chore: update versions (6-next) (#3654)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.changeset/kind-ladybugs-admire.md

@@ -0,0 +1,8 @@
+---
+'@verdaccio/auth': minor
+'@verdaccio/config': minor
+'@verdaccio/signature': minor
+'@verdaccio/ui-components': minor
+---
+
+feat: signature package

.changeset/pre.json

@@ -56,7 +56,9 @@
     "customprefix-auth": "0.0.1",
     "@verdaccio/crowdin-translations": "1.0.0",
     "@verdaccio/logger-7": "6.0.0-6-next.1",
-    "@verdaccio/logger-commons": "6.0.0-6-next.25"
+    "@verdaccio/logger-commons": "6.0.0-6-next.25",
+    "@verdaccio/e2e-cli-pnpm8": "1.0.1-6-next.6",
+    "@verdaccio/signature": "6.0.0-6-next.1"
   },
   "changesets": [
     "afraid-mice-obey",
@@ -101,6 +103,7 @@
     "heavy-ravens-lay",
     "hip-hounds-destroy",
     "kind-bears-nail",
+    "kind-ladybugs-admire",
     "late-adults-love",
     "late-parents-act",
     "light-pumas-brake",
@@ -128,6 +131,7 @@
     "pretty-hounds-tap",
     "proud-jeans-walk",
     "proud-jobs-hope",
+    "rare-planets-travel",
     "red-chefs-float",
     "red-yaks-sell",
     "rich-badgers-begin",

.changeset/rare-planets-travel.md

@@ -0,0 +1,9 @@
+---
+'@verdaccio/config': minor
+'@verdaccio/core': minor
+'@verdaccio/types': minor
+'@verdaccio/signature': minor
+'@verdaccio/test-helper': minor
+---
+
+feat: add forceEnhancedLegacySignature

.github/workflows/e2e-ci.yml

@@ -75,7 +75,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        pkg: [npm6, npm7, npm8, npm9, pnpm6, pnpm7, yarn1, yarn2, yarn3, yarn4]
+        pkg: [npm6, npm7, npm8, npm9, pnpm6, pnpm7, pnpm8, yarn1, yarn2, yarn3, yarn4]
         node: [16, 18, 19]
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest

.github/workflows/static-data.yml

@@ -28,12 +28,6 @@ jobs:
           node-version: 18.x
       - name: install pnpm
         run: sudo npm i pnpm@latest-6 -g
-      - name: set store
-        run: | 
-          mkdir ~/.pnpm-store
-          pnpm config set store-dir ~/.pnpm-store
-      - name: setup pnpm config registry
-        run: pnpm config set registry https://registry.verdaccio.org
       - name: install dependencies
         run: pnpm install
       - name: Build Translations percentage

e2e/cli/README.md

@@ -10,18 +10,18 @@
 
 ### Commands Tested
 
-| cmd       | npm6 | npm7 | npm8 | npm9 | pnpm6 | pnpm7 | yarn1 | yarn2 | yarn3 | yarn4 |
-| --------- | ---- | ---- | ---- | ---- | ----- | ----- | ----- | ----- | ----- | ----- |
-| publish   | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    |
-| info      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    |
-| audit     | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ❌    |
-| install   | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    |
-| deprecate | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
-| ping      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
-| search    | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
-| star      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
-| stars     | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
-| dist-tag  | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ❌    | ❌    | ❌    |
+| cmd       | npm6 | npm7 | npm8 | npm9 | pnpm6 | pnpm7 | pnpm8 | yarn1 | yarn2 | yarn3 | yarn4 |
+| --------- | ---- | ---- | ---- | ---- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
+| publish   | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    |
+| info      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    |
+| audit     | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    | ❌    |
+| install   | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    |
+| deprecate | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
+| ping      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
+| search    | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
+| star      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
+| stars     | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
+| dist-tag  | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ❌    | ❌    | ❌    |
 
 > notes:
 >

e2e/cli/cli-commons/package.json

@@ -5,15 +5,15 @@
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
   "devDependencies": {
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/types": "workspace:11.0.0-6-next.21",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22",
     "debug": "4.3.4",
     "fs-extra": "10.1.0",
-    "got": "11.8.5",
+    "got": "11.8.6",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",
-    "verdaccio": "workspace:6.0.0-6-next.62"
+    "verdaccio": "workspace:6.0.0-6-next.63"
   },
   "scripts": {
     "test": "jest",

e2e/cli/e2e-npm9/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1-6-next.6",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0-6-next.6",
-    "npm": "9.5.0"
+    "npm": "9.5.1"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-pnpm8/.babelrc

@@ -0,0 +1,3 @@
+{
+  "extends": "../../../.babelrc"
+}

e2e/cli/e2e-pnpm8/.eslintrc

@@ -0,0 +1,7 @@
+{
+  "rules": {
+    "no-console": 0,
+    "@typescript-eslint/no-var-requires": 0,
+    "@typescript-eslint/explicit-member-accessibility": 0
+  }
+}

e2e/cli/e2e-pnpm8/CHANGELOG.md

@@ -0,0 +1,46 @@
+# @verdaccio/e2e-cli-pnpm7
+
+## 1.0.1-6-next.6
+
+### Patch Changes
+
+- Updated dependencies [d167f92e]
+  - @verdaccio/test-cli-commons@1.1.0-6-next.6
+
+## 1.0.1-6-next.5
+
+### Patch Changes
+
+- @verdaccio/test-cli-commons@1.0.1-6-next.5
+
+## 1.0.1-6-next.4
+
+### Patch Changes
+
+- @verdaccio/test-cli-commons@1.0.1-6-next.4
+
+## 1.0.1-6-next.3
+
+### Patch Changes
+
+- 351aeeaa: fix(deps): @verdaccio/utils should be a prod dep of local-storage
+- Updated dependencies [351aeeaa]
+  - @verdaccio/test-cli-commons@1.0.1-6-next.3
+
+## 1.0.1-6-next.2
+
+### Patch Changes
+
+- @verdaccio/test-cli-commons@1.0.1-6-next.2
+
+## 1.0.1-6-next.1
+
+### Patch Changes
+
+- @verdaccio/test-cli-commons@1.0.1-6-next.1
+
+## 1.0.1-6-next.0
+
+### Patch Changes
+
+- @verdaccio/test-cli-commons@1.0.1-6-next.0

e2e/cli/e2e-pnpm8/audit.spec.ts

@@ -0,0 +1,45 @@
+import { addRegistry, initialSetup, prepareGenericEmptyProject } from '@verdaccio/test-cli-commons';
+
+import { pnpm } from './utils';
+
+describe('install a package', () => {
+  jest.setTimeout(10000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test.each([['verdaccio-memory', '@verdaccio/cli']])(
+    'should audit a package %s',
+    async (pkgName) => {
+      const { tempFolder } = await prepareGenericEmptyProject(
+        pkgName,
+        '1.0.0-patch',
+        registry.port,
+        registry.getToken(),
+        registry.getRegistryUrl(),
+        { jquery: '3.6.1' }
+      );
+      // install is required to create package lock file
+      await pnpm({ cwd: tempFolder }, 'install', ...addRegistry(registry.getRegistryUrl()));
+      const resp = await pnpm(
+        { cwd: tempFolder },
+        'audit',
+        '--json',
+        ...addRegistry(registry.getRegistryUrl())
+      );
+      const parsedBody = JSON.parse(resp.stdout as string);
+      expect(parsedBody.metadata).toBeDefined();
+      expect(parsedBody.actions).toBeDefined();
+      expect(parsedBody.advisories).toBeDefined();
+      expect(parsedBody.muted).toBeDefined();
+    }
+  );
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-pnpm8/deprecate.spec.ts

@@ -0,0 +1,115 @@
+import {
+  addRegistry,
+  initialSetup,
+  pnpmUtils,
+  prepareGenericEmptyProject,
+} from '@verdaccio/test-cli-commons';
+
+import { pnpm } from './utils';
+
+describe('deprecate a package', () => {
+  jest.setTimeout(20000);
+  let registry;
+
+  async function deprecate(tempFolder, packageVersion, registry, message) {
+    await pnpm(
+      { cwd: tempFolder },
+      'deprecate',
+      packageVersion,
+      message,
+      '--json',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+  }
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test.each([['@verdaccio/deprecated-1']])(
+    'should deprecate a single package %s',
+    async (pkgName) => {
+      const message = 'some message';
+      const { tempFolder } = await prepareGenericEmptyProject(
+        pkgName,
+        '1.0.0',
+        registry.port,
+        registry.getToken(),
+        registry.getRegistryUrl()
+      );
+      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+      // deprecate one version
+      await deprecate(tempFolder, `${pkgName}@1.0.0`, registry, message);
+      // verify is deprecated
+      const infoBody = await pnpmUtils.getInfoVersions(pnpm, `${pkgName}`, registry);
+      expect(infoBody.name).toEqual(pkgName);
+      expect(infoBody.deprecated).toEqual(message);
+    }
+  );
+
+  test.each([['@verdaccio/deprecated-2']])('should un-deprecate a package %s', async (pkgName) => {
+    const message = 'some message';
+    const { tempFolder } = await prepareGenericEmptyProject(
+      pkgName,
+      '1.0.0',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl()
+    );
+    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+    // deprecate one version
+    await deprecate(tempFolder, `${pkgName}@1.0.0`, registry, message);
+    // verify is deprecated
+    const infoBody = await pnpmUtils.getInfoVersions(pnpm, `${pkgName}`, registry);
+    expect(infoBody.deprecated).toEqual(message);
+    // empty string is same as undeprecate
+    await deprecate(tempFolder, `${pkgName}@1.0.0`, registry, '');
+    const infoBody2 = await pnpmUtils.getInfoVersions(pnpm, `${pkgName}`, registry);
+    expect(infoBody2.deprecated).toBeUndefined();
+  });
+
+  test.each([['@verdaccio/deprecated-3']])(
+    'should deprecate a multiple packages %s',
+    async (pkgName) => {
+      const message = 'some message';
+      const { tempFolder } = await prepareGenericEmptyProject(
+        pkgName,
+        '1.0.0',
+        registry.port,
+        registry.getToken(),
+        registry.getRegistryUrl()
+      );
+      // publish 1.0.0
+      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+      // publish 1.1.0
+      await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
+      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+      // publish 1.2.0
+      await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
+      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+      // publish 1.3.0
+      await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
+      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+      // // deprecate all version
+      await deprecate(tempFolder, pkgName, registry, message);
+      // verify is deprecated
+      for (let v of ['1.0.0', '1.1.0', '1.2.0', '1.3.0']) {
+        const infoResp = await pnpmUtils.getInfoVersions(pnpm, `${pkgName}@${v}`, registry);
+        expect(infoResp.deprecated).toEqual(message);
+      }
+      // publish normal version
+      // publish 1.4.0
+      await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
+      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+      const infoResp = await pnpmUtils.getInfoVersions(pnpm, `${pkgName}@1.4.0`, registry);
+      // must be not deprecated
+      expect(infoResp.deprecated).toBeUndefined();
+    }
+  );
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-pnpm8/dist-tags.spec.ts

@@ -0,0 +1,91 @@
+import {
+  addRegistry,
+  initialSetup,
+  pnpmUtils,
+  prepareGenericEmptyProject,
+} from '@verdaccio/test-cli-commons';
+
+import { pnpm } from './utils';
+
+describe('publish a package', () => {
+  jest.setTimeout(20000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test.each([['@foo/foo', 'foo']])('should list dist-tags for %s', async (pkgName) => {
+    const { tempFolder } = await prepareGenericEmptyProject(
+      pkgName,
+      '1.0.0',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl()
+    );
+    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+    await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
+    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry, ['--tag', 'beta']);
+    const resp2 = await pnpm(
+      { cwd: tempFolder },
+      'dist-tag',
+      'ls',
+      '--json',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    expect(resp2.stdout).toEqual('beta: 1.1.0latest: 1.0.0');
+  });
+
+  test.each([['@verdaccio/bar']])('should remove tag with dist-tags for %s', async (pkgName) => {
+    const { tempFolder } = await prepareGenericEmptyProject(
+      pkgName,
+      '1.0.0',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl()
+    );
+    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+    await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
+    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry, ['--tag', 'beta']);
+    const resp2 = await pnpm(
+      { cwd: tempFolder },
+      'dist-tag',
+      'rm',
+      `${pkgName}@1.1.0`,
+      'beta',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    expect(resp2.stdout).toEqual('-beta: @verdaccio/bar@1.1.0');
+  });
+
+  test.each([['@verdaccio/five']])(
+    'should add tag to package and version with dist-tags for %s',
+    async (pkgName) => {
+      const { tempFolder } = await prepareGenericEmptyProject(
+        pkgName,
+        '1.0.0',
+        registry.port,
+        registry.getToken(),
+        registry.getRegistryUrl()
+      );
+      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+      await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
+      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+      const resp2 = await pnpm(
+        { cwd: tempFolder },
+        'dist-tag',
+        'add',
+        `${pkgName}@1.1.0`,
+        'alfa',
+        ...addRegistry(registry.getRegistryUrl())
+      );
+      expect(resp2.stdout).toEqual(`+alfa: ${pkgName}@1.1.0`);
+    }
+  );
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-pnpm8/info.spec.ts

@@ -0,0 +1,31 @@
+import { addRegistry, initialSetup } from '@verdaccio/test-cli-commons';
+
+import { pnpm } from './utils';
+
+describe('install a package', () => {
+  jest.setTimeout(10000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test('should run pnpm info json body', async () => {
+    const resp = await pnpm(
+      {},
+      'info',
+      'verdaccio',
+      '--json',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    const parsedBody = JSON.parse(resp.stdout as string);
+    expect(parsedBody.name).toEqual('verdaccio');
+    expect(parsedBody.dependencies).toBeDefined();
+  });
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-pnpm8/install.spec.ts

@@ -0,0 +1,36 @@
+import { addRegistry, initialSetup, prepareGenericEmptyProject } from '@verdaccio/test-cli-commons';
+
+import { pnpm } from './utils';
+
+describe('install a project packages', () => {
+  jest.setTimeout(80000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test('should run npm install json body', async () => {
+    const { tempFolder } = await prepareGenericEmptyProject(
+      'something',
+      '1.0.0-patch',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl(),
+      { react: '18.2.0' }
+    );
+    const resp = await pnpm(
+      { cwd: tempFolder },
+      'install',
+      '--reporter=default',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    expect(resp.stdout).toMatch(/react/);
+  });
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-pnpm8/jest.config.js

@@ -0,0 +1,3 @@
+const config = require('../jest.config');
+
+module.exports = { ...config };

e2e/cli/e2e-pnpm8/package.json

@@ -0,0 +1,12 @@
+{
+  "private": true,
+  "name": "@verdaccio/e2e-cli-pnpm8",
+  "version": "1.0.1-6-next.6",
+  "dependencies": {
+    "@verdaccio/test-cli-commons": "workspace:1.1.0-6-next.6",
+    "pnpm": "^8.0.0-alpha.0"
+  },
+  "scripts": {
+    "test": "jest"
+  }
+}

e2e/cli/e2e-pnpm8/ping.spec.ts

@@ -0,0 +1,24 @@
+import { addRegistry, initialSetup } from '@verdaccio/test-cli-commons';
+
+import { pnpm } from './utils';
+
+describe('ping registry', () => {
+  jest.setTimeout(10000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test('should ping registry', async () => {
+    const resp = await pnpm({}, 'ping', '--json', ...addRegistry(registry.getRegistryUrl()));
+    const parsedBody = JSON.parse(resp.stdout as string);
+    expect(parsedBody.registry).toEqual(registry.getRegistryUrl() + '/');
+  });
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-pnpm8/publish.spec.ts

@@ -0,0 +1,41 @@
+import { addRegistry, initialSetup, prepareGenericEmptyProject } from '@verdaccio/test-cli-commons';
+
+import { pnpm } from './utils';
+
+describe('install a package', () => {
+  jest.setTimeout(10000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test.each([['verdaccio-memory', 'verdaccio', '@verdaccio/foo', '@verdaccio/some-foo']])(
+    'should publish a package %s',
+    async (pkgName) => {
+      const { tempFolder } = await prepareGenericEmptyProject(
+        pkgName,
+        '1.0.0-patch',
+        registry.port,
+        registry.getToken(),
+        registry.getRegistryUrl()
+      );
+      const resp = await pnpm(
+        { cwd: tempFolder },
+        'publish',
+        '--json',
+        ...addRegistry(registry.getRegistryUrl())
+      );
+      const parsedBody = JSON.parse(resp.stdout as string);
+      expect(parsedBody.name).toEqual(pkgName);
+      expect(parsedBody.files).toBeDefined();
+      expect(parsedBody.files).toBeDefined();
+    }
+  );
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-pnpm8/search.spec.ts

@@ -0,0 +1,33 @@
+import { addRegistry, initialSetup } from '@verdaccio/test-cli-commons';
+
+import { pnpm } from './utils';
+
+describe('search a package', () => {
+  jest.setTimeout(10000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test('should search a package', async () => {
+    const resp = await pnpm(
+      {},
+      'search',
+      '@verdaccio/cli',
+      '--json',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    const parsedBody = JSON.parse(resp.stdout as string);
+    const pkgFind = parsedBody.find((item) => {
+      return item.name === '@verdaccio/cli';
+    });
+    expect(pkgFind.name).toEqual('@verdaccio/cli');
+  });
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-pnpm8/star.spec.ts

@@ -0,0 +1,89 @@
+import {
+  addRegistry,
+  initialSetup,
+  pnpmUtils,
+  prepareGenericEmptyProject,
+} from '@verdaccio/test-cli-commons';
+
+import { pnpm } from './utils';
+
+describe('star a package', () => {
+  jest.setTimeout(20000);
+  let registry;
+
+  beforeAll(async () => {
+    const setup = await initialSetup();
+    registry = setup.registry;
+    await registry.init();
+  });
+
+  test.each([['@verdaccio/foo']])('should star a package %s', async (pkgName) => {
+    const { tempFolder } = await prepareGenericEmptyProject(
+      pkgName,
+      '1.0.0-patch',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl()
+    );
+
+    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+    const resp = await pnpm(
+      { cwd: tempFolder },
+      'star',
+      pkgName,
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    expect(resp.stdout).toEqual(`★  ${pkgName}`);
+  });
+
+  test.each([['@verdaccio/bar']])('should unstar a package %s', async (pkgName) => {
+    const { tempFolder } = await prepareGenericEmptyProject(
+      pkgName,
+      '1.0.0-patch',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl()
+    );
+
+    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+    const resp = await pnpm(
+      { cwd: tempFolder },
+      'star',
+      pkgName,
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    expect(resp.stdout).toEqual(`★  ${pkgName}`);
+
+    const resp1 = await pnpm(
+      { cwd: tempFolder },
+      'unstar',
+      pkgName,
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    expect(resp1.stdout).toEqual(`☆  ${pkgName}`);
+  });
+
+  test('should list stars of a user %s', async () => {
+    const pkgName = '@verdaccio/stars';
+    const { tempFolder } = await prepareGenericEmptyProject(
+      pkgName,
+      '1.0.0-patch',
+      registry.port,
+      registry.getToken(),
+      registry.getRegistryUrl()
+    );
+    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
+    await pnpm({ cwd: tempFolder }, 'star', pkgName, ...addRegistry(registry.getRegistryUrl()));
+    const resp = await pnpm(
+      { cwd: tempFolder },
+      'stars',
+      ...addRegistry(registry.getRegistryUrl())
+    );
+    // side effects: this result is affected the the package published in the previous step
+    expect(resp.stdout).toEqual(`@verdaccio/foo@verdaccio/stars`);
+  });
+
+  afterAll(async () => {
+    registry.stop();
+  });
+});

e2e/cli/e2e-pnpm8/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "../../../tsconfig.reference.json",
+  "references": [
+    {
+      "path": "../cli-commons"
+    }
+  ]
+}

e2e/cli/e2e-pnpm8/utils.ts

@@ -0,0 +1,12 @@
+import { SpawnOptions } from 'child_process';
+import { join } from 'path';
+
+import { exec } from '@verdaccio/test-cli-commons';
+
+function getCommand() {
+  return join(__dirname, './node_modules/.bin/pnpm');
+}
+
+export function pnpm(options: SpawnOptions, ...args: string[]) {
+  return exec(options, getCommand(), args);
+}

e2e/ui/package.json

@@ -3,10 +3,10 @@
   "name": "@verdaccio/e2e-ui",
   "version": "2.0.0-6-next.3",
   "devDependencies": {
-    "verdaccio": "workspace:6.0.0-6-next.62",
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/test-helper": "workspace:2.0.0-6-next.7",
+    "verdaccio": "workspace:6.0.0-6-next.63",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/test-helper": "workspace:2.0.0-6-next.8",
     "debug": "4.3.4",
     "cypress": "11.2.0"
   },

package.json

@@ -88,7 +88,7 @@
     "detect-secrets": "1.0.6",
     "eslint": "8.34.0",
     "fs-extra": "10.1.0",
-    "got": "11.8.5",
+    "got": "11.8.6",
     "husky": "7.0.4",
     "in-publish": "2.0.1",
     "jest": "29.4.3",

packages/api/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @verdaccio/api
 
+## 6.0.0-6-next.46
+
+### Patch Changes
+
+- Updated dependencies [ddb6a223]
+- Updated dependencies [dc571aab]
+  - @verdaccio/auth@6.0.0-6-next.42
+  - @verdaccio/config@6.0.0-6-next.63
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/middleware@6.0.0-6-next.42
+  - @verdaccio/store@6.0.0-6-next.43
+  - @verdaccio/utils@6.0.0-6-next.31
+  - @verdaccio/logger@6.0.0-6-next.31
+
 ## 6.0.0-6-next.45
 
 ### Patch Changes

packages/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/api",
-  "version": "6.0.0-6-next.45",
+  "version": "6.0.0-6-next.46",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -39,13 +39,13 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/auth": "workspace:6.0.0-6-next.41",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
-    "@verdaccio/middleware": "workspace:6.0.0-6-next.41",
-    "@verdaccio/store": "workspace:6.0.0-6-next.42",
-    "@verdaccio/utils": "workspace:6.0.0-6-next.30",
+    "@verdaccio/auth": "workspace:6.0.0-6-next.42",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
+    "@verdaccio/middleware": "workspace:6.0.0-6-next.42",
+    "@verdaccio/store": "workspace:6.0.0-6-next.43",
+    "@verdaccio/utils": "workspace:6.0.0-6-next.31",
     "abortcontroller-polyfill": "1.7.5",
     "cookies": "0.8.0",
     "debug": "4.3.4",
@@ -57,9 +57,9 @@
   },
   "devDependencies": {
     "@types/node": "16.18.10",
-    "@verdaccio/server": "workspace:6.0.0-6-next.51",
-    "@verdaccio/types": "workspace:11.0.0-6-next.21",
-    "@verdaccio/test-helper": "workspace:2.0.0-6-next.7",
+    "@verdaccio/server": "workspace:6.0.0-6-next.52",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22",
+    "@verdaccio/test-helper": "workspace:2.0.0-6-next.8",
     "supertest": "6.3.3",
     "nock": "13.2.9",
     "mockdate": "3.0.5"

packages/auth/CHANGELOG.md

@@ -1,5 +1,23 @@
 # @verdaccio/auth
 
+## 6.0.0-6-next.42
+
+### Minor Changes
+
+- ddb6a223: feat: signature package
+
+### Patch Changes
+
+- Updated dependencies [ddb6a223]
+- Updated dependencies [dc571aab]
+  - @verdaccio/config@6.0.0-6-next.63
+  - @verdaccio/signature@6.0.0-6-next.2
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/loaders@6.0.0-6-next.32
+  - verdaccio-htpasswd@11.0.0-6-next.33
+  - @verdaccio/utils@6.0.0-6-next.31
+  - @verdaccio/logger@6.0.0-6-next.31
+
 ## 6.0.0-6-next.41
 
 ### Patch Changes

packages/auth/jest.config.js

@@ -4,7 +4,7 @@ module.exports = Object.assign({}, config, {
   coverageThreshold: {
     global: {
       // FIXME: increase to 90
-      lines: 42,
+      lines: 30,
     },
   },
 });

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/auth",
-  "version": "6.0.0-6-next.41",
+  "version": "6.0.0-6-next.42",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -39,19 +39,19 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/loaders": "workspace:6.0.0-6-next.31",
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
-    "@verdaccio/utils": "workspace:6.0.0-6-next.30",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/loaders": "workspace:6.0.0-6-next.32",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
+    "@verdaccio/signature": "workspace:6.0.0-6-next.2",
+    "@verdaccio/utils": "workspace:6.0.0-6-next.31",
     "debug": "4.3.4",
     "express": "4.18.2",
-    "jsonwebtoken": "9.0.0",
     "lodash": "4.17.21",
-    "verdaccio-htpasswd": "workspace:11.0.0-6-next.32"
+    "verdaccio-htpasswd": "workspace:11.0.0-6-next.33"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:11.0.0-6-next.21"
+    "@verdaccio/types": "workspace:11.0.0-6-next.22"
   },
   "funding": {
     "type": "opencollective",

packages/auth/src/auth.ts

@@ -15,6 +15,7 @@ import {
 } from '@verdaccio/core';
 import { asyncLoadPlugin } from '@verdaccio/loaders';
 import { logger } from '@verdaccio/logger';
+import { aesEncrypt, parseBasicPayload, signPayload } from '@verdaccio/signature';
 import {
   AllowAccess,
   Callback,
@@ -27,9 +28,6 @@ import {
 } from '@verdaccio/types';
 import { getMatchedPackagesSpec, isFunction, isNil } from '@verdaccio/utils';
 
-import { signPayload } from './jwt-token';
-import { aesEncrypt } from './legacy-token';
-import { parseBasicPayload } from './token';
 import {
   convertPayloadToBase64,
   getDefaultPlugins,
@@ -47,6 +45,7 @@ export interface TokenEncryption {
   aesEncrypt(buf: string): string | void;
 }
 
+// remove
 export interface AESPayload {
   user: string;
   password: string;

packages/auth/src/index.ts

@@ -1,5 +1,2 @@
-export { Auth, TokenEncryption } from './auth';
+export { Auth } from './auth';
 export * from './utils';
-export * from './legacy-token';
-export * from './jwt-token';
-export * from './token';

packages/auth/src/utils.ts

@@ -11,12 +11,10 @@ import {
   errorUtils,
   pluginUtils,
 } from '@verdaccio/core';
+import { aesDecrypt, parseBasicPayload, verifyPayload } from '@verdaccio/signature';
 import { AuthPackageAllow, Config, Logger, RemoteUser, Security } from '@verdaccio/types';
 
 import { AESPayload, TokenEncryption } from './auth';
-import { verifyPayload } from './jwt-token';
-import { aesDecrypt } from './legacy-token';
-import { parseBasicPayload } from './token';
 
 const debug = buildDebug('verdaccio:auth:utils');
 

packages/auth/test/auth-utils.spec.ts

@@ -17,24 +17,22 @@ import {
   errorUtils,
 } from '@verdaccio/core';
 import { setup } from '@verdaccio/logger';
+import { aesDecrypt, signPayload, verifyPayload } from '@verdaccio/signature';
 import { Config, RemoteUser, Security } from '@verdaccio/types';
 import { buildToken, buildUserBuffer, getAuthenticatedMessage } from '@verdaccio/utils';
-import type { AllowActionCallbackResponse } from '@verdaccio/utils';
 
 import {
   ActionsAllowed,
+  AllowActionCallbackResponse,
   Auth,
-  aesDecrypt,
   allow_action,
   getApiToken,
   getDefaultPlugins,
   getMiddlewareCredentials,
-  signPayload,
   verifyJWTPayload,
-  verifyPayload,
 } from '../src';
 
-setup([]);
+setup({});
 
 const parseConfigurationFile = (conf) => {
   const { name, ext } = path.parse(conf);
@@ -452,6 +450,7 @@ describe('Auth utilities', () => {
         const config: Config = getConfig('security-legacy', secret);
         const auth: Auth = new Auth(config);
         await auth.init();
+        // @ts-expect-error
         const token = auth.aesEncrypt(null);
         const security: Security = config.security;
         const credentials = getMiddlewareCredentials(

packages/auth/tsconfig.json

@@ -19,6 +19,9 @@
     {
       "path": "../loaders"
     },
+    {
+      "path": "../signature"
+    },
     {
       "path": "../logger/logger"
     },

packages/cli/CHANGELOG.md

@@ -1,5 +1,16 @@
 # @verdaccio/cli
 
+## 6.0.0-6-next.63
+
+### Patch Changes
+
+- Updated dependencies [ddb6a223]
+- Updated dependencies [dc571aab]
+  - @verdaccio/config@6.0.0-6-next.63
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/node-api@6.0.0-6-next.63
+  - @verdaccio/logger@6.0.0-6-next.31
+
 ## 6.0.0-6-next.62
 
 ### Patch Changes

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/cli",
-  "version": "6.0.0-6-next.62",
+  "version": "6.0.0-6-next.63",
   "author": {
     "name": "Juan Picado",
     "email": "juanpicado19@gmail.com"
@@ -44,10 +44,10 @@
     "start": "ts-node src/index.ts"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
-    "@verdaccio/node-api": "workspace:6.0.0-6-next.62",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
+    "@verdaccio/node-api": "workspace:6.0.0-6-next.63",
     "clipanion": "3.2.0",
     "envinfo": "7.8.1",
     "kleur": "3.0.3",

packages/config/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @verdaccio/config
 
+## 6.0.0-6-next.63
+
+### Minor Changes
+
+- ddb6a223: feat: signature package
+- dc571aab: feat: add forceEnhancedLegacySignature
+
+### Patch Changes
+
+- Updated dependencies [dc571aab]
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/utils@6.0.0-6-next.31
+
 ## 6.0.0-6-next.62
 
 ### Patch Changes

packages/config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/config",
-  "version": "6.0.0-6-next.62",
+  "version": "6.0.0-6-next.63",
   "description": "logger",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,8 +38,8 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/utils": "workspace:6.0.0-6-next.30",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/utils": "workspace:6.0.0-6-next.31",
     "debug": "4.3.4",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",

packages/config/src/config-path.ts

@@ -28,7 +28,6 @@ const debug = buildDebug('verdaccio:config');
  * @return {String} the config file path
  */
 function findConfigFile(configPath?: string): string {
-  // console.log(process.env);
   if (typeof configPath !== 'undefined') {
     return path.resolve(configPath);
   }

packages/config/src/config.ts

@@ -2,7 +2,8 @@ import assert from 'assert';
 import buildDebug from 'debug';
 import _ from 'lodash';
 
-import { APP_ERROR } from '@verdaccio/core';
+import { APP_ERROR, warningUtils } from '@verdaccio/core';
+import { Codes } from '@verdaccio/core/build/warning-utils';
 import {
   Config as AppConfig,
   AuthConf,
@@ -45,9 +46,11 @@ class Config implements AppConfig {
   public users: any;
   public auth: AuthConf;
   public server_id: string;
-  // @deprecated use configPath instead
-  public config_path: string;
   public configPath: string;
+  /**
+   * @deprecated use configPath or config.getConfigPath();
+   */
+  public self_path: string;
   public storage: string | void;
 
   public plugins: string | void | null;
@@ -57,14 +60,24 @@ class Config implements AppConfig {
   public secret: string;
   public flags: FlagsConfig;
   public userRateLimit: RateLimit;
-  public constructor(config: ConfigYaml & { config_path: string }) {
+  private configOptions: { forceEnhancedLegacySignature: boolean };
+  public constructor(
+    config: ConfigYaml & { config_path: string },
+    configOptions = { forceEnhancedLegacySignature: true }
+  ) {
     const self = this;
+    this.configOptions = configOptions;
     this.storage = process.env.VERDACCIO_STORAGE_PATH || config.storage;
     if (!config.configPath) {
-      throw new Error('config_path is required');
+      // backport self_path for previous to version 6
+      // @ts-expect-error
+      config.configPath = config.config_path ?? config.self_path;
+      if (!config.configPath) {
+        throw new Error('configPath property is required');
+      }
     }
-    this.config_path = config.config_path ?? (config.configPath as string);
     this.configPath = config.configPath;
+    this.self_path = this.configPath;
     debug('config path: %s', this.configPath);
     this.plugins = config.plugins;
     this.security = _.merge(defaultSecurity, config.security);
@@ -117,6 +130,10 @@ class Config implements AppConfig {
     }
   }
 
+  public getConfigPath() {
+    return this.configPath;
+  }
+
   /**
    * Check for package spec
    */
@@ -127,18 +144,35 @@ class Config implements AppConfig {
 
   /**
    * Store or create whether receive a secret key
+   * @secret external secret key
    */
   public checkSecretKey(secret?: string): string {
     debug('check secret key');
-    if (_.isString(secret) && _.isEmpty(secret) === false) {
+    if (typeof secret === 'string' && _.isEmpty(secret) === false) {
       this.secret = secret;
       debug('reusing previous key');
       return secret;
     }
-    // it generates a secret key
+    // generate a new a secret key
     // FUTURE: this might be an external secret key, perhaps within config file?
     debug('generate a new key');
-    this.secret = generateRandomSecretKey();
+    //
+    if (this.configOptions.forceEnhancedLegacySignature) {
+      this.secret = generateRandomSecretKey();
+    } else {
+      this.secret =
+        this.security.enhancedLegacySignature === true
+          ? generateRandomSecretKey()
+          : generateRandomHexString(32);
+      // set this to false allow use old token signature and is not recommended
+      // only use for migration reasons, major release will remove this property and
+      // set it by default
+      if (this.security.enhancedLegacySignature === false) {
+        warningUtils.emit(Codes.VERWAR005);
+      }
+    }
+
+    debug('generated a new secret key %s', this.secret?.length);
     return this.secret;
   }
 }

packages/config/tsconfig.json

@@ -9,6 +9,9 @@
   "references": [
     {
       "path": "../utils"
+    },
+    {
+      "path": "../core/core"
     }
   ]
 }

packages/core/core/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @verdaccio/core
 
+## 6.0.0-6-next.63
+
+### Minor Changes
+
+- dc571aab: feat: add forceEnhancedLegacySignature
+
 ## 6.0.0-6-next.62
 
 ### Patch Changes

packages/core/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/core",
-  "version": "6.0.0-6-next.62",
+  "version": "6.0.0-6-next.63",
   "description": "core utilities",
   "keywords": [
     "private",
@@ -44,7 +44,7 @@
     "lodash": "4.17.21",
     "typedoc": "0.23.25",
     "typedoc-plugin-missing-exports": "latest",
-    "@verdaccio/types": "workspace:11.0.0-6-next.21"
+    "@verdaccio/types": "workspace:11.0.0-6-next.22"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/core/src/warning-utils.ts

@@ -9,6 +9,7 @@ export enum Codes {
   VERWAR002 = 'VERWAR002',
   VERWAR003 = 'VERWAR003',
   VERWAR004 = 'VERWAR004',
+  VERWAR005 = 'VERWAR005',
   // deprecation warnings
   VERDEP003 = 'VERDEP003',
 }
@@ -39,6 +40,12 @@ host:port (e.g. "localhost:4873") or full url '(e.g. "http://localhost:4873/")
 https://verdaccio.org/docs/en/configuration#listen-port`
 );
 
+warningInstance.create(
+  verdaccioWarning,
+  Codes.VERWAR005,
+  'disable enhanced legacy signature is considered a security risk, please reconsider enable it'
+);
+
 warningInstance.create(
   verdaccioDeprecation,
   Codes.VERDEP003,

packages/core/file-locking/package.json

@@ -39,7 +39,7 @@
     "lockfile": "1.0.4"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:11.0.0-6-next.21"
+    "@verdaccio/types": "workspace:11.0.0-6-next.22"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/tarball/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Change Log
 
+## 11.0.0-6-next.32
+
+### Patch Changes
+
+- Updated dependencies [dc571aab]
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/url@11.0.0-6-next.29
+  - @verdaccio/utils@6.0.0-6-next.31
+
 ## 11.0.0-6-next.31
 
 ### Patch Changes

packages/core/tarball/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/tarball",
-  "version": "11.0.0-6-next.31",
+  "version": "11.0.0-6-next.32",
   "description": "tarball utilities resolver",
   "keywords": [
     "private",
@@ -34,13 +34,13 @@
   },
   "dependencies": {
     "debug": "4.3.4",
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/url": "workspace:11.0.0-6-next.28",
-    "@verdaccio/utils": "workspace:6.0.0-6-next.30",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/url": "workspace:11.0.0-6-next.29",
+    "@verdaccio/utils": "workspace:6.0.0-6-next.31",
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:11.0.0-6-next.21",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22",
     "node-mocks-http": "1.12.1"
   },
   "scripts": {

packages/core/types/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log
 
+## 11.0.0-6-next.22
+
+### Minor Changes
+
+- dc571aab: feat: add forceEnhancedLegacySignature
+
 ## 11.0.0-6-next.21
 
 ### Patch Changes

packages/core/types/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/types",
-  "version": "11.0.0-6-next.21",
+  "version": "11.0.0-6-next.22",
   "description": "verdaccio types definitions",
   "keywords": [
     "private",

packages/core/types/src/configuration.ts

@@ -185,6 +185,7 @@ export interface APITokenOptions {
 }
 
 export interface Security {
+  enhancedLegacySignature?: boolean;
   web: JWTOptions;
   api: APITokenOptions;
 }
@@ -266,8 +267,6 @@ export interface ConfigYaml {
   flags?: FlagsConfig;
   userRateLimit?: RateLimit;
   // internal objects, added by internal yaml to JS config parser
-  // @deprecated use configPath instead
-  config_path?: string;
   // save the configuration file path
   configPath?: string;
 }
@@ -282,6 +281,8 @@ export interface Config extends Omit<ConfigYaml, 'packages' | 'security' | 'conf
   secret: string;
   // save the configuration file path, it's fails without thi configPath
   configPath: string;
+  // @deprecated use configPath
+  self_path?: string;
   // packages from yaml file looks different from packages inside the config file
   packages: PackageList;
   // security object defaults is added by the config file but optional in the yaml file

packages/core/url/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Change Log
 
+## 11.0.0-6-next.29
+
+### Patch Changes
+
+- Updated dependencies [dc571aab]
+  - @verdaccio/core@6.0.0-6-next.63
+
 ## 11.0.0-6-next.28
 
 ### Patch Changes

packages/core/url/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/url",
-  "version": "11.0.0-6-next.28",
+  "version": "11.0.0-6-next.29",
   "description": "url utilities resolver",
   "keywords": [
     "private",
@@ -33,13 +33,13 @@
     "access": "public"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
     "debug": "4.3.4",
     "lodash": "4.17.21",
     "validator": "13.9.0"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:11.0.0-6-next.21",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22",
     "node-mocks-http": "1.12.1"
   },
   "scripts": {

packages/hooks/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @verdaccio/hooks
 
+## 6.0.0-6-next.33
+
+### Patch Changes
+
+- Updated dependencies [dc571aab]
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/logger@6.0.0-6-next.31
+
 ## 6.0.0-6-next.32
 
 ### Patch Changes

packages/hooks/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/hooks",
-  "version": "6.0.0-6-next.32",
+  "version": "6.0.0-6-next.33",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -29,8 +29,8 @@
     "node": ">=16"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
     "core-js": "3.28.0",
     "debug": "4.3.4",
     "handlebars": "4.7.7",
@@ -38,9 +38,9 @@
   },
   "devDependencies": {
     "@types/node": "16.18.10",
-    "@verdaccio/auth": "workspace:6.0.0-6-next.41",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/types": "workspace:11.0.0-6-next.21"
+    "@verdaccio/auth": "workspace:6.0.0-6-next.42",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/loaders/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @verdaccio/loaders
 
+## 6.0.0-6-next.32
+
+### Patch Changes
+
+- @verdaccio/logger@6.0.0-6-next.31
+
 ## 6.0.0-6-next.31
 
 ### Patch Changes

packages/loaders/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/loaders",
-  "version": "6.0.0-6-next.31",
+  "version": "6.0.0-6-next.32",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -13,14 +13,14 @@
     "url": "https://github.com/verdaccio/verdaccio"
   },
   "dependencies": {
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
     "debug": "4.3.4",
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/types": "workspace:11.0.0-6-next.21",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22",
     "@verdaccio-scope/verdaccio-auth-foo": "0.0.2",
     "verdaccio-auth-memory": "workspace:*",
     "customprefix-auth": "1.0.0-6-next.0"

packages/logger/logger-7/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @verdaccio/logger-7
 
+## 6.0.0-6-next.8
+
+### Patch Changes
+
+- @verdaccio/logger-commons@6.0.0-6-next.31
+
 ## 6.0.0-6-next.7
 
 ### Patch Changes

packages/logger/logger-7/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger-7",
-  "version": "6.0.0-6-next.7",
+  "version": "6.0.0-6-next.8",
   "description": "logger for verdaccio 5.x version",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,11 +38,11 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/logger-commons": "workspace:6.0.0-6-next.30",
+    "@verdaccio/logger-commons": "workspace:6.0.0-6-next.31",
     "pino": "7.11.0"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:11.0.0-6-next.21"
+    "@verdaccio/types": "workspace:11.0.0-6-next.22"
   },
   "funding": {
     "type": "opencollective",

packages/logger/logger-commons/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @verdaccio/logger-commons
 
+## 6.0.0-6-next.31
+
+### Patch Changes
+
+- Updated dependencies [dc571aab]
+  - @verdaccio/core@6.0.0-6-next.63
+
 ## 6.0.0-6-next.30
 
 ### Patch Changes

packages/logger/logger-commons/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger-commons",
-  "version": "6.0.0-6-next.30",
+  "version": "6.0.0-6-next.31",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,14 +38,14 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
     "@verdaccio/logger-prettify": "workspace:6.0.0-6-next.9",
     "debug": "4.3.4",
     "colorette": "2.0.19"
   },
   "devDependencies": {
     "pino": "8.10.0",
-    "@verdaccio/types": "workspace:11.0.0-6-next.21"
+    "@verdaccio/types": "workspace:11.0.0-6-next.22"
   },
   "funding": {
     "type": "opencollective",

packages/logger/logger/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @verdaccio/logger
 
+## 6.0.0-6-next.31
+
+### Patch Changes
+
+- @verdaccio/logger-commons@6.0.0-6-next.31
+
 ## 6.0.0-6-next.30
 
 ### Patch Changes

packages/logger/logger/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger",
-  "version": "6.0.0-6-next.30",
+  "version": "6.0.0-6-next.31",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,11 +38,11 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/logger-commons": "workspace:6.0.0-6-next.30",
+    "@verdaccio/logger-commons": "workspace:6.0.0-6-next.31",
     "pino": "8.10.0"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:11.0.0-6-next.21"
+    "@verdaccio/types": "workspace:11.0.0-6-next.22"
   },
   "funding": {
     "type": "opencollective",

packages/middleware/CHANGELOG.md

@@ -1,5 +1,16 @@
 # @verdaccio/middleware
 
+## 6.0.0-6-next.42
+
+### Patch Changes
+
+- Updated dependencies [ddb6a223]
+- Updated dependencies [dc571aab]
+  - @verdaccio/config@6.0.0-6-next.63
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/url@11.0.0-6-next.29
+  - @verdaccio/utils@6.0.0-6-next.31
+
 ## 6.0.0-6-next.41
 
 ### Patch Changes

packages/middleware/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/middleware",
-  "version": "6.0.0-6-next.41",
+  "version": "6.0.0-6-next.42",
   "description": "express middleware utils",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,10 +38,10 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/utils": "workspace:6.0.0-6-next.30",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/url": "workspace:11.0.0-6-next.28",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/utils": "workspace:6.0.0-6-next.31",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/url": "workspace:11.0.0-6-next.29",
     "debug": "4.3.4",
     "lru-cache": "7.16.1",
     "express": "4.18.2",
@@ -54,7 +54,7 @@
     "url": "https://opencollective.com/verdaccio"
   },
   "devDependencies": {
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
     "body-parser": "1.20.1",
     "supertest": "6.3.3"
   }

packages/node-api/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @verdaccio/node-api
 
+## 6.0.0-6-next.63
+
+### Patch Changes
+
+- Updated dependencies [ddb6a223]
+- Updated dependencies [dc571aab]
+  - @verdaccio/config@6.0.0-6-next.63
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/server@6.0.0-6-next.52
+  - @verdaccio/server-fastify@6.0.0-6-next.44
+  - @verdaccio/logger@6.0.0-6-next.31
+
 ## 6.0.0-6-next.62
 
 ### Patch Changes

packages/node-api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/node-api",
-  "version": "6.0.0-6-next.62",
+  "version": "6.0.0-6-next.63",
   "description": "node API",
   "main": "build/index.js",
   "types": "build/index.d.ts",
@@ -39,18 +39,18 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
-    "@verdaccio/server": "workspace:6.0.0-6-next.51",
-    "@verdaccio/server-fastify": "workspace:6.0.0-6-next.43",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
+    "@verdaccio/server": "workspace:6.0.0-6-next.52",
+    "@verdaccio/server-fastify": "workspace:6.0.0-6-next.44",
     "core-js": "3.28.0",
     "debug": "4.3.4",
     "lodash": "4.17.21"
   },
   "devDependencies": {
     "@types/node": "16.18.10",
-    "@verdaccio/types": "workspace:11.0.0-6-next.21",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22",
     "jest-mock-process": "1.5.1",
     "selfsigned": "1.10.14",
     "supertest": "6.3.3"

packages/node-api/test/run-server.spec.ts

@@ -11,7 +11,7 @@ describe('startServer via API', () => {
 
   test('should fail on start with empty configuration', async () => {
     // @ts-expect-error
-    await expect(runServer({})).rejects.toThrow('config_path is required');
+    await expect(runServer({})).rejects.toThrow('configPath property is required');
   });
 
   test('should fail on start with null as entry', async () => {

packages/plugins/audit/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Change Log
 
+## 11.0.0-6-next.26
+
+### Patch Changes
+
+- Updated dependencies [ddb6a223]
+- Updated dependencies [dc571aab]
+  - @verdaccio/config@6.0.0-6-next.63
+  - @verdaccio/core@6.0.0-6-next.63
+
 ## 11.0.0-6-next.25
 
 ### Patch Changes

packages/plugins/audit/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-audit",
-  "version": "11.0.0-6-next.25",
+  "version": "11.0.0-6-next.26",
   "description": "Verdaccio Middleware plugin to bypass npmjs audit",
   "keywords": [
     "private",
@@ -30,16 +30,16 @@
     "node": ">=12"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
     "express": "4.18.2",
     "https-proxy-agent": "5.0.1",
     "node-fetch": "cjs"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:11.0.0-6-next.21",
-    "@verdaccio/auth": "workspace:6.0.0-6-next.41",
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22",
+    "@verdaccio/auth": "workspace:6.0.0-6-next.42",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
     "nock": "13.2.9",
     "supertest": "6.3.3"
   },

packages/plugins/auth-memory/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Change Log
 
+## 11.0.0-6-next.28
+
+### Patch Changes
+
+- Updated dependencies [dc571aab]
+  - @verdaccio/core@6.0.0-6-next.63
+
 ## 11.0.0-6-next.27
 
 ### Patch Changes

packages/plugins/auth-memory/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-auth-memory",
-  "version": "11.0.0-6-next.27",
+  "version": "11.0.0-6-next.28",
   "description": "Auth plugin for Verdaccio that keeps users in memory",
   "keywords": [
     "private",
@@ -32,11 +32,11 @@
   },
   "dependencies": {
     "debug": "4.3.4",
-    "@verdaccio/core": "workspace:6.0.0-6-next.62"
+    "@verdaccio/core": "workspace:6.0.0-6-next.63"
   },
   "devDependencies": {
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/types": "workspace:11.0.0-6-next.21"
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/plugins/htpasswd/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Change Log
 
+## 11.0.0-6-next.33
+
+### Patch Changes
+
+- Updated dependencies [dc571aab]
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/file-locking@11.0.0-6-next.7
+
 ## 11.0.0-6-next.32
 
 ### Patch Changes

packages/plugins/htpasswd/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-htpasswd",
-  "version": "11.0.0-6-next.32",
+  "version": "11.0.0-6-next.33",
   "description": "htpasswd auth plugin for Verdaccio",
   "keywords": [
     "private",
@@ -34,7 +34,7 @@
     "npm": ">=6"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
     "@verdaccio/file-locking": "workspace:11.0.0-6-next.7",
     "apache-md5": "1.1.8",
     "bcryptjs": "2.4.3",
@@ -45,9 +45,9 @@
   },
   "devDependencies": {
     "@types/bcryptjs": "2.4.2",
-    "@verdaccio/types": "workspace:11.0.0-6-next.21",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
     "mockdate": "3.0.5"
   },
   "scripts": {

packages/plugins/local-storage/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Change Log
 
+## 11.0.0-6-next.33
+
+### Patch Changes
+
+- Updated dependencies [dc571aab]
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/utils@6.0.0-6-next.31
+  - @verdaccio/file-locking@11.0.0-6-next.7
+
 ## 11.0.0-6-next.32
 
 ### Patch Changes

packages/plugins/local-storage/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/local-storage",
-  "version": "11.0.0-6-next.32",
+  "version": "11.0.0-6-next.33",
   "description": "Local storage implementation",
   "keywords": [
     "private",
@@ -37,9 +37,9 @@
     "npm": ">=7"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
     "@verdaccio/file-locking": "workspace:11.0.0-6-next.7",
-    "@verdaccio/utils": "workspace:6.0.0-6-next.30",
+    "@verdaccio/utils": "workspace:6.0.0-6-next.31",
     "core-js": "3.28.0",
     "debug": "4.3.4",
     "globby": "11.1.0",
@@ -51,10 +51,10 @@
   },
   "devDependencies": {
     "@types/minimatch": "3.0.5",
-    "@verdaccio/types": "workspace:11.0.0-6-next.21",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
-    "@verdaccio/test-helper": "workspace:2.0.0-6-next.7",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
+    "@verdaccio/test-helper": "workspace:2.0.0-6-next.8",
     "minimatch": "3.1.2"
   },
   "scripts": {

packages/plugins/memory/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Change Log
 
+## 11.0.0-6-next.30
+
+### Patch Changes
+
+- Updated dependencies [dc571aab]
+  - @verdaccio/core@6.0.0-6-next.63
+
 ## 11.0.0-6-next.29
 
 ### Patch Changes

packages/plugins/memory/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-memory",
-  "version": "11.0.0-6-next.29",
+  "version": "11.0.0-6-next.30",
   "description": "Storage implementation in memory",
   "keywords": [
     "private",
@@ -31,15 +31,15 @@
     "npm": ">=6"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
     "memory-fs": "0.5.0",
     "debug": "4.3.4",
     "memfs": "3.4.12"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:11.0.0-6-next.21",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30"
+    "@verdaccio/types": "workspace:11.0.0-6-next.22",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/plugins/ui-theme/CHANGELOG.md

@@ -1,5 +1,7 @@
 # @verdaccio/ui-theme
 
+## 6.0.0-6-next.63
+
 ## 6.0.0-6-next.62
 
 ### Major Changes

packages/plugins/ui-theme/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/ui-theme",
-  "version": "6.0.0-6-next.62",
+  "version": "6.0.0-6-next.63",
   "description": "Verdaccio User Interface",
   "author": {
     "name": "Verdaccio Contributors",
@@ -27,8 +27,8 @@
     "@testing-library/dom": "8.19.1",
     "@testing-library/jest-dom": "5.16.5",
     "@testing-library/react": "13.4.0",
-    "@verdaccio/node-api": "workspace:6.0.0-6-next.62",
-    "@verdaccio/ui-components": "workspace:2.0.0-6-next.4",
+    "@verdaccio/node-api": "workspace:6.0.0-6-next.63",
+    "@verdaccio/ui-components": "workspace:2.0.0-6-next.5",
     "@verdaccio/types": "workspace:*",
     "normalize.css": "8.0.1",
     "babel-loader": "8.3.0",

packages/plugins/ui-theme/src/components/Contributors/generated_contributors_list.json

@@ -47,10 +47,6 @@
     "username": "tmkn",
     "id": 2671613
   },
-  {
-    "username": "indiescripter",
-    "id": 6511559
-  },
   {
     "username": "jamesgeorge007",
     "id": 25279263
@@ -199,10 +195,6 @@
     "username": "markpeterfejes",
     "id": 7912231
   },
-  {
-    "username": "steve-p-com",
-    "id": 5180548
-  },
   {
     "username": "dschaller",
     "id": 1004789
@@ -1079,6 +1071,10 @@
     "username": "okyanusoz",
     "id": 46757266
   },
+  {
+    "username": "profanis",
+    "id": 7045092
+  },
   {
     "username": "robi-wan",
     "id": 30210
@@ -1119,6 +1115,10 @@
     "username": "hiwanz",
     "id": 338102
   },
+  {
+    "username": "melodyVoid",
+    "id": 26846212
+  },
   {
     "username": "notsag",
     "id": 674589

packages/proxy/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @verdaccio/proxy
 
+## 6.0.0-6-next.41
+
+### Patch Changes
+
+- Updated dependencies [ddb6a223]
+- Updated dependencies [dc571aab]
+  - @verdaccio/config@6.0.0-6-next.63
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/local-storage@11.0.0-6-next.33
+  - @verdaccio/utils@6.0.0-6-next.31
+  - @verdaccio/logger@6.0.0-6-next.31
+
 ## 6.0.0-6-next.40
 
 ### Patch Changes

packages/proxy/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/proxy",
-  "version": "6.0.0-6-next.40",
+  "version": "6.0.0-6-next.41",
   "description": "verdaccio proxy fetcher",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -39,11 +39,11 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/local-storage": "workspace:11.0.0-6-next.32",
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
-    "@verdaccio/utils": "workspace:6.0.0-6-next.30",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/local-storage": "workspace:11.0.0-6-next.33",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
+    "@verdaccio/utils": "workspace:6.0.0-6-next.31",
     "JSONStream": "1.3.5",
     "debug": "4.3.4",
     "lodash": "4.17.21",
@@ -54,7 +54,7 @@
   "devDependencies": {
     "@types/node": "16.18.10",
     "p-cancelable": "2.1.1",
-    "@verdaccio/types": "workspace:11.0.0-6-next.21",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22",
     "get-stream": "^6.0.1",
     "nock": "13.2.9",
     "node-mocks-http": "1.12.1",

packages/server/express/CHANGELOG.md

@@ -1,5 +1,23 @@
 # @verdaccio/server
 
+## 6.0.0-6-next.52
+
+### Patch Changes
+
+- Updated dependencies [ddb6a223]
+- Updated dependencies [dc571aab]
+  - @verdaccio/auth@6.0.0-6-next.42
+  - @verdaccio/config@6.0.0-6-next.63
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/api@6.0.0-6-next.46
+  - verdaccio-audit@11.0.0-6-next.26
+  - @verdaccio/web@6.0.0-6-next.50
+  - @verdaccio/loaders@6.0.0-6-next.32
+  - @verdaccio/middleware@6.0.0-6-next.42
+  - @verdaccio/store@6.0.0-6-next.43
+  - @verdaccio/utils@6.0.0-6-next.31
+  - @verdaccio/logger@6.0.0-6-next.31
+
 ## 6.0.0-6-next.51
 
 ### Patch Changes

packages/server/express/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/server",
-  "version": "6.0.0-6-next.51",
+  "version": "6.0.0-6-next.52",
   "description": "server logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -30,17 +30,17 @@
     "npm": ">=6"
   },
   "dependencies": {
-    "@verdaccio/api": "workspace:6.0.0-6-next.45",
-    "@verdaccio/auth": "workspace:6.0.0-6-next.41",
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/loaders": "workspace:6.0.0-6-next.31",
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
-    "@verdaccio/middleware": "workspace:6.0.0-6-next.41",
-    "@verdaccio/store": "workspace:6.0.0-6-next.42",
-    "@verdaccio/utils": "workspace:6.0.0-6-next.30",
-    "@verdaccio/web": "workspace:6.0.0-6-next.49",
-    "verdaccio-audit": "workspace:11.0.0-6-next.25",
+    "@verdaccio/api": "workspace:6.0.0-6-next.46",
+    "@verdaccio/auth": "workspace:6.0.0-6-next.42",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/loaders": "workspace:6.0.0-6-next.32",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
+    "@verdaccio/middleware": "workspace:6.0.0-6-next.42",
+    "@verdaccio/store": "workspace:6.0.0-6-next.43",
+    "@verdaccio/utils": "workspace:6.0.0-6-next.31",
+    "@verdaccio/web": "workspace:6.0.0-6-next.50",
+    "verdaccio-audit": "workspace:11.0.0-6-next.26",
     "compression": "1.7.4",
     "cors": "2.8.5",
     "debug": "4.3.4",
@@ -49,8 +49,8 @@
   },
   "devDependencies": {
     "@types/node": "16.18.10",
-    "@verdaccio/proxy": "workspace:6.0.0-6-next.40",
-    "@verdaccio/test-helper": "workspace:2.0.0-6-next.7",
+    "@verdaccio/proxy": "workspace:6.0.0-6-next.41",
+    "@verdaccio/test-helper": "workspace:2.0.0-6-next.8",
     "http-errors": "1.8.1"
   },
   "scripts": {

packages/server/fastify/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @verdaccio/server-fastify
 
+## 6.0.0-6-next.44
+
+### Patch Changes
+
+- Updated dependencies [ddb6a223]
+- Updated dependencies [dc571aab]
+  - @verdaccio/auth@6.0.0-6-next.42
+  - @verdaccio/config@6.0.0-6-next.63
+  - @verdaccio/core@6.0.0-6-next.63
+  - @verdaccio/store@6.0.0-6-next.43
+  - @verdaccio/tarball@11.0.0-6-next.32
+  - @verdaccio/utils@6.0.0-6-next.31
+  - @verdaccio/logger@6.0.0-6-next.31
+
 ## 6.0.0-6-next.43
 
 ### Patch Changes

packages/server/fastify/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/server-fastify",
-  "version": "6.0.0-6-next.43",
+  "version": "6.0.0-6-next.44",
   "description": "fastify server api implementation",
   "keywords": [
     "private",
@@ -34,13 +34,13 @@
     "access": "public"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:6.0.0-6-next.62",
-    "@verdaccio/config": "workspace:6.0.0-6-next.62",
-    "@verdaccio/auth": "workspace:6.0.0-6-next.41",
-    "@verdaccio/logger": "workspace:6.0.0-6-next.30",
-    "@verdaccio/store": "workspace:6.0.0-6-next.42",
-    "@verdaccio/tarball": "workspace:11.0.0-6-next.31",
-    "@verdaccio/utils": "workspace:6.0.0-6-next.30",
+    "@verdaccio/core": "workspace:6.0.0-6-next.63",
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/auth": "workspace:6.0.0-6-next.42",
+    "@verdaccio/logger": "workspace:6.0.0-6-next.31",
+    "@verdaccio/store": "workspace:6.0.0-6-next.43",
+    "@verdaccio/tarball": "workspace:11.0.0-6-next.32",
+    "@verdaccio/utils": "workspace:6.0.0-6-next.31",
     "core-js": "3.28.0",
     "debug": "4.3.4",
     "fastify": "4.13.0",
@@ -49,7 +49,7 @@
   },
   "devDependencies": {
     "@types/node": "16.18.10",
-    "@verdaccio/types": "workspace:11.0.0-6-next.21",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22",
     "ts-node": "10.9.1"
   },
   "scripts": {

packages/signature/.babelrc

@@ -0,0 +1,3 @@
+{
+  "extends": "../../.babelrc"
+}

packages/signature/CHANGELOG.md

@@ -0,0 +1,8 @@
+# @verdaccio/signature
+
+## 6.0.0-6-next.2
+
+### Minor Changes
+
+- ddb6a223: feat: signature package
+- dc571aab: feat: add forceEnhancedLegacySignature

packages/signature/jest.config.js

@@ -0,0 +1,3 @@
+const config = require('../../jest/config');
+
+module.exports = Object.assign({}, config, {});

packages/signature/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@verdaccio/signature",
+  "version": "6.0.0-6-next.2",
+  "description": "verdaccio signature utils",
+  "main": "./build/index.js",
+  "types": "build/index.d.ts",
+  "author": {
+    "name": "Juan Picado",
+    "email": "juanpicado19@gmail.com"
+  },
+  "repository": {
+    "type": "https",
+    "url": "https://github.com/verdaccio/verdaccio"
+  },
+  "license": "MIT",
+  "homepage": "https://verdaccio.org",
+  "keywords": [
+    "private",
+    "package",
+    "repository",
+    "registry",
+    "enterprise",
+    "modules",
+    "proxy",
+    "server",
+    "verdaccio"
+  ],
+  "engines": {
+    "node": ">=12"
+  },
+  "scripts": {
+    "clean": "rimraf ./build",
+    "test": "jest",
+    "type-check": "tsc --noEmit -p tsconfig.build.json",
+    "build:types": "tsc --emitDeclarationOnly -p tsconfig.build.json",
+    "build:js": "babel src/ --out-dir build/ --copy-files --extensions \".ts,.tsx\" --source-maps",
+    "watch": "pnpm build:js -- --watch",
+    "build": "pnpm run build:js && pnpm run build:types"
+  },
+  "dependencies": {
+    "jsonwebtoken": "9.0.0",
+    "debug": "4.3.4",
+    "lodash": "4.17.21"
+  },
+  "devDependencies": {
+    "@verdaccio/config": "workspace:6.0.0-6-next.63",
+    "@verdaccio/types": "workspace:11.0.0-6-next.22"
+  },
+  "funding": {
+    "type": "opencollective",
+    "url": "https://opencollective.com/verdaccio"
+  }
+}

packages/signature/src/index.ts

@@ -0,0 +1,10 @@
+export {
+  aesDecryptDeprecated,
+  aesEncryptDeprecated,
+  generateRandomSecretKeyDeprecated,
+} from './legacy-signature';
+export { aesDecrypt, aesEncrypt } from './signature';
+export { signPayload, verifyPayload } from './jwt-token';
+export * as utils from './utils';
+export * as types from './types';
+export { parseBasicPayload } from './token';

packages/signature/src/legacy-signature/index.ts

@@ -0,0 +1,50 @@
+import { createCipher, createDecipher } from 'crypto';
+
+import { generateRandomHexString } from '../utils';
+
+export const defaultAlgorithm = 'aes192';
+export const defaultTarballHashAlgorithm = 'sha1';
+
+/**
+ *
+ * @param buf
+ * @param secret
+ * @returns
+ */
+export function aesEncryptDeprecated(buf: Buffer, secret: string): Buffer {
+  // deprecated (it will be removed in Verdaccio 6), it is a breaking change
+  // https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options
+  // https://www.grainger.xyz/changing-from-cipher-to-cipheriv/
+  const c = createCipher(defaultAlgorithm, secret);
+  const b1 = c.update(buf);
+  const b2 = c.final();
+  return Buffer.concat([b1, b2]);
+}
+
+/**
+ *
+ * @param buf
+ * @param secret
+ * @returns
+ */
+export function aesDecryptDeprecated(buf: Buffer, secret: string): Buffer {
+  try {
+    // https://nodejs.org/api/crypto.html#crypto_crypto_createdecipher_algorithm_password_options
+    // https://www.grainger.xyz/changing-from-cipher-to-cipheriv/
+    const c = createDecipher(defaultAlgorithm, secret);
+    const b1 = c.update(buf);
+    const b2 = c.final();
+    return Buffer.concat([b1, b2]);
+  } catch (_) {
+    return Buffer.alloc(0);
+  }
+}
+
+export const TOKEN_VALID_LENGTH_DEPRECATED = 64;
+
+/**
+ * Generate a secret key of 64 characters.
+ */
+export function generateRandomSecretKeyDeprecated(): string {
+  return generateRandomHexString(6);
+}

packages/signature/src/signature.ts

@@ -14,18 +14,17 @@ const debug = buildDebug('verdaccio:auth:token:legacy');
 export const defaultAlgorithm = process.env.VERDACCIO_LEGACY_ALGORITHM || 'aes-256-ctr';
 const inputEncoding: CharacterEncoding = 'utf8';
 const outputEncoding: BinaryToTextEncoding = 'hex';
-// For AES, this is always 16
-const IV_LENGTH = 16;
 // Must be 256 bits (32 characters)
 // https://stackoverflow.com/questions/50963160/invalid-key-length-in-crypto-createcipheriv#50963356
 const VERDACCIO_LEGACY_ENCRYPTION_KEY = process.env.VERDACCIO_LEGACY_ENCRYPTION_KEY;
 
 export function aesEncrypt(value: string, key: string): string | void {
   // https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options
-  // https://www.grainger.xyz/changing-from-cipher-to-cipheriv/
+  // https://www.grainger.xyz/posts/changing-from-cipher-to-cipheriv
   debug('encrypt %o', value);
   debug('algorithm %o', defaultAlgorithm);
-  const iv = Buffer.from(randomBytes(IV_LENGTH));
+  // IV must be a buffer of length 16
+  const iv = Buffer.from(randomBytes(16));
   const secretKey = VERDACCIO_LEGACY_ENCRYPTION_KEY || key;
   const isKeyValid = secretKey?.length === TOKEN_VALID_LENGTH;
   debug('length secret key %o', secretKey?.length);

packages/signature/src/token.ts

@@ -1,5 +1,10 @@
-import { BasicPayload } from './utils';
+import { BasicPayload } from './types';
 
+/**
+ *
+ * @param credentials
+ * @returns
+ */
 export function parseBasicPayload(credentials: string): BasicPayload {
   const index = credentials.indexOf(':');
   if (index < 0) {

packages/signature/src/types.ts

@@ -0,0 +1,6 @@
+export interface AESPayload {
+  user: string;
+  password: string;
+}
+
+export type BasicPayload = AESPayload | void;

packages/signature/src/utils.ts

@@ -0,0 +1,40 @@
+import { Hash, createHash, pseudoRandomBytes, randomBytes } from 'crypto';
+
+export const defaultTarballHashAlgorithm = 'sha1';
+
+/**
+ *
+ * @returns
+ */
+export function createTarballHash(algorithm = defaultTarballHashAlgorithm): Hash {
+  return createHash(algorithm);
+}
+
+/**
+ * Express doesn't do ETAGS with requests <= 1024b
+ * we use md5 here, it works well on 1k+ bytes, but with fewer data
+ * could improve performance using crc32 after benchmarks.
+ * @param {Object} data
+ * @return {String}
+ */
+export function stringToMD5(data: Buffer | string): string {
+  return createHash('md5').update(data).digest('hex');
+}
+
+/**
+ *
+ * @param length
+ * @returns
+ */
+export function generateRandomHexString(length = 8): string {
+  return pseudoRandomBytes(length).toString('hex');
+}
+
+export const TOKEN_VALID_LENGTH = 32;
+
+/**
+ * Generate a secret of 32 characters.
+ */
+export function generateRandomSecretKey(): string {
+  return randomBytes(TOKEN_VALID_LENGTH).toString('base64').substring(0, TOKEN_VALID_LENGTH);
+}

packages/signature/test/jwt.spec.ts

@@ -0,0 +1,13 @@
+import { createRemoteUser } from '@verdaccio/config';
+
+import { signPayload, verifyPayload } from '../src';
+
+describe('verifyJWTPayload', () => {
+  test('should verify the token and return a remote user', async () => {
+    const remoteUser = createRemoteUser('foo', []);
+    const token = await signPayload(remoteUser, '12345');
+    const verifiedToken = verifyPayload(token, '12345');
+    expect(verifiedToken.groups).toEqual(remoteUser.groups);
+    expect(verifiedToken.name).toEqual(remoteUser.name);
+  });
+});