chore: update versions (next-7) (#4658)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.changeset/big-cameras-invent.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/store': patch
+---
+
+chore: fix types for some store tests

.changeset/dry-shoes-report.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/logger-commons': patch
+'@verdaccio/logger-prettify': patch
+---
+
+fix: log spacing depending on the FORMAT and COLORS options

.changeset/eight-icons-heal.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/tarball': patch
+'@verdaccio/store': patch
+---
+
+feat: add tarball details for published packages

.changeset/poor-seals-turn.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/tarball': patch
+'@verdaccio/store': patch
+---
+
+revert #4600

.changeset/pre.json

@@ -61,8 +61,11 @@
   },
   "changesets": [
     "angry-trees-tie",
+    "big-cameras-invent",
     "breezy-mayflies-pull",
     "chilled-carrots-guess",
+    "dry-shoes-report",
+    "eight-icons-heal",
     "eight-squids-judge",
     "eighty-lobsters-study",
     "good-cups-train",
@@ -74,6 +77,7 @@
     "perfect-chairs-act",
     "pink-apples-nail",
     "pink-balloons-leave",
+    "poor-seals-turn",
     "quick-buses-scream",
     "real-socks-vanish",
     "sharp-wolves-carry",
@@ -84,9 +88,11 @@
     "slow-wasps-glow",
     "spicy-birds-flow",
     "strange-points-repair",
+    "stupid-dancers-relate",
     "thirty-toes-swim",
     "unlucky-cycles-sparkle",
     "weak-fans-explain",
+    "wet-balloons-give",
     "wicked-kiwis-check",
     "wicked-worms-wash",
     "wild-otters-talk",

.changeset/stupid-dancers-relate.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/url': patch
+---
+
+patch(core/url): Throw if VERDACCIO_FORWARDED_PROTO resolves to an array (#4613 by @Tobbe)

.changeset/wet-balloons-give.md

@@ -0,0 +1,10 @@
+---
+'@verdaccio/types': minor
+'@verdaccio/core': minor
+'@verdaccio/signature': minor
+'@verdaccio/node-api': minor
+'@verdaccio/config': minor
+'@verdaccio/auth': minor
+---
+
+feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property

.github/dependabot.yml

@@ -8,18 +8,11 @@ updates:
   # Maintain dependencies for GitHub Actions
   - package-ecosystem: 'github-actions'
     directory: '/'
-    schedule:
-      interval: 'weekly'
-
-  # Maintain dependencies for npm
-  - package-ecosystem: 'npm'
-    directory: '/'
-    schedule:
-      interval: 'daily'
-    allow:
-      - dependency-name: '@verdaccio/*'
-      - dependency-name: 'verdaccio-*'
+    open-pull-requests-limit: 1
+    prefix: "[github-actions] "
     assignees:
-      - 'verdacciobot'
+      - 'verdacciobot'    
+    schedule:
+      interval: 'monthly'
     labels:
       - 'bot: dependencies'

.github/workflows/changesets.yml

@@ -20,7 +20,7 @@ jobs:
     if: github.ref == 'refs/heads/master' && github.repository == 'verdaccio/verdaccio'
     steps:
       - name: checkout code repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
         with:
           fetch-depth: 0
 

.github/workflows/ci-windows.yml

@@ -18,7 +18,7 @@ jobs:
         env:
           NODE_ENV: production          
     steps:
-    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
     - name: Node
       uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
       with:
@@ -32,7 +32,7 @@ jobs:
     - name: Install
       run: pnpm install --registry http://localhost:4873
     - name: Cache .pnpm-store
-      uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
       with:
         path: ~/.pnpm-store
         key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -43,14 +43,14 @@ jobs:
     name: Lint
     needs: prepare
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -67,14 +67,14 @@ jobs:
     name: Format
     needs: prepare
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -96,14 +96,14 @@ jobs:
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node ${{ matrix.node_version }}
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node_version }}
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -122,13 +122,13 @@ jobs:
     runs-on: windows-latest
     name: UI Test E2E
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/workflows/ci.yml

@@ -30,7 +30,7 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -46,7 +46,7 @@ jobs:
       - name: Install
         run: pnpm install  --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -57,7 +57,7 @@ jobs:
     name: Lint
     needs: prepare
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -66,7 +66,7 @@ jobs:
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -82,7 +82,7 @@ jobs:
     name: Format
     needs: prepare
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -91,7 +91,7 @@ jobs:
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -108,11 +108,11 @@ jobs:
       fail-fast: true
       matrix:
         os: [ubuntu-latest]
-        node_version: [18, 20, 21]
+        node_version: [18, 20, 21, 22]
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node ${{ matrix.node_version }}
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -121,7 +121,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -140,7 +140,7 @@ jobs:
     name: synchronize translations
     if: (github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'verdaccio/verdaccio') || github.event_name == 'workflow_dispatch'
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
@@ -148,7 +148,7 @@ jobs:
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/workflows/codeql-analysis.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
         with:
           # We must fetch at least the immediate parents so that if this is
           # a pull request then we can checkout the head.
@@ -34,7 +34,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c7f9125735019aa87cfc361530512d50ea439c71 # v2
+        uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f # v2
 
       # Override language selection by uncommenting this and choosing your languages
       # with:
@@ -42,7 +42,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@c7f9125735019aa87cfc361530512d50ea439c71 # v2
+        uses: github/codeql-action/autobuild@f079b8493333aace61c81488f8bd40919487bd9f # v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -56,4 +56,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c7f9125735019aa87cfc361530512d50ea439c71 # v2
+        uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f # v2

.github/workflows/docker-proxy-apache-e2e.yml

@@ -16,7 +16,7 @@ jobs:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       
     - name: Start containers
       run: docker-compose -f "./e2e/docker/apache-verdaccio/docker-compose.yaml" up -d --build

.github/workflows/docker-proxy-nginx-e2e.yml

@@ -13,7 +13,7 @@ jobs:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       
     - name: Start containers
       run: docker-compose -f "./e2e/docker/proxy-nginx/docker-compose.yaml" up -d --build

.github/workflows/docker-publish.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'verdaccio/verdaccio'
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # tag=v1
       - uses: docker/setup-buildx-action@v1
         with:

.github/workflows/e2e-ci.yml

@@ -18,7 +18,7 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -34,7 +34,7 @@ jobs:
       - name: Install
         run: pnpm install --reporter=silence --ignore-scripts --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -44,7 +44,7 @@ jobs:
     needs: [prepare]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node 16
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -53,7 +53,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -65,7 +65,7 @@ jobs:
       - name: build
         run: pnpm build
       - name: Cache packages
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         id: cache-packages
         with:
           path: ./packages/
@@ -97,7 +97,7 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
@@ -105,7 +105,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -114,7 +114,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -141,7 +141,7 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
@@ -149,7 +149,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -158,7 +158,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --loglevel debug --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -186,7 +186,7 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
@@ -194,7 +194,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -203,7 +203,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}

.github/workflows/e2e-ui.yml

@@ -18,7 +18,7 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:

.github/workflows/static-data.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'verdaccio/verdaccio'
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
         with:
           persist-credentials: false
           fetch-depth: 0

.github/workflows/ui-components.yml

@@ -23,7 +23,7 @@ jobs:
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
 
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
@@ -31,7 +31,7 @@ jobs:
           node-version-file: '.nvmrc'
 
       - name: Cache pnpm modules
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         env:
           cache-name: cache-pnpm-modules
         with:

.github/workflows/website.yml

@@ -2,8 +2,6 @@ name: Verdaccio Website CI
 
 on:
   workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * *' 
 
 permissions:
   contents: read  #  to fetch code (actions/checkout)
@@ -28,7 +26,7 @@ jobs:
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
 
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
@@ -45,7 +43,7 @@ jobs:
       - name: Install
         run: pnpm install  --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -56,7 +54,7 @@ jobs:
       - name: Build Translations percentage
         run: pnpm --filter @verdaccio/crowdin-translations build
       - name: Cache Docusaurus Build
-        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: website/node_modules/.cache/webpack
           key: cache/webpack-${{github.ref}}-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -69,6 +67,7 @@ jobs:
           CONTEXT: production
         run: pnpm --filter @verdaccio/website netlify:build
       - name: Deploy to Netlify
+        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
         env:
           NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}

docs/env.variables.md

@@ -5,12 +5,13 @@ internal features.
 
 #### VERDACCIO_LEGACY_ALGORITHM
 
-Allows to define the specific algorithm for the token
-signature which by default is `aes-256-ctr`
+Allows to define the specific algorithm for the token signature which by default is `aes-256-ctr`. The algorithm must be supported by `crypto.createCipheriv` and `crypto.createDecipheriv`.
+Read more here: https://nodejs.org/api/crypto.html#crypto_crypto_createcipheriv_algorithm_key_iv_options
 
 #### VERDACCIO_LEGACY_ENCRYPTION_KEY
 
-By default, the token stores in the database, but using this variable allows to get it from memory
+By default, the token stores in the database, but using this variable allows to get it from memory, the length must be 32 characters otherwise will throw an error.
+Read more here: https://nodejs.org/api/crypto.html#crypto_crypto_createcipheriv_algorithm_key_iv_options
 
 #### VERDACCIO_PUBLIC_URL
 

docs/migration-v5-to-v6.md

@@ -1,14 +1,14 @@
-# Migration guide from Verdaccio 5 to Verdaccio 6
+# Migration Guide from Verdaccio 5 to Verdaccio 6
 
 Notes regarding breaking changes for next major release.
 
-> This list might growth over the development.
+> This list might growth over the course of development.
 
-## Breaking changes
+## Breaking Changes
 
 ### New node-api interface [#2165](https://github.com/verdaccio/verdaccio/pull/2165)
 
-If you are using the node-api, the new structure is Promise based and less arguments.
+If you are using the `node-api`, the new structure is Promise based and less arguments.
 
 ```js
 import { runServer } from '@verdaccio/node-api';
@@ -22,7 +22,7 @@ app.listen(4000, (event) => {
 });
 ```
 
-### allow other password hashing algorithms [#1917](https://github.com/verdaccio/verdaccio/pull/1917)
+### Allow other password hashing algorithms [#1917](https://github.com/verdaccio/verdaccio/pull/1917)
 
 The current implementation of the `htpasswd` module supports multiple hash formats on verify, but only `crypt` on sign in.
 `crypt` is an insecure old format, so to improve the security of the new `verdaccio` release we introduce the support of multiple hash algorithms on sign in step.
@@ -53,21 +53,28 @@ htpasswd:
 
 - The `experiments` configuration is renamed to `flags`. The functionality is exactly the same.
 
-```js
-flags: token: false;
-search: false;
+```yaml
+flags:
+  token: false;
+  search: false;
 ```
 
 - The `self_path` property from the config file is being removed in favor of `config_file` full path.
 - Refactor `config` module, better types and utilities
 
-### legacy token signature by removing crypto.createDecipher is deprecated [#1953](https://github.com/verdaccio/verdaccio/pull/1953)
+### Legacy token signature by removing crypto.createDecipher is deprecated [#1953](https://github.com/verdaccio/verdaccio/pull/1953)
 
 - Replace signature handler for legacy tokens by removing deprecated crypto.createDecipher by createCipheriv
 - **The new signature invalidates all previous tokens generated by Verdaccio 5 or previous versions**.
 - The secret key must have 32 characters long
   > Remediation, update `.verdaccio-db.json` secret field with a secret key with 32 characters.
 
+### Legacy token secret length
+
+If the migration to v6 include an update to node 22 or higher, be aware that token secrets with a length other than 32 are not
+supported anymore. A new secret will be generated. See [docs](https://verdaccio.org/docs/6.x/configuration#legacy-token-signature)
+for more details.
+
 #### New environment variables
 
 Introduce environment variables for legacy tokens.

e2e/cli/cli-commons/package.json

@@ -5,16 +5,16 @@
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
   "devDependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "debug": "4.3.4",
     "fs-extra": "11.2.0",
     "get-port": "5.1.1",
     "got": "11.8.6",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",
-    "verdaccio": "workspace:7.0.0-next-7.14"
+    "verdaccio": "workspace:7.0.0-next-7.16"
   },
   "scripts": {
     "test": "jest",

e2e/ui/package.json

@@ -3,9 +3,9 @@
   "name": "@verdaccio/e2e-ui",
   "version": "2.0.0",
   "devDependencies": {
-    "verdaccio": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
+    "verdaccio": "workspace:7.0.0-next-7.16",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
     "debug": "4.3.4",
     "cypress": "^13.6.0",

packages/api/CHANGELOG.md

@@ -1,5 +1,33 @@
 # @verdaccio/api
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- Updated dependencies [e5624e1]
+- Updated dependencies [5bfab62]
+  - @verdaccio/store@7.0.0-next-7.16
+  - @verdaccio/logger@7.0.0-next-7.16
+  - @verdaccio/middleware@7.0.0-next-7.16
+  - @verdaccio/auth@7.0.0-next-7.16
+  - @verdaccio/core@7.0.0-next-7.16
+  - @verdaccio/config@7.0.0-next-7.16
+  - @verdaccio/utils@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [7400830]
+- Updated dependencies [bd8703e]
+  - @verdaccio/store@7.0.0-next-7.15
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/auth@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/middleware@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/api",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,25 +38,25 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.14",
-    "@verdaccio/store": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.16",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.16",
+    "@verdaccio/store": "workspace:7.0.0-next-7.16",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.16",
     "abortcontroller-polyfill": "1.7.5",
     "body-parser": "1.20.2",
     "cookies": "0.9.0",
     "debug": "4.3.4",
-    "express": "4.18.3",
+    "express": "4.19.2",
     "lodash": "4.17.21",
     "mime": "2.6.0",
     "semver": "7.6.0"
   },
   "devDependencies": {
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "mockdate": "3.0.5",
     "nock": "13.5.1",
     "supertest": "6.3.4"

packages/auth/CHANGELOG.md

@@ -1,5 +1,34 @@
 # @verdaccio/auth
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.16
+- @verdaccio/loaders@7.0.0-next-7.16
+- verdaccio-htpasswd@12.0.0-next-7.16
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/config@7.0.0-next-7.16
+- @verdaccio/utils@7.0.0-next-7.16
+- @verdaccio/signature@7.0.0-next-7.5
+
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/loaders@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - verdaccio-htpasswd@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/auth",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,21 +38,21 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/loaders": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/signature": "workspace:7.0.0-next-7.4",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/loaders": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
+    "@verdaccio/signature": "workspace:7.0.0-next-7.5",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.16",
     "debug": "4.3.4",
     "lodash": "4.17.21",
-    "verdaccio-htpasswd": "workspace:12.0.0-next-7.14"
+    "verdaccio-htpasswd": "workspace:12.0.0-next-7.16"
   },
   "devDependencies": {
-    "express": "4.18.3",
+    "express": "4.19.2",
     "supertest": "6.3.4",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.16",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/auth/src/auth.ts

@@ -13,7 +13,6 @@ import {
   pluginUtils,
   warningUtils,
 } from '@verdaccio/core';
-import '@verdaccio/core';
 import { asyncLoadPlugin } from '@verdaccio/loaders';
 import { logger } from '@verdaccio/logger';
 import {
@@ -21,6 +20,7 @@ import {
   aesEncryptDeprecated,
   parseBasicPayload,
   signPayload,
+  utils as signatureUtils,
 } from '@verdaccio/signature';
 import {
   AllowAccess,
@@ -481,14 +481,9 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     next: Function
   ): void {
     debug('handle legacy api middleware');
-    debug('api middleware secret %o', typeof secret === 'string');
+    debug('api middleware has a secret? %o', typeof secret === 'string');
     debug('api middleware authorization %o', typeof authorization === 'string');
-    const credentials: any = getMiddlewareCredentials(
-      security,
-      secret,
-      authorization,
-      this.config?.getEnhancedLegacySignature()
-    );
+    const credentials: any = getMiddlewareCredentials(security, secret, authorization);
     debug('api middleware credentials %o', credentials?.name);
     if (credentials) {
       const { user, password } = credentials;
@@ -588,13 +583,12 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
    * Encrypt a string.
    */
   public aesEncrypt(value: string): string | void {
-    // enhancedLegacySignature enables modern aes192 algorithm signature
-    if (this.config?.getEnhancedLegacySignature()) {
-      debug('signing with enhaced aes legacy');
+    if (this.secret.length === signatureUtils.TOKEN_VALID_LENGTH) {
+      debug('signing with enhanced aes legacy');
       const token = aesEncrypt(value, this.secret);
       return token;
     } else {
-      debug('signing with enhaced aes deprecated legacy');
+      debug('signing with enhanced aes deprecated legacy');
       // deprecated aes (legacy) signature, only must be used for legacy version
       const token = aesEncryptDeprecated(Buffer.from(value), this.secret).toString('base64');
       return token;

packages/auth/src/signature.ts

@@ -1,66 +0,0 @@
-import buildDebug from 'debug';
-import _ from 'lodash';
-
-import { TOKEN_BASIC, TOKEN_BEARER } from '@verdaccio/core';
-import { aesDecrypt, parseBasicPayload } from '@verdaccio/signature';
-import { Security } from '@verdaccio/types';
-
-import { AuthMiddlewarePayload } from './types';
-import {
-  convertPayloadToBase64,
-  isAESLegacy,
-  parseAuthTokenHeader,
-  verifyJWTPayload,
-} from './utils';
-
-const debug = buildDebug('verdaccio:auth:utils');
-
-export function parseAESCredentials(authorizationHeader: string, secret: string) {
-  debug('parseAESCredentials');
-  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
-
-  // basic is deprecated and should not be enforced
-  // basic is currently being used for functional test
-  if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
-    debug('legacy header basic');
-    const credentials = convertPayloadToBase64(token).toString();
-
-    return credentials;
-  } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
-    debug('legacy header bearer');
-    const credentials = aesDecrypt(token, secret);
-
-    return credentials;
-  }
-}
-
-export function getMiddlewareCredentials(
-  security: Security,
-  secretKey: string,
-  authorizationHeader: string
-): AuthMiddlewarePayload {
-  debug('getMiddlewareCredentials');
-  // comment out for debugging purposes
-  if (isAESLegacy(security)) {
-    debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey);
-    if (!credentials) {
-      debug('parse legacy credentials failed');
-      return;
-    }
-
-    const parsedCredentials = parseBasicPayload(credentials);
-    if (!parsedCredentials) {
-      debug('parse legacy basic payload credentials failed');
-      return;
-    }
-
-    return parsedCredentials;
-  }
-  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
-
-  debug('is jwt');
-  if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
-    return verifyJWTPayload(token, secretKey);
-  }
-}

packages/auth/src/utils.ts

@@ -40,12 +40,8 @@ export function parseAuthTokenHeader(authorizationHeader: string): AuthTokenHead
   return { scheme, token };
 }
 
-export function parseAESCredentials(
-  authorizationHeader: string,
-  secret: string,
-  enhanced: boolean
-) {
-  debug('parseAESCredentials');
+export function parseAESCredentials(authorizationHeader: string, secret: string) {
+  debug('parseAESCredentials init');
   const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
 
   // basic is deprecated and should not be enforced
@@ -57,27 +53,29 @@ export function parseAESCredentials(
     return credentials;
   } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
     debug('legacy header bearer');
-    debug('legacy header enhanced?', enhanced);
-    const credentials = enhanced
-      ? aesDecrypt(token.toString(), secret)
-      : // FUTURE: once deprecated legacy is removed this logic won't be longer need it
-        aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
-
-    return credentials;
+    debug('secret length %o', secret.length);
+    const isLegacyUnsecure = secret.length > 32;
+    debug('is legacy unsecure %o', isLegacyUnsecure);
+    if (isLegacyUnsecure) {
+      debug('legacy unsecure enabled');
+      return aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
+    } else {
+      debug('legacy secure enabled');
+      return aesDecrypt(token.toString(), secret);
+    }
   }
 }
 
 export function getMiddlewareCredentials(
   security: Security,
   secretKey: string,
-  authorizationHeader: string,
-  enhanced: boolean = true
+  authorizationHeader: string
 ): AuthMiddlewarePayload {
-  debug('getMiddlewareCredentials');
+  debug('getMiddlewareCredentials init');
   // comment out for debugging purposes
   if (isAESLegacy(security)) {
     debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey, enhanced);
+    const credentials = parseAESCredentials(authorizationHeader, secretKey);
     if (!credentials) {
       debug('parse legacy credentials failed');
       return;

packages/auth/test/auth.spec.ts

@@ -601,16 +601,14 @@ describe('AuthTest', () => {
           });
         });
 
-        describe('deprecated legacy handling forceEnhancedLegacySignature=false', () => {
+        describe('deprecated legacy handling', () => {
           test('should handle valid auth token', async () => {
             const payload = 'juan:password';
             // const token = await signPayload(remoteUser, '12345');
-            const config: Config = new AppConfig(
-              { ...authProfileConf },
-              { forceEnhancedLegacySignature: false }
-            );
+            const config: Config = new AppConfig({ ...authProfileConf });
             // intended to force key generator (associated with mocks above)
-            config.checkSecretKey(undefined);
+            // 64 characters secret long
+            config.checkSecretKey('35fabdd29b820d39125e76e6d85cc294');
             const auth = new Auth(config);
             await auth.init();
             const token = auth.aesEncrypt(payload) as string;
@@ -624,10 +622,7 @@ describe('AuthTest', () => {
 
           test('should handle invalid auth token', async () => {
             const payload = 'juan:password';
-            const config: Config = new AppConfig(
-              { ...authPluginFailureConf },
-              { forceEnhancedLegacySignature: false }
-            );
+            const config: Config = new AppConfig({ ...authPluginFailureConf });
             // intended to force key generator (associated with mocks above)
             config.checkSecretKey(undefined);
             const auth = new Auth(config);
@@ -691,8 +686,7 @@ describe('AuthTest', () => {
               {
                 ...authProfileConf,
                 ...{ security: { api: { jwt: { sign: { expiresIn: '29d' } } } } },
-              },
-              { forceEnhancedLegacySignature: false }
+              }
             );
             // intended to force key generator (associated with mocks above)
             config.checkSecretKey(undefined);
@@ -700,7 +694,6 @@ describe('AuthTest', () => {
             await auth.init();
             const token = (await auth.jwtEncrypt(
               createRemoteUser('jwt_user', [ROLES.ALL]),
-              // @ts-expect-error
               config.security.api.jwt.sign
             )) as string;
             const app = await getServer(auth);

packages/cli/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @verdaccio/cli
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.16
+- @verdaccio/node-api@7.0.0-next-7.16
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/config@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/node-api@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/cli",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "author": {
     "name": "Juan Picado",
     "email": "juanpicado19@gmail.com"
@@ -43,10 +43,10 @@
     "start": "ts-node src/index.ts"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/node-api": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
+    "@verdaccio/node-api": "workspace:7.0.0-next-7.16",
     "clipanion": "3.2.1",
     "envinfo": "7.11.0",
     "kleur": "4.1.5",

packages/config/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @verdaccio/config
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/utils@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/config",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "logger",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,8 +38,8 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.16",
     "debug": "4.3.4",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",

packages/config/src/config.ts

@@ -36,6 +36,13 @@ export const defaultUserRateLimiting = {
   max: 1000,
 };
 
+export function isNodeVersionGreaterThan21() {
+  const [major, minor] = process.versions.node.split('.').map(Number);
+  return major > 21 || (major === 21 && minor >= 0);
+}
+
+const TOKEN_VALID_LENGTH = 32;
+
 /**
  * Coordinates the application configuration
  */
@@ -56,21 +63,20 @@ class Config implements AppConfig {
   public plugins: string | void | null;
   public security: Security;
   public serverSettings: ServerSettingsConf;
+  private configOverrideOptions: { forceMigrateToSecureLegacySignature: boolean };
   // @ts-ignore
   public secret: string;
   public flags: FlagsConfig;
   public userRateLimit: RateLimit;
-  private configOptions: { forceEnhancedLegacySignature: boolean };
   public constructor(
     config: ConfigYaml & { config_path: string },
     // forceEnhancedLegacySignature is a property that
     // allows switch a new legacy aes signature token signature
     // for older versions do not want to have this new signature model
     // this property must be false
-    configOptions = { forceEnhancedLegacySignature: true }
+    configOverrideOptions = { forceMigrateToSecureLegacySignature: true }
   ) {
     const self = this;
-    this.configOptions = configOptions;
     this.storage = process.env.VERDACCIO_STORAGE_PATH || config.storage;
     if (!config.configPath) {
       // backport self_path for previous to version 6
@@ -80,11 +86,21 @@ class Config implements AppConfig {
         throw new Error('configPath property is required');
       }
     }
+    this.configOverrideOptions = configOverrideOptions;
     this.configPath = config.configPath;
     this.self_path = this.configPath;
     debug('config path: %s', this.configPath);
     this.plugins = config.plugins;
-    this.security = _.merge(defaultSecurity, config.security);
+    this.security = _.merge(
+      // override the default security configuration via constructor
+      _.merge(defaultSecurity, {
+        api: {
+          migrateToSecureLegacySignature:
+            this.configOverrideOptions.forceMigrateToSecureLegacySignature,
+        },
+      }),
+      config.security
+    );
     this.serverSettings = serverSettings;
     this.flags = {
       searchRemote: config.flags?.searchRemote ?? true,
@@ -135,14 +151,8 @@ class Config implements AppConfig {
     }
   }
 
-  public getEnhancedLegacySignature() {
-    if (typeof this?.security.enhancedLegacySignature !== 'undefined') {
-      if (this.security.enhancedLegacySignature === true) {
-        return true;
-      }
-      return false;
-    }
-    return this.configOptions.forceEnhancedLegacySignature;
+  public getMigrateToSecureLegacySignature() {
+    return this.security.api.migrateToSecureLegacySignature;
   }
 
   public getConfigPath() {
@@ -158,36 +168,70 @@ class Config implements AppConfig {
   }
 
   /**
-   * Store or create whether receive a secret key
+   * Verify if the secret complies with the required structure
+   *  - If the secret is not provided, it will generate a new one
+   *    - For any Node.js version the new secret will be 32 characters long (to allow compatibility with modern Node.js versions)
+   *  - If the secret is provided:
+   *    - If Node.js 22 or higher, the secret must be 32 characters long thus the application will fail on startup
+   *    - If Node.js 21 or lower, the secret will be used as is but will display a deprecation warning
+   *    - If the property `security.api.migrateToSecureLegacySignature` is provided and set to true, the secret will be
+   *      generated with the new signature model
    * @secret external secret key
    */
   public checkSecretKey(secret?: string): string {
-    debug('check secret key');
+    debug('checking secret key init');
     if (typeof secret === 'string' && _.isEmpty(secret) === false) {
+      debug('checking secret key length %s', secret.length);
+      if (secret.length > TOKEN_VALID_LENGTH) {
+        if (isNodeVersionGreaterThan21()) {
+          debug('is node version greater than 21');
+          if (this.getMigrateToSecureLegacySignature() === true) {
+            this.secret = generateRandomSecretKey();
+            debug('rewriting secret key with length %s', this.secret.length);
+            return this.secret;
+          }
+          // oops, user needs to generate a new secret key
+          debug(
+            'secret does not comply with the required length, current length  %d, application will fail on startup',
+            secret.length
+          );
+          throw new Error(
+            `Invalid storage secret key length, must be 32 characters long but is ${secret.length}. 
+            The secret length in Node.js 22 or higher must be 32 characters long. Please consider generate a new one. 
+            Learn more at https://verdaccio.org/docs/configuration/#.verdaccio-db`
+          );
+        } else {
+          debug('is node version lower than 22');
+          if (this.getMigrateToSecureLegacySignature() === true) {
+            this.secret = generateRandomSecretKey();
+            debug('rewriting secret key with length %s', this.secret.length);
+            return this.secret;
+          }
+          debug('triggering deprecation warning for secret key length %s', secret.length);
+          // still using Node.js versions previous to 22, but we need to emit a deprecation warning
+          // deprecation warning, secret key is too long and must be 32
+          // this will be removed in the next major release and will produce an error
+          warningUtils.emit(Codes.VERWAR007);
+          this.secret = secret;
+          return this.secret;
+        }
+      } else if (secret.length === TOKEN_VALID_LENGTH) {
+        debug('detected valid secret key length %s', secret.length);
+        this.secret = secret;
+        return this.secret;
+      }
+      debug('reusing previous key with length %s', secret.length);
       this.secret = secret;
-      debug('reusing previous key');
-      return secret;
-    }
-    // generate a new a secret key
-    // FUTURE: this might be an external secret key, perhaps within config file?
-    debug('generating a new secret key');
-
-    if (this.getEnhancedLegacySignature()) {
-      debug('key generated with "enhanced" legacy signature user config');
-      this.secret = generateRandomSecretKey();
+      return this.secret;
     } else {
-      debug('key generated with legacy signature user config');
-      this.secret = generateRandomHexString(32);
-    }
-    // set this to false allow use old token signature and is not recommended
-    // only use for migration reasons, major release will remove this property and
-    // set it by default
-    if (this.security?.enhancedLegacySignature === false) {
-      warningUtils.emit(Codes.VERWAR005);
-    }
+      // generate a new a secret key
+      // FUTURE: this might be an external secret key, perhaps within config file?
+      debug('generating a new secret key');
+      this.secret = generateRandomSecretKey();
+      debug('generated a new secret key length %s', this.secret?.length);
 
-    debug('generated a new secret key length %s', this.secret?.length);
-    return this.secret;
+      return this.secret;
+    }
   }
 }
 

packages/config/src/security.ts

@@ -13,6 +13,7 @@ const defaultWebTokenOptions: JWTOptions = {
 
 const defaultApiTokenConf: APITokenOptions = {
   legacy: true,
+  migrateToSecureLegacySignature: true,
 };
 
 export const defaultSecurity: Security = {

packages/config/src/token.ts

@@ -1,9 +1,11 @@
 import { randomBytes } from 'crypto';
 
+// TODO: code duplicated at @verdaccio/signature
 export const TOKEN_VALID_LENGTH = 32;
 
 /**
  * Secret key must have 32 characters.
+ * // TODO: code duplicated at @verdaccio/signature
  */
 export function generateRandomSecretKey(): string {
   return randomBytes(TOKEN_VALID_LENGTH).toString('base64').substring(0, TOKEN_VALID_LENGTH);

packages/config/test/config.spec.ts

@@ -6,9 +6,12 @@ import {
   DEFAULT_REGISTRY,
   DEFAULT_UPLINK,
   ROLES,
+  TOKEN_VALID_LENGTH,
   WEB_TITLE,
   defaultSecurity,
+  generateRandomSecretKey,
   getDefaultConfig,
+  isNodeVersionGreaterThan21,
   parseConfigFile,
 } from '../src';
 import { parseConfigurationFile } from './utils';
@@ -19,6 +22,8 @@ const resolveConf = (conf) => {
   return path.join(__dirname, `../src/conf/${name}${ext.startsWith('.') ? ext : '.yaml'}`);
 };
 
+const itif = (condition) => (condition ? it : it.skip);
+
 const checkDefaultUplink = (config) => {
   expect(_.isObject(config.uplinks[DEFAULT_UPLINK])).toBeTruthy();
   expect(config.uplinks[DEFAULT_UPLINK].url).toMatch(DEFAULT_REGISTRY);
@@ -94,32 +99,85 @@ describe('check basic content parsed file', () => {
 describe('checkSecretKey', () => {
   test('with default.yaml and pre selected secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(config.checkSecretKey('12345')).toEqual('12345');
+    expect(config.checkSecretKey(generateRandomSecretKey())).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
   test('with default.yaml and void secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
+    const secret = config.checkSecretKey();
+    expect(typeof secret === 'string').toBeTruthy();
+    expect(secret).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
-  test('with default.yaml and emtpy string secret', () => {
+  test('with default.yaml and empty string secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(typeof config.checkSecretKey('') === 'string').toBeTruthy();
+    const secret = config.checkSecretKey('');
+    expect(typeof secret === 'string').toBeTruthy();
+    expect(secret).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
-  test('with enhanced legacy signature', () => {
+  test('with default.yaml and valid string secret length', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    config.security.enhancedLegacySignature = true;
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
-    expect(config.secret.length).toBe(32);
+    expect(typeof config.checkSecretKey(generateRandomSecretKey()) === 'string').toBeTruthy();
   });
 
-  test('without enhanced legacy signature', () => {
-    const config = new Config(parseConfigFile(resolveConf('default')));
-    config.security.enhancedLegacySignature = false;
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
-    expect(config.secret.length).toBe(64);
+  test('with default.yaml migrate a valid string secret length', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: true,
+    });
+    expect(
+      // 64 characters secret long
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
   });
+
+  // only runs on Node.js 22 or higher
+  itif(isNodeVersionGreaterThan21())('with enhanced legacy signature Node 22 or higher', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: false,
+    });
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(() =>
+      // 64 characters secret long
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toThrow();
+  });
+
+  itif(isNodeVersionGreaterThan21())('with enhanced legacy signature Node 22 or higher', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: false,
+    });
+    config.security.api.migrateToSecureLegacySignature = true;
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
+  });
+
+  itif(isNodeVersionGreaterThan21() === false)(
+    'with old unsecure legacy signature Node 21 or lower',
+    () => {
+      const config = new Config(parseConfigFile(resolveConf('default')));
+      config.security.api.migrateToSecureLegacySignature = false;
+      // 64 characters secret long
+      // eslint-disable-next-line jest/no-standalone-expect
+      expect(
+        config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+      ).toHaveLength(64);
+    }
+  );
+
+  test('with migration to new legacy signature Node 21 or lower', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')));
+    config.security.api.migrateToSecureLegacySignature = true;
+    // 64 characters secret long
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
+  });
+
+  test.todo('test emit warning with secret key');
 });
 
 describe('getMatchedPackagesSpec', () => {

packages/core/core/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @verdaccio/core
 
+## 7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
 ## 7.0.0-next-7.14
 
 ## 7.0.0-next-7.13

packages/core/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/core",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "core utilities",
   "keywords": [
     "private",
@@ -44,7 +44,7 @@
     "lodash": "4.17.21",
     "typedoc": "0.23.25",
     "typedoc-plugin-missing-exports": "latest",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/core/src/warning-utils.ts

@@ -9,17 +9,13 @@ export enum Codes {
   VERWAR002 = 'VERWAR002',
   VERWAR003 = 'VERWAR003',
   VERWAR004 = 'VERWAR004',
-  VERWAR005 = 'VERWAR005',
   // deprecation warnings
   VERDEP003 = 'VERDEP003',
   VERWAR006 = 'VERWAR006',
+  VERWAR007 = 'VERWAR007',
 }
 
-warningInstance.create(
-  verdaccioWarning,
-  Codes.VERWAR002,
-  `The configuration property "logs" has been deprecated, please rename to "log" for future compatibility`
-);
+/* general warnings */
 
 warningInstance.create(
   verdaccioWarning,
@@ -27,6 +23,12 @@ warningInstance.create(
   `Verdaccio doesn't need superuser privileges. don't run it under root`
 );
 
+warningInstance.create(
+  verdaccioWarning,
+  Codes.VERWAR002,
+  `The configuration property "logs" has been deprecated, please rename to "log" for future compatibility`
+);
+
 warningInstance.create(
   verdaccioWarning,
   Codes.VERWAR003,
@@ -42,23 +44,26 @@ https://verdaccio.org/docs/en/configuration#listen-port`
 );
 
 warningInstance.create(
-  verdaccioWarning,
-  Codes.VERWAR005,
-  'disable enhanced legacy signature is considered a security risk, please reconsider enable it'
+  verdaccioDeprecation,
+  Codes.VERWAR006,
+  'the auth plugin method "add_user" in the auth plugin is deprecated and will be removed in next major release, rename to "adduser"'
 );
 
+warningInstance.create(
+  verdaccioDeprecation,
+  Codes.VERWAR007,
+  `the secret length is too long, it must be 32 characters long, please consider generate a new one 
+  Learn more at https://verdaccio.org/docs/configuration/#.verdaccio-db`
+);
+
+/* deprecation warnings */
+
 warningInstance.create(
   verdaccioDeprecation,
   Codes.VERDEP003,
   'multiple addresses will be deprecated in the next major, only use one'
 );
 
-warningInstance.create(
-  verdaccioDeprecation,
-  Codes.VERWAR006,
-  'the auth plugin method "add_user" in the auth plugin is deprecated and will be removed in next major release, rename to "adduser"'
-);
-
 export function emit(code: string, a?: string, b?: string, c?: string) {
   warningInstance.emit(code, a, b, c);
 }

packages/core/file-locking/package.json

@@ -39,7 +39,7 @@
     "lockfile": "1.0.4"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/tarball/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Change Log
 
+## 12.0.0-next-7.16
+
+### Patch Changes
+
+- 5bfab62: feat: add tarball details for published packages
+- Updated dependencies [38b1e82]
+  - @verdaccio/url@12.0.0-next-7.16
+  - @verdaccio/core@7.0.0-next-7.16
+  - @verdaccio/utils@7.0.0-next-7.16
+
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- 7400830: revert #4600
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/url@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/core/tarball/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/tarball",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.16",
   "description": "tarball utilities resolver",
   "keywords": [
     "private",
@@ -33,16 +33,16 @@
     "access": "public"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/url": "workspace:12.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/url": "workspace:12.0.0-next-7.16",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.16",
     "debug": "4.3.4",
     "gunzip-maybe": "^1.4.2",
     "lodash": "4.17.21",
     "tar-stream": "^3.1.7"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "node-mocks-http": "1.14.1"
   },
   "scripts": {

packages/core/tarball/src/getTarballDetails.ts

@@ -7,10 +7,10 @@ export type TarballDetails = {
   unpackedSize: number; // in bytes
 };
 
-export async function getTarballDetails(readable: Readable): Promise<TarballDetails> {
+export async function getTarballDetails(buffer: Buffer): Promise<TarballDetails> {
   let fileCount = 0;
   let unpackedSize = 0;
-
+  const readable = Readable.from(buffer);
   const unpack = tarStream.extract();
 
   return new Promise((resolve, reject) => {

packages/core/tarball/src/index.ts

@@ -5,6 +5,6 @@ export {
   convertDistVersionToLocalTarballsUrl,
 } from './convertDistRemoteToLocalTarballUrls';
 export { extractTarballFromUrl, getLocalRegistryTarballUri } from './getLocalRegistryTarballUri';
-export { TarballDetails, getTarballDetails } from './getTarballDetails';
+export { getTarballDetails, TarballDetails } from './getTarballDetails';
 
 export { RequestOptions };

packages/core/tarball/tests/getTarballDetails.spec.ts

@@ -1,6 +1,5 @@
 import fs from 'fs';
 import path from 'path';
-import { Readable } from 'stream';
 
 import { getTarballDetails } from '../src/getTarballDetails.ts';
 
@@ -15,23 +14,20 @@ const getFileBuffer = async (filename: string): Promise<Buffer> => {
 describe('getTarballDetails', () => {
   test('should return stats of tarball (gzipped)', async () => {
     const buffer = await getFileBuffer('tarball.tgz');
-    const readable = Readable.from(buffer);
-    const details = await getTarballDetails(readable);
+    const details = await getTarballDetails(buffer);
     expect(details.fileCount).toBe(2);
     expect(details.unpackedSize).toBe(1280);
   });
 
   test('should return stats of tarball (uncompressed)', async () => {
     const buffer = await getFileBuffer('tarball.tar');
-    const readable = Readable.from(buffer);
-    const details = await getTarballDetails(readable);
+    const details = await getTarballDetails(buffer);
     expect(details.fileCount).toBe(2);
     expect(details.unpackedSize).toBe(1280);
   });
 
   test('should throw an error if the buffer is corrupt', async () => {
     const corruptBuffer = Buffer.from('this is not a tarball');
-    const readable = Readable.from(corruptBuffer);
-    await expect(getTarballDetails(readable)).rejects.toThrow();
+    await expect(getTarballDetails(corruptBuffer)).rejects.toThrow();
   });
 });

packages/core/types/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log
 
+## 12.0.0-next-7.3
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
 ## 12.0.0-next.2
 
 ### Minor Changes

packages/core/types/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/types",
-  "version": "12.0.0-next.2",
+  "version": "12.0.0-next-7.3",
   "description": "verdaccio types definitions",
   "keywords": [
     "private",

packages/core/types/src/configuration.ts

@@ -182,11 +182,14 @@ export interface JWTVerifyOptions {
 
 export interface APITokenOptions {
   legacy: boolean;
+  /**
+   * Temporary flag to allow migration to the new legacy signature
+   */
+  migrateToSecureLegacySignature: boolean;
   jwt?: JWTOptions;
 }
 
 export interface Security {
-  enhancedLegacySignature?: boolean;
   web: JWTOptions;
   api: APITokenOptions;
 }

packages/core/url/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Change Log
 
+## 12.0.0-next-7.16
+
+### Patch Changes
+
+- 38b1e82: patch(core/url): Throw if VERDACCIO_FORWARDED_PROTO resolves to an array (#4613 by @Tobbe)
+  - @verdaccio/core@7.0.0-next-7.16
+
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/core/url/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/url",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.16",
   "description": "url utilities resolver",
   "keywords": [
     "private",
@@ -33,13 +33,13 @@
     "access": "public"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
     "debug": "4.3.4",
     "lodash": "4.17.21",
     "validator": "13.11.0"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "node-mocks-http": "1.14.1"
   },
   "scripts": {

packages/core/url/src/index.ts

@@ -121,10 +121,17 @@ export function getPublicUrl(url_prefix: string = '', requestOptions: RequestOpt
       throw new Error('invalid host');
     }
 
+    // 'X-Forwarded-Proto' is the default header
     const protoHeader: string =
       process.env.VERDACCIO_FORWARDED_PROTO?.toLocaleLowerCase() ??
       HEADERS.FORWARDED_PROTO.toLowerCase();
-    const forwardedProtocolHeaderValue = requestOptions.headers[protoHeader] as string | undefined;
+    const forwardedProtocolHeaderValue = requestOptions.headers[protoHeader];
+
+    if (Array.isArray(forwardedProtocolHeaderValue)) {
+      // This really should never happen - only set-cookie is allowed to have
+      // multiple values.
+      throw new Error('invalid forwarded protocol header value. Reading header ' + protoHeader);
+    }
 
     const protocol = getWebProtocol(forwardedProtocolHeaderValue, requestOptions.protocol);
     const combinedUrl = combineBaseUrl(protocol, host, url_prefix);

packages/core/url/tests/getPublicUrl.spec.ts

@@ -316,6 +316,31 @@ describe('env variable', () => {
     delete process.env.VERDACCIO_FORWARDED_PROTO;
   });
 
+  test('with the VERDACCIO_FORWARDED_PROTO environment variable set to "set-cookie"', () => {
+    process.env.VERDACCIO_FORWARDED_PROTO = 'set-cookie';
+    const req = httpMocks.createRequest({
+      method: 'GET',
+      headers: {
+        host: 'some.com',
+        cookie: 'name=value; name2=value2;',
+        'set-cookie': [
+          'cookieName1=value; expires=Tue, 19 Jan 2038 03:14:07 GMT;',
+          'cookieName2=value; expires=Tue, 19 Jan 2038 03:14:07 GMT;',
+        ],
+      },
+      url: '/',
+    });
+
+    expect(() =>
+      getPublicUrl('/test/', {
+        host: req.hostname,
+        headers: req.headers as any,
+        protocol: req.protocol,
+      })
+    ).toThrow('invalid forwarded protocol header value. Reading header set-cookie');
+    delete process.env.VERDACCIO_FORWARDED_PROTO;
+  });
+
   test('with a invalid X-Forwarded-Proto https and host injection with invalid host', () => {
     process.env.VERDACCIO_PUBLIC_URL = 'http://injection.test.com"><svg onload="alert(1)">';
     const req = httpMocks.createRequest({

packages/hooks/CHANGELOG.md

@@ -1,5 +1,20 @@
 # @verdaccio/hooks
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.16
+- @verdaccio/core@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/hooks/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/hooks",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -29,17 +29,17 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
     "core-js": "3.35.0",
     "debug": "4.3.4",
     "got-cjs": "12.5.4",
     "handlebars": "4.7.8"
   },
   "devDependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.16",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "nock": "13.5.1"
   },
   "scripts": {

packages/loaders/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @verdaccio/loaders
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/loaders/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/loaders",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -13,14 +13,14 @@
     "url": "https://github.com/verdaccio/verdaccio"
   },
   "dependencies": {
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
     "debug": "4.3.4",
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "@verdaccio-scope/verdaccio-auth-foo": "0.0.2",
     "verdaccio-auth-memory": "workspace:*",
     "customprefix-auth": "2.0.0-next.0"

packages/logger/logger-7/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @verdaccio/logger-7
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- Updated dependencies [cf1b46c]
+  - @verdaccio/logger-commons@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- @verdaccio/logger-commons@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/logger/logger-7/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger-7",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "logger for verdaccio 5.x version",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,11 +38,11 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/logger-commons": "workspace:7.0.0-next-7.14",
+    "@verdaccio/logger-commons": "workspace:7.0.0-next-7.16",
     "pino": "7.11.0"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/logger/logger-commons/CHANGELOG.md

@@ -1,5 +1,21 @@
 # @verdaccio/logger-commons
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- cf1b46c: fix: log spacing depending on the FORMAT and COLORS options
+- Updated dependencies [cf1b46c]
+  - @verdaccio/logger-prettify@7.0.0-next-7.3
+  - @verdaccio/core@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/logger/logger-commons/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger-commons",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,14 +38,14 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger-prettify": "workspace:7.0.0-next-7.2",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger-prettify": "workspace:7.0.0-next-7.3",
     "debug": "4.3.4",
     "colorette": "2.0.20"
   },
   "devDependencies": {
     "pino": "7.11.0",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/logger/logger-commons/test/logger.spec.ts

@@ -36,7 +36,7 @@ describe('logger test', () => {
       logger.trace(`this should not be logged`);
       logger.error(`this should logged`);
       const content = await readLogFile(file);
-      expect(content).toBe('info --- testing test \nerror--- this should logged \n');
+      expect(content).toBe('info --- testing test\nerror--- this should logged\n');
     });
 
     test('should include all logging level', async () => {
@@ -51,7 +51,7 @@ describe('logger test', () => {
       logger.error(`this should logged`);
       const content = await readLogFile(file);
       expect(content).toBe(
-        'info --- testing test \ndebug--- this should not be logged \ntrace--- this should not be logged \nerror--- this should logged \n'
+        'info --- testing test\ndebug--- this should not be logged\ntrace--- this should not be logged\nerror--- this should logged\n'
       );
     });
   });
@@ -101,7 +101,7 @@ describe('logger test', () => {
         `publishing or updating a new version for @{packageName}`
       );
       const content = await readLogFile(file);
-      expect(content).toEqual('info --- publishing or updating a new version for test \n');
+      expect(content).toEqual('info --- publishing or updating a new version for test\n');
     });
 
     test('should log into a file with pretty-timestamped', async () => {
@@ -122,7 +122,7 @@ describe('logger test', () => {
       );
       const content = await readLogFile(file);
       // TODO: we might want mock time for testing
-      expect(content).toMatch('info --- publishing or updating a new version for test \n');
+      expect(content).toMatch('info --- publishing or updating a new version for test\n');
     });
   });
 });

packages/logger/logger-prettify/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @verdaccio/logger-prettify
 
+## 7.0.0-next-7.3
+
+### Patch Changes
+
+- cf1b46c: fix: log spacing depending on the FORMAT and COLORS options
+
 ## 7.0.0-next-7.2
 
 ### Patch Changes

packages/logger/logger-prettify/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger-prettify",
-  "version": "7.0.0-next-7.2",
+  "version": "7.0.0-next-7.3",
   "description": "logger",
   "main": "./build/index.js",
   "types": "build/index.d.ts",

packages/logger/logger-prettify/src/formatter.ts

@@ -3,7 +3,7 @@ import { inspect } from 'util';
 
 import { LevelCode, calculateLevel, levelsColors, subSystemLevels } from './levels';
 import { PrettyOptionsExtended } from './types';
-import { formatLoggingDate, isObject, padLeft, padRight } from './utils';
+import { formatLoggingDate, isObject, padRight } from './utils';
 
 let LEVEL_VALUE_MAX = 0;
 for (const l in levelsColors) {
@@ -68,11 +68,11 @@ function getMessage(debugLevel, msg, sub, templateObjects, hasColors: boolean) {
       `${subSystemType} ${finalMessage}`
     )}`;
 
-    return padLeft(logString);
+    return logString;
   }
   const logString = `${padRight(debugLevel, LEVEL_VALUE_MAX)}${subSystemType} ${finalMessage}`;
 
-  return padRight(logString);
+  return logString;
 }
 
 export function printMessage(

packages/logger/logger-prettify/src/utils.ts

@@ -8,10 +8,6 @@ export function isObject(obj: unknown): boolean {
   return _.isObject(obj) && _.isNull(obj) === false && _.isArray(obj) === false;
 }
 
-export function padLeft(message: string) {
-  return message.padStart(message.length + CUSTOM_PAD_LENGTH, ' ');
-}
-
 export function padRight(message: string, max = message.length + CUSTOM_PAD_LENGTH) {
   return message.padEnd(max, ' ');
 }
@@ -19,5 +15,5 @@ export function padRight(message: string, max = message.length + CUSTOM_PAD_LENG
 export function formatLoggingDate(time: number, message: string): string {
   const timeFormatted = dayjs(time).format(FORMAT_DATE);
 
-  return `[${timeFormatted}]${message}`;
+  return `[${timeFormatted}] ${message}`;
 }

packages/logger/logger-prettify/test/__snapshots__/formatter.spec.ts.snap

@@ -1,21 +1,21 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`formatter printMessage should display a bytes request 1`] = `"fatal<-- 200, user: null(127.0.0.1), req: 'GET /verdaccio', bytes: 0/150186 "`;
+exports[`formatter printMessage should display a bytes request 1`] = `"fatal<-- 200, user: null(127.0.0.1), req: 'GET /verdaccio', bytes: 0/150186"`;
 
-exports[`formatter printMessage should display a resource request 1`] = `"info <-- 127.0.0.1 requested 'GET /verdaccio' "`;
+exports[`formatter printMessage should display a resource request 1`] = `"info <-- 127.0.0.1 requested 'GET /verdaccio'"`;
 
-exports[`formatter printMessage should display a streaming request 1`] = `"fatal--> 304, req: 'GET https://registry.npmjs.org/verdaccio' (streaming) "`;
+exports[`formatter printMessage should display a streaming request 1`] = `"fatal--> 304, req: 'GET https://registry.npmjs.org/verdaccio' (streaming)"`;
 
-exports[`formatter printMessage should display an error request 1`] = `"fatal--> ERR, req: 'GET https://registry.fake.org/aaa', error: getaddrinfo ENOTFOUND registry.fake.org "`;
+exports[`formatter printMessage should display an error request 1`] = `"fatal--> ERR, req: 'GET https://registry.fake.org/aaa', error: getaddrinfo ENOTFOUND registry.fake.org"`;
 
-exports[`formatter printMessage should display an fatal request 1`] = `"fatal--> ERR, req: 'GET https://registry.fake.org/aaa', error: fatal error "`;
+exports[`formatter printMessage should display an fatal request 1`] = `"fatal--> ERR, req: 'GET https://registry.fake.org/aaa', error: fatal error"`;
 
-exports[`formatter printMessage should display config file 1`] = `"warn --- config file  - /Users/user/.config/verdaccio/config/config.yaml "`;
+exports[`formatter printMessage should display config file 1`] = `"warn --- config file  - /Users/user/.config/verdaccio/config/config.yaml"`;
 
-exports[`formatter printMessage should display custom log message 1`] = `"fatal--- custom - foo - undefined "`;
+exports[`formatter printMessage should display custom log message 1`] = `"fatal--- custom - foo - undefined"`;
 
-exports[`formatter printMessage should display trace level 1`] = `"trace--- [trace]  - foo "`;
+exports[`formatter printMessage should display trace level 1`] = `"trace--- [trace]  - foo"`;
 
-exports[`formatter printMessage should display trace level with pretty stamp 1`] = `"[formatted-date]trace--- [trace]  - foo "`;
+exports[`formatter printMessage should display trace level with pretty stamp 1`] = `"[formatted-date] trace--- [trace]  - foo"`;
 
-exports[`formatter printMessage should display version and http address 1`] = `"warn --- http address - http://localhost:4873/ - verdaccio/5.0.0 "`;
+exports[`formatter printMessage should display version and http address 1`] = `"warn --- http address - http://localhost:4873/ - verdaccio/5.0.0"`;

packages/logger/logger-prettify/test/index.spec.ts

@@ -17,7 +17,7 @@ describe('prettyFactory', () => {
         objectMode: true,
         write(chunk, enc, cb) {
           const formatted = pretty(JSON.parse(chunk));
-          expect(formatted).toBe('info --- test message ');
+          expect(formatted).toBe('info --- test message');
           cb();
           done();
         },

packages/logger/logger-prettify/test/utils.test.ts

@@ -1,8 +1,8 @@
-import { formatLoggingDate, padLeft, padRight } from '../src/utils';
+import { formatLoggingDate, padRight } from '../src/utils';
 
 describe('formatLoggingDate', () => {
   test('basic', () => {
-    expect(formatLoggingDate(1585411248203, ' message')).toEqual('[2020-03-28 16:00:48] message');
+    expect(formatLoggingDate(1585411248203, 'message')).toEqual('[2020-03-28 16:00:48] message');
   });
 });
 
@@ -14,7 +14,4 @@ describe('pad', () => {
   test('pad right 2', () => {
     expect(padRight('message right')).toEqual('message right ');
   });
-  test('pad left', () => {
-    expect(padLeft('message left')).toEqual(' message left');
-  });
 });

packages/logger/logger/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @verdaccio/logger
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- Updated dependencies [cf1b46c]
+  - @verdaccio/logger-commons@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- @verdaccio/logger-commons@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/logger/logger/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,11 +38,11 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/logger-commons": "workspace:7.0.0-next-7.14",
+    "@verdaccio/logger-commons": "workspace:7.0.0-next-7.16",
     "pino": "8.17.2"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/middleware/CHANGELOG.md

@@ -1,5 +1,25 @@
 # @verdaccio/middleware
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- Updated dependencies [38b1e82]
+  - @verdaccio/url@12.0.0-next-7.16
+  - @verdaccio/core@7.0.0-next-7.16
+  - @verdaccio/config@7.0.0-next-7.16
+  - @verdaccio/utils@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/url@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/middleware/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/middleware",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "express middleware utils",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,13 +38,13 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/url": "workspace:12.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.16",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/url": "workspace:12.0.0-next-7.16",
     "debug": "4.3.4",
     "lru-cache": "7.18.3",
-    "express": "4.18.3",
+    "express": "4.19.2",
     "lodash": "4.17.21",
     "mime": "2.6.0",
     "express-rate-limit": "5.5.1"
@@ -54,7 +54,7 @@
     "url": "https://opencollective.com/verdaccio"
   },
   "devDependencies": {
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
     "body-parser": "1.20.2",
     "supertest": "6.3.4"
   }

packages/node-api/CHANGELOG.md

@@ -1,5 +1,30 @@
 # @verdaccio/node-api
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/server@7.0.0-next-7.16
+- @verdaccio/server-fastify@7.0.0-next-7.16
+- @verdaccio/logger@7.0.0-next-7.16
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/config@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/server-fastify@7.0.0-next-7.15
+  - @verdaccio/server@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/node-api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/node-api",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "node API",
   "main": "build/index.js",
   "types": "build/index.d.ts",
@@ -38,17 +38,17 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/server": "workspace:7.0.0-next-7.14",
-    "@verdaccio/server-fastify": "workspace:7.0.0-next-7.14",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
+    "@verdaccio/server": "workspace:7.0.0-next-7.16",
+    "@verdaccio/server-fastify": "workspace:7.0.0-next-7.16",
     "core-js": "3.35.0",
     "debug": "4.3.4",
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "jest": "29.7.0",
     "selfsigned": "2.4.1",
     "supertest": "6.3.4"

packages/node-api/test/run-server.spec.ts

@@ -15,7 +15,6 @@ describe('startServer via API', () => {
   });
 
   test('should fail on start with null as entry', async () => {
-    // @ts-expect-error
     await expect(runServer(null)).rejects.toThrow();
   });
 });

packages/plugins/audit/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Change Log
 
+## 12.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/config@7.0.0-next-7.16
+
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/plugins/audit/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-audit",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.16",
   "description": "Verdaccio Middleware plugin to bypass npmjs audit",
   "keywords": [
     "private",
@@ -30,16 +30,16 @@
     "node": ">=12"
   },
   "dependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "express": "4.18.3",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "express": "4.19.2",
     "https-proxy-agent": "5.0.1",
     "node-fetch": "cjs"
   },
   "devDependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "nock": "13.5.1",
     "supertest": "6.3.4"
   },

packages/plugins/auth-memory/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Change Log
 
+## 12.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.16
+
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/plugins/auth-memory/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-auth-memory",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.16",
   "description": "Auth plugin for Verdaccio that keeps users in memory",
   "keywords": [
     "private",
@@ -30,13 +30,13 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
     "debug": "4.3.4"
   },
   "devDependencies": {
     "@types/debug": "^4.1.12",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/plugins/htpasswd/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Change Log
 
+## 12.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.16
+
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/file-locking@12.0.0-next.1
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/plugins/htpasswd/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-htpasswd",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.16",
   "description": "htpasswd auth plugin for Verdaccio",
   "keywords": [
     "private",
@@ -33,7 +33,7 @@
     "node": ">=12"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
     "@verdaccio/file-locking": "workspace:12.0.0-next.1",
     "apache-md5": "1.1.8",
     "bcryptjs": "2.4.3",
@@ -44,9 +44,9 @@
   },
   "devDependencies": {
     "@types/bcryptjs": "2.4.6",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
     "mockdate": "3.0.5"
   },
   "scripts": {

packages/plugins/local-storage/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Change Log
 
+## 12.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/utils@7.0.0-next-7.16
+
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/file-locking@12.0.0-next.1
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/plugins/local-storage/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/local-storage",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.16",
   "description": "Local storage implementation",
   "keywords": [
     "private",
@@ -36,9 +36,9 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
     "@verdaccio/file-locking": "workspace:12.0.0-next.1",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.16",
     "core-js": "3.35.0",
     "debug": "4.3.4",
     "globby": "11.1.0",
@@ -50,10 +50,10 @@
   },
   "devDependencies": {
     "@types/minimatch": "5.1.2",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "minimatch": "9.0.3"
   },
   "scripts": {

packages/plugins/memory/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Change Log
 
+## 12.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.16
+
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/plugins/memory/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-memory",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.16",
   "description": "Storage implementation in memory",
   "keywords": [
     "private",
@@ -30,15 +30,15 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
     "memory-fs": "0.5.0",
     "debug": "4.3.4",
     "memfs": "3.5.3"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/plugins/ui-theme/CHANGELOG.md

@@ -1,5 +1,9 @@
 # @verdaccio/ui-theme
 
+## 7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ## 7.0.0-next-7.13

packages/plugins/ui-theme/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/ui-theme",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "Verdaccio User Interface",
   "author": {
     "name": "Verdaccio Contributors",
@@ -27,7 +27,7 @@
     "@testing-library/dom": "9.3.4",
     "@testing-library/jest-dom": "6.3.0",
     "@testing-library/react": "14.1.2",
-    "@verdaccio/node-api": "workspace:7.0.0-next-7.14",
+    "@verdaccio/node-api": "workspace:7.0.0-next-7.16",
     "@verdaccio/types": "workspace:*",
     "@verdaccio/ui-components": "workspace:3.0.0-next-7.6",
     "babel-loader": "8.3.0",

packages/plugins/ui-theme/src/components/Contributors/generated_contributors_list.json

@@ -191,6 +191,10 @@
     "username": "NotWearingPants",
     "id": 26556598
   },
+  {
+    "username": "gweesin",
+    "id": 42909374
+  },
   {
     "username": "BartDubois",
     "id": 1180931
@@ -199,14 +203,14 @@
     "username": "CrispyConductor",
     "id": 2132722
   },
-  {
-    "username": "semoal",
-    "id": 22656541
-  },
   {
     "username": "greshilov",
     "id": 814614
   },
+  {
+    "username": "semoal",
+    "id": 22656541
+  },
   {
     "username": "Jason-Cooke",
     "id": 5185660
@@ -355,6 +359,10 @@
     "username": "plitex",
     "id": 2946823
   },
+  {
+    "username": "Tobbe",
+    "id": 30793
+  },
   {
     "username": "varijkapil13",
     "id": 8291077
@@ -632,8 +640,12 @@
     "id": 8954107
   },
   {
-    "username": "Tobbe",
-    "id": 30793
+    "username": "tomcoonen",
+    "id": 988013
+  },
+  {
+    "username": "morrain",
+    "id": 9381634
   },
   {
     "username": "oltodo",
@@ -699,10 +711,6 @@
     "username": "RodrigoBalest",
     "id": 4810463
   },
-  {
-    "username": "tomcoonen",
-    "id": 988013
-  },
   {
     "username": "iketiunn",
     "id": 10249208
@@ -871,6 +879,10 @@
     "username": "divdavem",
     "id": 1152706
   },
+  {
+    "username": "hedocode",
+    "id": 22884999
+  },
   {
     "username": "iambrandonn",
     "id": 1644549
@@ -947,14 +959,6 @@
     "username": "ericmutta",
     "id": 20465797
   },
-  {
-    "username": "Joon",
-    "id": 94231
-  },
-  {
-    "username": "hedocode",
-    "id": 22884999
-  },
   {
     "username": "itsabdelrahman",
     "id": 11808903
@@ -1039,6 +1043,14 @@
     "username": "bchenSyd",
     "id": 8207081
   },
+  {
+    "username": "einfallstoll",
+    "id": 619048
+  },
+  {
+    "username": "Joon",
+    "id": 94231
+  },
   {
     "username": "Mearman",
     "id": 1331872
@@ -1107,14 +1119,6 @@
     "username": "morlay",
     "id": 1667873
   },
-  {
-    "username": "morrain",
-    "id": 9381634
-  },
-  {
-    "username": "einfallstoll",
-    "id": 619048
-  },
   {
     "username": "felipeplets",
     "id": 119980
@@ -1139,10 +1143,6 @@
     "username": "gecruz",
     "id": 29457476
   },
-  {
-    "username": "gweesin",
-    "id": 42909374
-  },
   {
     "username": "iztsv",
     "id": 3539802
@@ -1171,6 +1171,10 @@
     "username": "vStone",
     "id": 356719
   },
+  {
+    "username": "jlguenego",
+    "id": 2842446
+  },
   {
     "username": "zaventh",
     "id": 669283
@@ -1283,6 +1287,10 @@
     "username": "MrCube42",
     "id": 1512210
   },
+  {
+    "username": "kongdewen",
+    "id": 10659566
+  },
   {
     "username": "donbowman",
     "id": 5131923

packages/proxy/CHANGELOG.md

@@ -1,5 +1,22 @@
 # @verdaccio/proxy
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/config@7.0.0-next-7.16
+- @verdaccio/utils@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/proxy/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/proxy",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "verdaccio proxy fetcher",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,9 +38,9 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.16",
     "JSONStream": "1.3.5",
     "debug": "4.3.4",
     "got-cjs": "12.5.4",
@@ -48,8 +48,8 @@
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "get-stream": "^6.0.1",
     "nock": "13.5.1",
     "node-mocks-http": "1.14.1",

packages/search-indexer/package.json

@@ -37,7 +37,7 @@
     "build": "esbuild src/index.ts --bundle --outfile=build/dist.js --platform=node --target=node12  && pnpm run build:types"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "@orama/orama": "1.2.4",
     "debug": "4.3.4",
     "esbuild": "0.14.10"

packages/search/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @verdaccio/search
 
+## 7.0.0-next-7.5
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.16
+- @verdaccio/proxy@7.0.0-next-7.16
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/config@7.0.0-next-7.16
+
+## 7.0.0-next-7.4
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/proxy@7.0.0-next-7.15
+
 ## 7.0.0-next-7.3
 
 ### Patch Changes

packages/search/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/search",
-  "version": "7.0.0-next-7.3",
+  "version": "7.0.0-next-7.5",
   "description": "verdaccio search proxy",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -40,13 +40,13 @@
   "dependencies": {
     "debug": "4.3.4",
     "lodash": "4.17.21",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/proxy": "workspace:7.0.0-next-7.14"
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
+    "@verdaccio/proxy": "workspace:7.0.0-next-7.16"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "mockdate": "3.0.5",
     "nock": "13.5.1",
     "node-mocks-http": "1.14.1"

packages/server/express/CHANGELOG.md

@@ -1,5 +1,41 @@
 # @verdaccio/server
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- Updated dependencies [e5624e1]
+- Updated dependencies [5bfab62]
+  - @verdaccio/store@7.0.0-next-7.16
+  - @verdaccio/api@7.0.0-next-7.16
+  - @verdaccio/web@7.0.0-next-7.16
+  - @verdaccio/logger@7.0.0-next-7.16
+  - @verdaccio/middleware@7.0.0-next-7.16
+  - @verdaccio/auth@7.0.0-next-7.16
+  - @verdaccio/loaders@7.0.0-next-7.16
+  - verdaccio-audit@12.0.0-next-7.16
+  - @verdaccio/core@7.0.0-next-7.16
+  - @verdaccio/config@7.0.0-next-7.16
+  - @verdaccio/utils@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [7400830]
+- Updated dependencies [bd8703e]
+  - @verdaccio/store@7.0.0-next-7.15
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/auth@7.0.0-next-7.15
+  - @verdaccio/web@7.0.0-next-7.15
+  - @verdaccio/api@7.0.0-next-7.15
+  - @verdaccio/loaders@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - verdaccio-audit@12.0.0-next-7.15
+  - @verdaccio/middleware@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/server/express/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/server",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.16",
   "description": "server logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -29,25 +29,25 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/api": "workspace:7.0.0-next-7.14",
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/loaders": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.14",
-    "@verdaccio/store": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
-    "@verdaccio/web": "workspace:7.0.0-next-7.14",
-    "verdaccio-audit": "workspace:12.0.0-next-7.14",
+    "@verdaccio/api": "workspace:7.0.0-next-7.16",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.16",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/loaders": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.16",
+    "@verdaccio/store": "workspace:7.0.0-next-7.16",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.16",
+    "@verdaccio/web": "workspace:7.0.0-next-7.16",
+    "verdaccio-audit": "workspace:12.0.0-next-7.16",
     "compression": "1.7.4",
     "cors": "2.8.5",
     "debug": "4.3.4",
-    "express": "4.18.3",
+    "express": "4.19.2",
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/proxy": "workspace:7.0.0-next-7.14",
+    "@verdaccio/proxy": "workspace:7.0.0-next-7.16",
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
     "http-errors": "2.0.0"
   },

packages/server/fastify/CHANGELOG.md

@@ -1,5 +1,33 @@
 # @verdaccio/server-fastify
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- Updated dependencies [e5624e1]
+- Updated dependencies [5bfab62]
+  - @verdaccio/store@7.0.0-next-7.16
+  - @verdaccio/tarball@12.0.0-next-7.16
+  - @verdaccio/logger@7.0.0-next-7.16
+  - @verdaccio/auth@7.0.0-next-7.16
+  - @verdaccio/core@7.0.0-next-7.16
+  - @verdaccio/config@7.0.0-next-7.16
+  - @verdaccio/utils@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [7400830]
+- Updated dependencies [bd8703e]
+  - @verdaccio/tarball@12.0.0-next-7.15
+  - @verdaccio/store@7.0.0-next-7.15
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/auth@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes