will generate a new one
+   *    - For any Node.js version the new secret will be 32 characters long (to allow compatibility with modern Node.js versions)
+   *  - If the secret is provided:
+   *    - If Node.js 22 or higher, the secret must be 32 characters long thus the application will fail on startup
+   *    - If Node.js 21 or lower, the secret will be used as is but will display a deprecation warning
+   *    - If the property `security.api.migrateToSecureLegacySignature` is provided and set to true, the secret will be
+   *      generated with the new signature model
    * @secret external secret key
    */
   public checkSecretKey(secret?: string): string {
-    debug('check secret key');
+    debug('checking secret key init');
     if (typeof secret === 'string' && _.isEmpty(secret) === false) {
+      debug('checking secret key length %s', secret.length);
+      if (secret.length > TOKEN_VALID_LENGTH) {
+        if (isNodeVersionGreaterThan21()) {
+          debug('is node version greater than 21');
+          if (this.getMigrateToSecureLegacySignature() === true) {
+            this.secret = generateRandomSecretKey();
+            debug('rewriting secret key with length %s', this.secret.length);
+            return this.secret;
+          }
+          // oops, user needs to generate a new secret key
+          debug(
+            'secret does not comply with the required length, current length  %d, application will fail on startup',
+            secret.length
+          );
+          throw new Error(
+            `Invalid storage secret key length, must be 32 characters long but is ${secret.length}. 
+            The secret length in Node.js 22 or higher must be 32 characters long. Please consider generate a new one. 
+            Learn more at https://verdaccio.org/docs/configuration/#.verdaccio-db`
+          );
+        } else {
+          debug('is node version lower than 22');
+          if (this.getMigrateToSecureLegacySignature() === true) {
+            this.secret = generateRandomSecretKey();
+            debug('rewriting secret key with length %s', this.secret.length);
+            return this.secret;
+          }
+          debug('triggering deprecation warning for secret key length %s', secret.length);
+          // still using Node.js versions previous to 22, but we need to emit a deprecation warning
+          // deprecation warning, secret key is too long and must be 32
+          // this will be removed in the next major release and will produce an error
+          warningUtils.emit(Codes.VERWAR007);
+          this.secret = secret;
+          return this.secret;
+        }
+      } else if (secret.length === TOKEN_VALID_LENGTH) {
+        debug('detected valid secret key length %s', secret.length);
+        this.secret = secret;
+        return this.secret;
+      }
+      debug('reusing previous key with length %s', secret.length);
       this.secret = secret;
-      debug('reusing previous key');
-      return secret;
-    }
-    // generate a new a secret key
-    // FUTURE: this might be an external secret key, perhaps within config file?
-    debug('generating a new secret key');
-
-    if (this.getEnhancedLegacySignature()) {
-      debug('key generated with "enhanced" legacy signature user config');
-      this.secret = generateRandomSecretKey();
+      return this.secret;
     } else {
-      debug('key generated with legacy signature user config');
-      this.secret = generateRandomHexString(32);
-    }
-    // set this to false allow use old token signature and is not recommended
-    // only use for migration reasons, major release will remove this property and
-    // set it by default
-    if (this.security?.enhancedLegacySignature === false) {
-      warningUtils.emit(Codes.VERWAR005);
-    }
+      // generate a new a secret key
+      // FUTURE: this might be an external secret key, perhaps within config file?
+      debug('generating a new secret key');
+      this.secret = generateRandomSecretKey();
+      debug('generated a new secret key length %s', this.secret?.length);
 
-    debug('generated a new secret key length %s', this.secret?.length);
-    return this.secret;
+      return this.secret;
+    }
   }
 }
 

packages/config/src/security.ts

@@ -13,6 +13,7 @@ const defaultWebTokenOptions: JWTOptions = {
 
 const defaultApiTokenConf: APITokenOptions = {
   legacy: true,
+  migrateToSecureLegacySignature: true,
 };
 
 export const defaultSecurity: Security = {

packages/config/src/token.ts

@@ -1,9 +1,11 @@
 import { randomBytes } from 'crypto';
 
+// TODO: code duplicated at @verdaccio/signature
 export const TOKEN_VALID_LENGTH = 32;
 
 /**
  * Secret key must have 32 characters.
+ * // TODO: code duplicated at @verdaccio/signature
  */
 export function generateRandomSecretKey(): string {
   return randomBytes(TOKEN_VALID_LENGTH).toString('base64').substring(0, TOKEN_VALID_LENGTH);

packages/config/test/config.spec.ts

@@ -6,9 +6,12 @@ import {
   DEFAULT_REGISTRY,
   DEFAULT_UPLINK,
   ROLES,
+  TOKEN_VALID_LENGTH,
   WEB_TITLE,
   defaultSecurity,
+  generateRandomSecretKey,
   getDefaultConfig,
+  isNodeVersionGreaterThan21,
   parseConfigFile,
 } from '../src';
 import { parseConfigurationFile } from './utils';
@@ -19,6 +22,8 @@ const resolveConf = (conf) => {
   return path.join(__dirname, `../src/conf/${name}${ext.startsWith('.') ? ext : '.yaml'}`);
 };
 
+const itif = (condition) => (condition ? it : it.skip);
+
 const checkDefaultUplink = (config) => {
   expect(_.isObject(config.uplinks[DEFAULT_UPLINK])).toBeTruthy();
   expect(config.uplinks[DEFAULT_UPLINK].url).toMatch(DEFAULT_REGISTRY);
@@ -94,32 +99,85 @@ describe('check basic content parsed file', () => {
 describe('checkSecretKey', () => {
   test('with default.yaml and pre selected secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(config.checkSecretKey('12345')).toEqual('12345');
+    expect(config.checkSecretKey(generateRandomSecretKey())).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
   test('with default.yaml and void secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
+    const secret = config.checkSecretKey();
+    expect(typeof secret === 'string').toBeTruthy();
+    expect(secret).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
-  test('with default.yaml and emtpy string secret', () => {
+  test('with default.yaml and empty string secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(typeof config.checkSecretKey('') === 'string').toBeTruthy();
+    const secret = config.checkSecretKey('');
+    expect(typeof secret === 'string').toBeTruthy();
+    expect(secret).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
-  test('with enhanced legacy signature', () => {
+  test('with default.yaml and valid string secret length', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    config.security.enhancedLegacySignature = true;
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
-    expect(config.secret.length).toBe(32);
+    expect(typeof config.checkSecretKey(generateRandomSecretKey()) === 'string').toBeTruthy();
   });
 
-  test('without enhanced legacy signature', () => {
-    const config = new Config(parseConfigFile(resolveConf('default')));
-    config.security.enhancedLegacySignature = false;
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
-    expect(config.secret.length).toBe(64);
+  test('with default.yaml migrate a valid string secret length', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: true,
+    });
+    expect(
+      // 64 characters secret long
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
   });
+
+  // only runs on Node.js 22 or higher
+  itif(isNodeVersionGreaterThan21())('with enhanced legacy signature Node 22 or higher', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: false,
+    });
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(() =>
+      // 64 characters secret long
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toThrow();
+  });
+
+  itif(isNodeVersionGreaterThan21())('with enhanced legacy signature Node 22 or higher', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: false,
+    });
+    config.security.api.migrateToSecureLegacySignature = true;
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
+  });
+
+  itif(isNodeVersionGreaterThan21() === false)(
+    'with old unsecure legacy signature Node 21 or lower',
+    () => {
+      const config = new Config(parseConfigFile(resolveConf('default')));
+      config.security.api.migrateToSecureLegacySignature = false;
+      // 64 characters secret long
+      // eslint-disable-next-line jest/no-standalone-expect
+      expect(
+        config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+      ).toHaveLength(64);
+    }
+  );
+
+  test('with migration to new legacy signature Node 21 or lower', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')));
+    config.security.api.migrateToSecureLegacySignature = true;
+    // 64 characters secret long
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
+  });
+
+  test.todo('test emit warning with secret key');
 });
 
 describe('getMatchedPackagesSpec', () => {

packages/core/core/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @verdaccio/core
 
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+## 7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ## 7.0.0-next-7.12

packages/core/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/core",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "core utilities",
   "keywords": [
     "private",
@@ -44,7 +44,7 @@
     "lodash": "4.17.21",
     "typedoc": "0.23.25",
     "typedoc-plugin-missing-exports": "latest",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/core/src/warning-utils.ts

@@ -9,17 +9,13 @@ export enum Codes {
   VERWAR002 = 'VERWAR002',
   VERWAR003 = 'VERWAR003',
   VERWAR004 = 'VERWAR004',
-  VERWAR005 = 'VERWAR005',
   // deprecation warnings
   VERDEP003 = 'VERDEP003',
   VERWAR006 = 'VERWAR006',
+  VERWAR007 = 'VERWAR007',
 }
 
-warningInstance.create(
-  verdaccioWarning,
-  Codes.VERWAR002,
-  `The configuration property "logs" has been deprecated, please rename to "log" for future compatibility`
-);
+/* general warnings */
 
 warningInstance.create(
   verdaccioWarning,
@@ -27,6 +23,12 @@ warningInstance.create(
   `Verdaccio doesn't need superuser privileges. don't run it under root`
 );
 
+warningInstance.create(
+  verdaccioWarning,
+  Codes.VERWAR002,
+  `The configuration property "logs" has been deprecated, please rename to "log" for future compatibility`
+);
+
 warningInstance.create(
   verdaccioWarning,
   Codes.VERWAR003,
@@ -42,23 +44,26 @@ https://verdaccio.org/docs/en/configuration#listen-port`
 );
 
 warningInstance.create(
-  verdaccioWarning,
-  Codes.VERWAR005,
-  'disable enhanced legacy signature is considered a security risk, please reconsider enable it'
+  verdaccioDeprecation,
+  Codes.VERWAR006,
+  'the auth plugin method "add_user" in the auth plugin is deprecated and will be removed in next major release, rename to "adduser"'
 );
 
+warningInstance.create(
+  verdaccioDeprecation,
+  Codes.VERWAR007,
+  `the secret length is too long, it must be 32 characters long, please consider generate a new one 
+  Learn more at https://verdaccio.org/docs/configuration/#.verdaccio-db`
+);
+
+/* deprecation warnings */
+
 warningInstance.create(
   verdaccioDeprecation,
   Codes.VERDEP003,
   'multiple addresses will be deprecated in the next major, only use one'
 );
 
-warningInstance.create(
-  verdaccioDeprecation,
-  Codes.VERWAR006,
-  'the auth plugin method "add_user" in the auth plugin is deprecated and will be removed in next major release, rename to "adduser"'
-);
-
 export function emit(code: string, a?: string, b?: string, c?: string) {
   warningInstance.emit(code, a, b, c);
 }

packages/core/file-locking/package.json

@@ -39,7 +39,7 @@
     "lockfile": "1.0.4"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/tarball/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- 7400830: revert #4600
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/url@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
+## 12.0.0-next-7.14
+
+### Patch Changes
+
+- 253cc13: feat: add tarball details for published packages
+- Updated dependencies [b0946b2]
+  - @verdaccio/url@12.0.0-next-7.14
+  - @verdaccio/core@7.0.0-next-7.14
+  - @verdaccio/utils@7.0.0-next-7.14
+
 ## 12.0.0-next-7.13
 
 ### Patch Changes

packages/core/tarball/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/tarball",
-  "version": "12.0.0-next-7.13",
+  "version": "12.0.0-next-7.15",
   "description": "tarball utilities resolver",
   "keywords": [
     "private",
@@ -24,7 +24,7 @@
   "repository": {
     "type": "https",
     "url": "https://github.com/verdaccio/verdaccio",
-    "directory": "packages/core/url-resolver"
+    "directory": "packages/core/tarball"
   },
   "bugs": {
     "url": "https://github.com/verdaccio/verdaccio/issues"
@@ -33,14 +33,14 @@
     "access": "public"
   },
   "dependencies": {
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/url": "workspace:12.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "debug": "4.3.4",
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/url": "workspace:12.0.0-next-7.13",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.13",
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "node-mocks-http": "1.14.1"
   },
   "scripts": {

packages/core/types/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log
 
+## 12.0.0-next-7.3
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
 ## 12.0.0-next.2
 
 ### Minor Changes

packages/core/types/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/types",
-  "version": "12.0.0-next.2",
+  "version": "12.0.0-next-7.3",
   "description": "verdaccio types definitions",
   "keywords": [
     "private",

packages/core/types/src/configuration.ts

@@ -182,11 +182,14 @@ export interface JWTVerifyOptions {
 
 export interface APITokenOptions {
   legacy: boolean;
+  /**
+   * Temporary flag to allow migration to the new legacy signature
+   */
+  migrateToSecureLegacySignature: boolean;
   jwt?: JWTOptions;
 }
 
 export interface Security {
-  enhancedLegacySignature?: boolean;
   web: JWTOptions;
   api: APITokenOptions;
 }

packages/core/url/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
+## 12.0.0-next-7.14
+
+### Patch Changes
+
+- b0946b2: Improved TS types for renderHTML() and related functions (by @tobbe in #4605)
+  - @verdaccio/core@7.0.0-next-7.14
+
 ## 12.0.0-next-7.13
 
 ### Patch Changes

packages/core/url/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/url",
-  "version": "12.0.0-next-7.13",
+  "version": "12.0.0-next-7.15",
   "description": "url utilities resolver",
   "keywords": [
     "private",
@@ -33,13 +33,13 @@
     "access": "public"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "debug": "4.3.4",
     "lodash": "4.17.21",
     "validator": "13.11.0"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "node-mocks-http": "1.14.1"
   },
   "scripts": {

packages/core/url/src/index.ts

@@ -1,4 +1,5 @@
 import buildDebug from 'debug';
+import type { IncomingHttpHeaders } from 'node:http';
 import { URL } from 'url';
 import validator from 'validator';
 
@@ -31,7 +32,7 @@ export function isHost(url: string = '', options = {}): boolean {
 /**
  * Detect running protocol (http or https)
  */
-export function getWebProtocol(headerProtocol: string | void, protocol: string): string {
+export function getWebProtocol(headerProtocol: string | undefined, protocol: string): string {
   let returnProtocol;
   const [, defaultProtocol] = validProtocols;
   // HAProxy variant might return http,http with X-Forwarded-Proto
@@ -101,7 +102,7 @@ export type RequestOptions = {
   /**
    * Request headers.
    */
-  headers: { [key: string]: string };
+  headers: IncomingHttpHeaders;
   remoteAddress?: string;
   /**
    * Logged username the request, usually after token verification.
@@ -119,10 +120,13 @@ export function getPublicUrl(url_prefix: string = '', requestOptions: RequestOpt
     if (!isHost(host)) {
       throw new Error('invalid host');
     }
-    const protoHeader =
+
+    const protoHeader: string =
       process.env.VERDACCIO_FORWARDED_PROTO?.toLocaleLowerCase() ??
       HEADERS.FORWARDED_PROTO.toLowerCase();
-    const protocol = getWebProtocol(requestOptions.headers[protoHeader], requestOptions.protocol);
+    const forwardedProtocolHeaderValue = requestOptions.headers[protoHeader] as string | undefined;
+
+    const protocol = getWebProtocol(forwardedProtocolHeaderValue, requestOptions.protocol);
     const combinedUrl = combineBaseUrl(protocol, host, url_prefix);
     debug('public url by request %o', combinedUrl);
     return combinedUrl;

packages/hooks/CHANGELOG.md

@@ -1,5 +1,20 @@
 # @verdaccio/hooks
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.14
+- @verdaccio/logger@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/hooks/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/hooks",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -29,17 +29,17 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
     "core-js": "3.35.0",
     "debug": "4.3.4",
     "got-cjs": "12.5.4",
     "handlebars": "4.7.8"
   },
   "devDependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.13",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "nock": "13.5.1"
   },
   "scripts": {

packages/loaders/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @verdaccio/loaders
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/loaders/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/loaders",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -13,14 +13,14 @@
     "url": "https://github.com/verdaccio/verdaccio"
   },
   "dependencies": {
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
     "debug": "4.3.4",
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "@verdaccio-scope/verdaccio-auth-foo": "0.0.2",
     "verdaccio-auth-memory": "workspace:*",
     "customprefix-auth": "2.0.0-next.0"

packages/logger/logger-7/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @verdaccio/logger-7
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- @verdaccio/logger-commons@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/logger-commons@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/logger/logger-7/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger-7",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "logger for verdaccio 5.x version",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,11 +38,11 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/logger-commons": "workspace:7.0.0-next-7.13",
+    "@verdaccio/logger-commons": "workspace:7.0.0-next-7.15",
     "pino": "7.11.0"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/logger/logger-commons/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @verdaccio/logger-commons
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/logger/logger-commons/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger-commons",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,14 +38,14 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "@verdaccio/logger-prettify": "workspace:7.0.0-next-7.2",
     "debug": "4.3.4",
     "colorette": "2.0.20"
   },
   "devDependencies": {
     "pino": "7.11.0",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/logger/logger/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @verdaccio/logger
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- @verdaccio/logger-commons@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/logger-commons@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/logger/logger/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,11 +38,11 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/logger-commons": "workspace:7.0.0-next-7.13",
+    "@verdaccio/logger-commons": "workspace:7.0.0-next-7.15",
     "pino": "8.17.2"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/middleware/CHANGELOG.md

@@ -1,5 +1,26 @@
 # @verdaccio/middleware
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/url@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- b0946b2: Improved TS types for renderHTML() and related functions (by @tobbe in #4605)
+- Updated dependencies [b0946b2]
+  - @verdaccio/url@12.0.0-next-7.14
+  - @verdaccio/core@7.0.0-next-7.14
+  - @verdaccio/config@7.0.0-next-7.14
+  - @verdaccio/utils@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/middleware/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/middleware",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "express middleware utils",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,10 +38,10 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.13",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/url": "workspace:12.0.0-next-7.13",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/url": "workspace:12.0.0-next-7.15",
     "debug": "4.3.4",
     "lru-cache": "7.18.3",
     "express": "4.18.3",
@@ -54,7 +54,7 @@
     "url": "https://opencollective.com/verdaccio"
   },
   "devDependencies": {
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
     "body-parser": "1.20.2",
     "supertest": "6.3.4"
   }

packages/middleware/src/middlewares/web/utils/renderHTML.ts

@@ -1,4 +1,5 @@
 import buildDebug from 'debug';
+import type { Response } from 'express';
 import LRU from 'lru-cache';
 import path from 'path';
 import { URL } from 'url';
@@ -6,10 +7,12 @@ import { URL } from 'url';
 import { WEB_TITLE } from '@verdaccio/config';
 import { HEADERS } from '@verdaccio/core';
 import { ConfigYaml, TemplateUIOptions } from '@verdaccio/types';
-import { isURLhasValidProtocol } from '@verdaccio/url';
-import { getPublicUrl } from '@verdaccio/url';
+import type { RequestOptions } from '@verdaccio/url';
+import { getPublicUrl, isURLhasValidProtocol } from '@verdaccio/url';
 
+import type { Manifest } from './manifest';
 import renderTemplate from './template';
+import type { WebpackManifest } from './template';
 import { hasLogin, validatePrimaryColor } from './web-utils';
 
 const DEFAULT_LANGUAGE = 'es-US';
@@ -17,19 +20,20 @@ const cache = new LRU({ max: 500, ttl: 1000 * 60 * 60 });
 
 const debug = buildDebug('verdaccio:web:render');
 
-const defaultManifestFiles = {
+const defaultManifestFiles: Manifest = {
   js: ['runtime.js', 'vendors.js', 'main.js'],
   ico: 'favicon.ico',
+  css: [],
 };
 
-export function resolveLogo(config: ConfigYaml, req) {
+export function resolveLogo(config: ConfigYaml, requestOptions: RequestOptions) {
   if (typeof config?.web?.logo !== 'string') {
     return '';
   }
   const isLocalFile = config?.web?.logo && !isURLhasValidProtocol(config?.web?.logo);
 
   if (isLocalFile) {
-    return `${getPublicUrl(config?.url_prefix, req)}-/static/${path.basename(config?.web?.logo)}`;
+    return `${getPublicUrl(config?.url_prefix, requestOptions)}-/static/${path.basename(config?.web?.logo)}`;
   } else if (isURLhasValidProtocol(config?.web?.logo)) {
     return config?.web?.logo;
   } else {
@@ -37,9 +41,15 @@ export function resolveLogo(config: ConfigYaml, req) {
   }
 }
 
-export default function renderHTML(config: ConfigYaml, manifest, manifestFiles, req, res) {
+export default function renderHTML(
+  config: ConfigYaml,
+  manifest: WebpackManifest,
+  manifestFiles: Manifest | null | undefined,
+  requestOptions: RequestOptions,
+  res: Response
+) {
   const { url_prefix } = config;
-  const base = getPublicUrl(config?.url_prefix, req);
+  const base = getPublicUrl(config?.url_prefix, requestOptions);
   const basename = new URL(base).pathname;
   const language = config?.i18n?.web ?? DEFAULT_LANGUAGE;
   const hideDeprecatedVersions = config?.web?.hideDeprecatedVersions ?? false;
@@ -51,7 +61,7 @@ export default function renderHTML(config: ConfigYaml, manifest, manifestFiles,
   const title = config?.web?.title ?? WEB_TITLE;
   const login = hasLogin(config);
   const scope = config?.web?.scope ?? '';
-  const logo = resolveLogo(config, req);
+  const logo = resolveLogo(config, requestOptions);
   const pkgManagers = config?.web?.pkgManagers ?? ['yarn', 'pnpm', 'npm'];
   const version = res.locals.app_version ?? '';
   const flags = {

packages/node-api/CHANGELOG.md

@@ -1,5 +1,30 @@
 # @verdaccio/node-api
 
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/server-fastify@7.0.0-next-7.15
+  - @verdaccio/server@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/server@7.0.0-next-7.14
+- @verdaccio/server-fastify@7.0.0-next-7.14
+- @verdaccio/core@7.0.0-next-7.14
+- @verdaccio/config@7.0.0-next-7.14
+- @verdaccio/logger@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/node-api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/node-api",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "node API",
   "main": "build/index.js",
   "types": "build/index.d.ts",
@@ -38,17 +38,17 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
-    "@verdaccio/server": "workspace:7.0.0-next-7.13",
-    "@verdaccio/server-fastify": "workspace:7.0.0-next-7.13",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/server": "workspace:7.0.0-next-7.15",
+    "@verdaccio/server-fastify": "workspace:7.0.0-next-7.15",
     "core-js": "3.35.0",
     "debug": "4.3.4",
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "jest": "29.7.0",
     "selfsigned": "2.4.1",
     "supertest": "6.3.4"

packages/node-api/test/run-server.spec.ts

@@ -15,7 +15,6 @@ describe('startServer via API', () => {
   });
 
   test('should fail on start with null as entry', async () => {
-    // @ts-expect-error
     await expect(runServer(null)).rejects.toThrow();
   });
 });

packages/plugins/audit/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+
+## 12.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.14
+- @verdaccio/config@7.0.0-next-7.14
+
 ## 12.0.0-next-7.13
 
 ### Patch Changes

packages/plugins/audit/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-audit",
-  "version": "12.0.0-next-7.13",
+  "version": "12.0.0-next-7.15",
   "description": "Verdaccio Middleware plugin to bypass npmjs audit",
   "keywords": [
     "private",
@@ -30,16 +30,16 @@
     "node": ">=12"
   },
   "dependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "express": "4.18.3",
     "https-proxy-agent": "5.0.1",
     "node-fetch": "cjs"
   },
   "devDependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.13",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "nock": "13.5.1",
     "supertest": "6.3.4"
   },

packages/plugins/auth-memory/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
+## 12.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.14
+
 ## 12.0.0-next-7.13
 
 ### Patch Changes

packages/plugins/auth-memory/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-auth-memory",
-  "version": "12.0.0-next-7.13",
+  "version": "12.0.0-next-7.15",
   "description": "Auth plugin for Verdaccio that keeps users in memory",
   "keywords": [
     "private",
@@ -30,13 +30,13 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "debug": "4.3.4"
   },
   "devDependencies": {
     "@types/debug": "^4.1.12",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/plugins/htpasswd/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/file-locking@12.0.0-next.1
+
+## 12.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.14
+
 ## 12.0.0-next-7.13
 
 ### Patch Changes

packages/plugins/htpasswd/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-htpasswd",
-  "version": "12.0.0-next-7.13",
+  "version": "12.0.0-next-7.15",
   "description": "htpasswd auth plugin for Verdaccio",
   "keywords": [
     "private",
@@ -33,7 +33,7 @@
     "node": ">=12"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "@verdaccio/file-locking": "workspace:12.0.0-next.1",
     "apache-md5": "1.1.8",
     "bcryptjs": "2.4.3",
@@ -44,9 +44,9 @@
   },
   "devDependencies": {
     "@types/bcryptjs": "2.4.6",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
     "mockdate": "3.0.5"
   },
   "scripts": {

packages/plugins/local-storage/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/file-locking@12.0.0-next.1
+  - @verdaccio/utils@7.0.0-next-7.15
+
+## 12.0.0-next-7.14
+
+### Patch Changes
+
+- 4ac3aea: chore: reduce log to info if database is not found
+- 1bae121: fix: error when writing tarball (missing folder)
+  - @verdaccio/core@7.0.0-next-7.14
+  - @verdaccio/utils@7.0.0-next-7.14
+
 ## 12.0.0-next-7.13
 
 ### Patch Changes

packages/plugins/local-storage/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/local-storage",
-  "version": "12.0.0-next-7.13",
+  "version": "12.0.0-next-7.15",
   "description": "Local storage implementation",
   "keywords": [
     "private",
@@ -36,9 +36,9 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "@verdaccio/file-locking": "workspace:12.0.0-next.1",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.13",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "core-js": "3.35.0",
     "debug": "4.3.4",
     "globby": "11.1.0",
@@ -50,10 +50,10 @@
   },
   "devDependencies": {
     "@types/minimatch": "5.1.2",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "minimatch": "9.0.3"
   },
   "scripts": {

packages/plugins/local-storage/src/local-database.ts

@@ -287,7 +287,7 @@ class LocalDatabase extends pluginUtils.Plugin<{}> implements Storage {
     } catch (err: any) {
       // readFileSync is platform specific, macOS, Linux and Windows thrown an error
       // Only recreate if file not found to prevent data loss
-      this.logger.warn(
+      this.logger.info(
         { path: this.path },
         'no private database found, recreating new one on @{path}'
       );

packages/plugins/local-storage/src/local-fs.ts

@@ -237,6 +237,7 @@ export default class LocalFS implements ILocalFSPackageManager {
   public async writeTarball(fileName: string, { signal }): Promise<Writable> {
     debug('write a tarball %o', fileName);
     const pathName: string = this._getStorage(fileName);
+    await this.checkCreateFolder(pathName);
     // create a temporary file to avoid conflicts or prev corruption files
     const temporalName = path.join(
       this.path,
@@ -352,8 +353,8 @@ export default class LocalFS implements ILocalFSPackageManager {
   private async writeTempFileAndRename(dest: string, fileContent: string): Promise<any> {
     const tempFilePath = tempFile(dest);
     try {
-      // write file on temp locatio
-      // TODO: we need to handle when directory does not exist
+      // write file on temp location
+      await this.checkCreateFolder(tempFilePath);
       await writeFilePromise(tempFilePath, fileContent);
       debug('creating a new file:: %o', dest);
       // rename tmp file to original
@@ -370,10 +371,7 @@ export default class LocalFS implements ILocalFSPackageManager {
       debug('write file success %s', destiny);
     } catch (err: any) {
       if (err && err.code === noSuchFile) {
-        const dir = path.dirname(destiny);
-        // if fails, we create the folder for the package
-        debug('write file has failed, creating folder %s', dir);
-        await mkdirPromise(dir, { recursive: true });
+        await this.checkCreateFolder(destiny);
         // we try again create the temp file
         debug('writing a temp file %s', destiny);
         await this.writeTempFileAndRename(destiny, fileContent);
@@ -385,6 +383,23 @@ export default class LocalFS implements ILocalFSPackageManager {
     }
   }
 
+  private async checkCreateFolder(pathName: string): Promise<void> {
+    // Check if folder exists and create it if not
+    const dir = path.dirname(pathName);
+    try {
+      await accessPromise(dir);
+    } catch (err: any) {
+      if (err.code === noSuchFile) {
+        debug('folder does not exist %o', dir);
+        await mkdirPromise(dir, { recursive: true });
+        debug('folder %o created', dir);
+      } else {
+        debug('error on check folder %o', dir);
+        throw err;
+      }
+    }
+  }
+
   private async _lockAndReadJSON(name: string): Promise<Manifest> {
     const fileName: string = this._getStorage(name);
     debug('lock and read a file %o', fileName);

packages/plugins/local-storage/tests/local-fs.test.ts

@@ -93,6 +93,21 @@ describe('Local FS test', () => {
     });
   });
 
+  describe('writeTarballNextNoFolder', () => {
+    test('should write a tarball even if folder does not exist', (done) => {
+      const abort = new AbortController();
+      const tmp = path.join(localTempStorage, 'local-fs-write-tarball-new-folder');
+      const localFs = new LocalDriver(tmp, logger);
+      const readableStream = Readable.from('foooo');
+      localFs.writeTarball('juan-1.0.0.tgz', { signal: abort.signal }).then((stream) => {
+        stream.on('finish', () => {
+          done();
+        });
+        readableStream.pipe(stream);
+      });
+    });
+  });
+
   describe('readTarballNext', () => {
     test('should read a tarball', (done) => {
       const abort = new AbortController();

packages/plugins/memory/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
+## 12.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.14
+
 ## 12.0.0-next-7.13
 
 ### Patch Changes

packages/plugins/memory/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-memory",
-  "version": "12.0.0-next-7.13",
+  "version": "12.0.0-next-7.15",
   "description": "Storage implementation in memory",
   "keywords": [
     "private",
@@ -30,15 +30,15 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "memory-fs": "0.5.0",
     "debug": "4.3.4",
     "memfs": "3.5.3"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/plugins/ui-theme/CHANGELOG.md

@@ -1,5 +1,9 @@
 # @verdaccio/ui-theme
 
+## 7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/plugins/ui-theme/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/ui-theme",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "Verdaccio User Interface",
   "author": {
     "name": "Verdaccio Contributors",
@@ -27,7 +27,7 @@
     "@testing-library/dom": "9.3.4",
     "@testing-library/jest-dom": "6.3.0",
     "@testing-library/react": "14.1.2",
-    "@verdaccio/node-api": "workspace:7.0.0-next-7.13",
+    "@verdaccio/node-api": "workspace:7.0.0-next-7.15",
     "@verdaccio/types": "workspace:*",
     "@verdaccio/ui-components": "workspace:3.0.0-next-7.6",
     "babel-loader": "8.3.0",
@@ -47,7 +47,7 @@
     "js-yaml": "4.1.0",
     "localstorage-memory": "1.0.3",
     "lodash": "4.17.21",
-    "marked": "11.1.1",
+    "marked": "11.2.0",
     "mini-css-extract-plugin": "2.7.7",
     "msw": "0.49.3",
     "mutationobserver-shim": "0.3.7",

packages/plugins/ui-theme/src/components/Contributors/generated_contributors_list.json

@@ -35,14 +35,14 @@
     "username": "dianmorales",
     "id": 558740
   },
-  {
-    "username": "anikethsaha",
-    "id": 26347874
-  },
   {
     "username": "mbtools",
     "id": 59966492
   },
+  {
+    "username": "anikethsaha",
+    "id": 26347874
+  },
   {
     "username": "kgrubb",
     "id": 8471701
@@ -435,14 +435,14 @@
     "username": "marnel",
     "id": 3189424
   },
-  {
-    "username": "MasterOdin",
-    "id": 1845314
-  },
   {
     "username": "kba",
     "id": 273367
   },
+  {
+    "username": "MasterOdin",
+    "id": 1845314
+  },
   {
     "username": "aledbf",
     "id": 161571
@@ -563,6 +563,10 @@
     "username": "todpunk",
     "id": 1166358
   },
+  {
+    "username": "fhp",
+    "id": 374671
+  },
   {
     "username": "simon-lorenz",
     "id": 34041551
@@ -591,14 +595,6 @@
     "username": "rostislav-simonik",
     "id": 25525736
   },
-  {
-    "username": "hedocode",
-    "id": 22884999
-  },
-  {
-    "username": "fhp",
-    "id": 374671
-  },
   {
     "username": "stephanebachelier",
     "id": 172615
@@ -635,6 +631,10 @@
     "username": "Tiny-Fendy",
     "id": 8954107
   },
+  {
+    "username": "Tobbe",
+    "id": 30793
+  },
   {
     "username": "oltodo",
     "id": 483842
@@ -699,6 +699,10 @@
     "username": "RodrigoBalest",
     "id": 4810463
   },
+  {
+    "username": "tomcoonen",
+    "id": 988013
+  },
   {
     "username": "iketiunn",
     "id": 10249208
@@ -779,10 +783,6 @@
     "username": "melodyVoid",
     "id": 26846212
   },
-  {
-    "username": "tomcoonen",
-    "id": 988013
-  },
   {
     "username": "grrowl",
     "id": 907140
@@ -867,6 +867,10 @@
     "username": "dasmikko",
     "id": 4254869
   },
+  {
+    "username": "divdavem",
+    "id": 1152706
+  },
   {
     "username": "iambrandonn",
     "id": 1644549
@@ -944,8 +948,12 @@
     "id": 20465797
   },
   {
-    "username": "einfallstoll",
-    "id": 619048
+    "username": "Joon",
+    "id": 94231
+  },
+  {
+    "username": "hedocode",
+    "id": 22884999
   },
   {
     "username": "itsabdelrahman",
@@ -1007,6 +1015,10 @@
     "username": "hafffe",
     "id": 3322693
   },
+  {
+    "username": "sethidden",
+    "id": 5359825
+  },
   {
     "username": "BarthV",
     "id": 1901955
@@ -1099,6 +1111,10 @@
     "username": "morrain",
     "id": 9381634
   },
+  {
+    "username": "einfallstoll",
+    "id": 619048
+  },
   {
     "username": "felipeplets",
     "id": 119980
@@ -1135,6 +1151,10 @@
     "username": "inyong37",
     "id": 20737479
   },
+  {
+    "username": "ItamarGronich",
+    "id": 14963977
+  },
   {
     "username": "jrussellsmyth",
     "id": 2998207
@@ -1171,10 +1191,6 @@
     "username": "jondlm",
     "id": 3290587
   },
-  {
-    "username": "Joon",
-    "id": 94231
-  },
   {
     "username": "notsag",
     "id": 674589

packages/proxy/CHANGELOG.md

@@ -1,5 +1,22 @@
 # @verdaccio/proxy
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.14
+- @verdaccio/config@7.0.0-next-7.14
+- @verdaccio/utils@7.0.0-next-7.14
+
 ## 7.0.0-next-7.13
 
 ### Patch Changes

packages/proxy/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/proxy",
-  "version": "7.0.0-next-7.13",
+  "version": "7.0.0-next-7.15",
   "description": "verdaccio proxy fetcher",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,9 +38,9 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.13",
-    "@verdaccio/core": "workspace:7.0.0-next-7.13",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.13",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "JSONStream": "1.3.5",
     "debug": "4.3.4",
     "got-cjs": "12.5.4",
@@ -48,8 +48,8 @@
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/logger": "workspace:7.0.0-next-7.13",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "get-stream": "^6.0.1",
     "nock": "13.5.1",
     "node-mocks-http": "1.14.1",

packages/search-indexer/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @verdaccio/search-indexer
 
+## 7.0.0-next-7.2
+
+### Patch Changes
+
+- 542f9d3: fix: remove node engine restriction
+
 ## 7.0.0-next-7.1
 
 ### Patch Changes

packages/search-indexer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/search-indexer",
-  "version": "7.0.0-next-7.1",
+  "version": "7.0.0-next-7.2",
   "description": "verdaccio search indexer",
   "main": "./build/dist.js",
   "types": "build/index.d.ts",
@@ -26,7 +26,7 @@
     "verdaccio"
   ],
   "engines": {
-    "node": ">=18"
+    "node": ">=12"
   },
   "scripts": {
     "clean": "rimraf ./build",
@@ -37,7 +37,7 @@
     "build": "esbuild src/index.ts --bundle --outfile=build/dist.js --platform=node --target=node12  && pnpm run build:types"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "@orama/orama": "1.2.4",
     "debug": "4.3.4",
     "esbuild": "0.14.10"

packages/search/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @verdaccio/search
 
+## 7.0.0-next-7.4
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/proxy@7.0.0-next-7.15
+
+## 7.0.0-next-7.3
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.14
+- @verdaccio/config@7.0.0-next-7.14
+- @verdaccio/proxy@7.0.0-next-7.14
+- @verdaccio/logger@7.0.0-next-7.14
+
 ## 7.0.0-next-7.2
 
 ### Patch Changes