chore: update versions (next-7) (#4658)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.changeset/big-cameras-invent.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/store': patch
+---
+
+chore: fix types for some store tests

.changeset/dry-shoes-report.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/logger-commons': patch
+'@verdaccio/logger-prettify': patch
+---
+
+fix: log spacing depending on the FORMAT and COLORS options

.changeset/eight-icons-heal.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/tarball': patch
+'@verdaccio/store': patch
+---
+
+feat: add tarball details for published packages

.changeset/eighty-lobsters-study.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/ui-theme': patch
+'@verdaccio/ui-components': patch
+---
+
+feat: versions filter by semver range

.changeset/itchy-mangos-wink.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/middleware': patch
+'@verdaccio/url': patch
+---
+
+Improved TS types for renderHTML() and related functions (by @tobbe in #4605)

.changeset/long-moles-attend.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/search-indexer': patch
+---
+
+fix: remove node engine restriction

.changeset/pink-balloons-leave.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/local-storage': patch
+---
+
+chore: reduce log to info if database is not found

.changeset/poor-seals-turn.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/tarball': patch
+'@verdaccio/store': patch
+---
+
+revert #4600

.changeset/pre.json

@@ -56,27 +56,45 @@
     "@verdaccio/web": "6.0.0",
     "@verdaccio/website": "5.20.2",
     "@verdaccio/local-publish": "0.0.1",
-    "@verdaccio/search": "7.0.0-next.0"
+    "@verdaccio/search": "7.0.0-next.0",
+    "@verdaccio/e2e-cli-pnpm9": "1.0.1"
   },
   "changesets": [
     "angry-trees-tie",
+    "big-cameras-invent",
     "breezy-mayflies-pull",
     "chilled-carrots-guess",
+    "dry-shoes-report",
+    "eight-icons-heal",
     "eight-squids-judge",
+    "eighty-lobsters-study",
     "good-cups-train",
+    "itchy-mangos-wink",
     "long-jars-collect",
+    "long-moles-attend",
     "old-turkeys-heal",
     "olive-bananas-wink",
     "perfect-chairs-act",
     "pink-apples-nail",
+    "pink-balloons-leave",
+    "poor-seals-turn",
+    "quick-buses-scream",
     "real-socks-vanish",
+    "sharp-wolves-carry",
     "shiny-worms-retire",
     "shy-carrots-compare",
     "shy-garlics-cry",
+    "silent-shirts-knock",
+    "slow-wasps-glow",
     "spicy-birds-flow",
     "strange-points-repair",
+    "stupid-dancers-relate",
     "thirty-toes-swim",
+    "unlucky-cycles-sparkle",
     "weak-fans-explain",
+    "wet-balloons-give",
+    "wicked-kiwis-check",
+    "wicked-worms-wash",
     "wild-otters-talk",
     "young-donuts-own"
   ]

.changeset/quick-buses-scream.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/store': patch
+---
+
+fix: avoid warning "time for version x already exists"

.changeset/sharp-wolves-carry.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/signature': minor
+---
+
+support for createCipher backward compatible

.changeset/silent-shirts-knock.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/config': patch
+---
+
+fix config builder erroring when passed partial config

.changeset/slow-wasps-glow.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/logger-prettify': patch
+---
+
+Avoid displaying "prettify pipeline error" if there is no error

.changeset/stupid-dancers-relate.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/url': patch
+---
+
+patch(core/url): Throw if VERDACCIO_FORWARDED_PROTO resolves to an array (#4613 by @Tobbe)

.changeset/unlucky-cycles-sparkle.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/local-storage': patch
+---
+
+fix: error when writing tarball (missing folder)

.changeset/wet-balloons-give.md

@@ -0,0 +1,10 @@
+---
+'@verdaccio/types': minor
+'@verdaccio/core': minor
+'@verdaccio/signature': minor
+'@verdaccio/node-api': minor
+'@verdaccio/config': minor
+'@verdaccio/auth': minor
+---
+
+feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property

.changeset/wicked-kiwis-check.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/auth': patch
+---
+
+fix: adduser error message grammar (@tobbe in #4586)

.changeset/wicked-worms-wash.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/store': patch
+'@verdaccio/tarball': patch
+---
+
+feat: add tarball details for published packages

.github/dependabot.yml

@@ -8,18 +8,11 @@ updates:
   # Maintain dependencies for GitHub Actions
   - package-ecosystem: 'github-actions'
     directory: '/'
-    schedule:
-      interval: 'weekly'
-
-  # Maintain dependencies for npm
-  - package-ecosystem: 'npm'
-    directory: '/'
-    schedule:
-      interval: 'daily'
-    allow:
-      - dependency-name: '@verdaccio/*'
-      - dependency-name: 'verdaccio-*'
+    open-pull-requests-limit: 1
+    prefix: "[github-actions] "
     assignees:
-      - 'verdacciobot'
+      - 'verdacciobot'    
+    schedule:
+      interval: 'monthly'
     labels:
       - 'bot: dependencies'

.github/workflows/changesets.yml

@@ -20,7 +20,7 @@ jobs:
     if: github.ref == 'refs/heads/master' && github.repository == 'verdaccio/verdaccio'
     steps:
       - name: checkout code repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
         with:
           fetch-depth: 0
 

.github/workflows/ci-windows.yml

@@ -18,7 +18,7 @@ jobs:
         env:
           NODE_ENV: production          
     steps:
-    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
     - name: Node
       uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
       with:
@@ -29,14 +29,10 @@ jobs:
       run: |
         mkdir ~/.pnpm-store
         pnpm config set store-dir ~/.pnpm-store
-    - name: set store
-      run: |
-        mkdir ~/.pnpm-store
-        pnpm config set store-dir ~/.pnpm-store            
     - name: Install
       run: pnpm install --registry http://localhost:4873
     - name: Cache .pnpm-store
-      uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
       with:
         path: ~/.pnpm-store
         key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -47,14 +43,14 @@ jobs:
     name: Lint
     needs: prepare
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -71,14 +67,14 @@ jobs:
     name: Format
     needs: prepare
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -100,14 +96,14 @@ jobs:
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node ${{ matrix.node_version }}
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node_version }}
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -126,13 +122,13 @@ jobs:
     runs-on: windows-latest
     name: UI Test E2E
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/workflows/ci.yml

@@ -14,6 +14,9 @@ on:
       - 'pnpm-workspace.yaml'
 permissions:
   contents: read
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true  
 
 jobs:
   prepare:
@@ -27,7 +30,7 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -43,7 +46,7 @@ jobs:
       - name: Install
         run: pnpm install  --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -54,7 +57,7 @@ jobs:
     name: Lint
     needs: prepare
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -63,7 +66,7 @@ jobs:
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -79,7 +82,7 @@ jobs:
     name: Format
     needs: prepare
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -88,7 +91,7 @@ jobs:
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -105,11 +108,11 @@ jobs:
       fail-fast: true
       matrix:
         os: [ubuntu-latest]
-        node_version: [18, 20, 21]
+        node_version: [18, 20, 21, 22]
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node ${{ matrix.node_version }}
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -118,7 +121,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -135,9 +138,9 @@ jobs:
     needs: [test]
     runs-on: ubuntu-latest
     name: synchronize translations
-    if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
+    if: (github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'verdaccio/verdaccio') || github.event_name == 'workflow_dispatch'
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
@@ -145,7 +148,7 @@ jobs:
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/workflows/codeql-analysis.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
         with:
           # We must fetch at least the immediate parents so that if this is
           # a pull request then we can checkout the head.
@@ -34,7 +34,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v2
+        uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f # v2
 
       # Override language selection by uncommenting this and choosing your languages
       # with:
@@ -42,7 +42,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v2
+        uses: github/codeql-action/autobuild@f079b8493333aace61c81488f8bd40919487bd9f # v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -56,4 +56,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v2
+        uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f # v2

.github/workflows/docker-proxy-apache-e2e.yml

@@ -16,7 +16,7 @@ jobs:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       
     - name: Start containers
       run: docker-compose -f "./e2e/docker/apache-verdaccio/docker-compose.yaml" up -d --build

.github/workflows/docker-proxy-nginx-e2e.yml

@@ -13,7 +13,7 @@ jobs:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       
     - name: Start containers
       run: docker-compose -f "./e2e/docker/proxy-nginx/docker-compose.yaml" up -d --build

.github/workflows/docker-publish.yml

@@ -22,8 +22,9 @@ permissions:
 jobs:
   docker:
     runs-on: ubuntu-latest
+    if: github.repository == 'verdaccio/verdaccio'
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # tag=v1
       - uses: docker/setup-buildx-action@v1
         with:

.github/workflows/e2e-ci.yml

@@ -18,7 +18,7 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -34,7 +34,7 @@ jobs:
       - name: Install
         run: pnpm install --reporter=silence --ignore-scripts --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -44,7 +44,7 @@ jobs:
     needs: [prepare]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node 16
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -53,7 +53,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -65,7 +65,7 @@ jobs:
       - name: build
         run: pnpm build
       - name: Cache packages
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         id: cache-packages
         with:
           path: ./packages/
@@ -97,7 +97,7 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
@@ -105,7 +105,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -114,7 +114,51 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
+        with:
+          path: ./packages/
+          key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+      # - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # tag=v3
+      #   with:
+      #     path: ./e2e/
+      #     key: test-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+      - name: build e2e
+        run: pnpm --filter @verdaccio/test-cli-commons build
+      - name: Test CLI
+        run: NODE_ENV=production pnpm test --filter ...@verdaccio/e2e-cli-${{matrix.pkg}}
+
+  e2e-cli-pnpm:
+    needs: [prepare, build]
+    strategy:
+      fail-fast: true
+      matrix:
+        pkg:
+          [
+            pnpm8,
+            pnpm9,
+          ]
+        node: [20, 21]
+    name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        with:
+          node-version: ${{ matrix.node }}
+      - name: Install pnpm
+        run: |
+          corepack enable
+          corepack prepare
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
+        with:
+          path: ~/.pnpm-store
+          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+      - name: set store
+        run: |
+          pnpm config set store-dir ~/.pnpm-store
+      - name: Install
+        run: pnpm install --loglevel debug --ignore-scripts --registry http://localhost:4873
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -126,51 +170,6 @@ jobs:
         run: pnpm --filter @verdaccio/test-cli-commons build
       - name: Test CLI
         run: NODE_ENV=production pnpm test --filter ...@verdaccio/e2e-cli-${{matrix.pkg}}
-  # TODO: fix pnpm setup
-  # e2e-cli-pnpm:
-  #   needs: [prepare, build]
-  #   strategy:
-  #     fail-fast: true
-  #     matrix:
-  #       pkg:
-  #         [          
-  #           pnpm6,
-  #           pnpm7,
-  #           pnpm8          
-  #         ]
-  #       node: [20, 21]
-  #   name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
-  #     - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
-  #       with:
-  #         node-version: ${{ matrix.node }}
-  #     - name: Install pnpm
-  #       run: |
-  #         corepack enable
-  #         corepack prepare
-  #     - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
-  #       with:
-  #         path: ~/.pnpm-store
-  #         key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
-  #     - name: set store
-  #       run: |
-  #         pnpm config set store-dir ~/.pnpm-store
-  #     - name: Install
-  #       run: pnpm install --loglevel debug --ignore-scripts --registry http://localhost:4873
-  #     - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
-  #       with:
-  #         path: ./packages/
-  #         key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
-  #     # - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # tag=v3
-  #     #   with:
-  #     #     path: ./e2e/
-  #     #     key: test-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
-  #     - name: build e2e
-  #       run: pnpm --filter @verdaccio/test-cli-commons build
-  #     - name: Test CLI
-  #       run: NODE_ENV=production pnpm test --filter ...@verdaccio/e2e-cli-${{matrix.pkg}}
   e2e-cli-yarn:
     needs: [prepare, build]
     strategy:
@@ -187,7 +186,7 @@ jobs:
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
@@ -195,7 +194,7 @@ jobs:
         run: |
           corepack enable
           corepack prepare 
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -204,7 +203,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}

.github/workflows/e2e-ui.yml

@@ -18,7 +18,7 @@ jobs:
         env:
           NODE_ENV: production
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
@@ -33,7 +33,7 @@ jobs:
         run: pnpm build
       - name: Test UI
         run: pnpm test:e2e:ui
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
+      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v3
         with:
           name: videos
           path: /home/runner/work/verdaccio/verdaccio/e2e/ui/cypress/videos

.github/workflows/static-data.yml

@@ -18,8 +18,9 @@ jobs:
   prepare:
     name: Run script
     runs-on: ubuntu-latest
+    if: github.repository == 'verdaccio/verdaccio'
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -45,7 +46,7 @@ jobs:
       - name: format
         run: pnpm format
       - name: Commit & Push changes
-        uses: actions-js/push@156f2b10c3aa000c44dbe75ea7018f32ae999772 # tag=v1.4
+        uses: actions-js/push@5a7cbd780d82c0c937b5977586e641b2fd94acc5 # tag=v1.5
         with:
           github_token: ${{ secrets.TOKEN_VERDACCIOBOT_GITHUB }}
           message: "chore: updated static data"

.github/workflows/ui-components.yml

@@ -1,7 +1,9 @@
 name: UI Components
 
-on: 
+on:
   workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *' 
 
 permissions:
   contents: read  #  to fetch code (actions/checkout)
@@ -17,10 +19,11 @@ jobs:
       pull-requests: write  #  to comment on pull-requests
 
     runs-on: ubuntu-latest
+    if: github.repository == 'verdaccio/verdaccio'
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
 
       - name: Use Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
@@ -28,7 +31,7 @@ jobs:
           node-version-file: '.nvmrc'
 
       - name: Cache pnpm modules
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         env:
           cache-name: cache-pnpm-modules
         with:
@@ -48,24 +51,8 @@ jobs:
       - name: Copy public content
         # the msw.js worker is need it at the storybook-static folder in production
         run: cp -R packages/ui-components/public/* packages/ui-components/storybook-static
-      - name: 🔥 Deploy Production UI Netlify
-        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
-        uses: verdaccio/action-netlify-deploy@1c086d59169edeec9254672c7de17d2ceac3928f # v2.0.0
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          netlify-auth-token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-          netlify-site-id: ${{ secrets.NETLIFY_UI_SITE_ID }}
-          build-dir: './packages/ui-components/storybook-static'          
-      - name: 🤖 Deploy Preview UI Components Netlify
-        if: github.repository == 'verdaccio/verdaccio'
-        uses: semoal/action-netlify-deploy@1a53f098745bf78555d11b436f5ee3af87e6b566
-        id: netlify_preview_ui
-        with:
-          draft: true
-          comment-on-pull-request: true
-          github-deployment-is-production: false
-          github-deployment-is-transient: true
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          netlify-auth-token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-          netlify-site-id: ${{ secrets.NETLIFY_UI_SITE_ID }}
-          build-dir: './packages/ui-components/storybook-static'
+      - name: Deploy to Netlify
+        env:
+          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_UI_SITE_ID }}
+          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+        run: pnpm --filter ...@verdaccio/ui-components netlify:ui:deploy

.github/workflows/website.yml

@@ -2,8 +2,6 @@ name: Verdaccio Website CI
 
 on:
   workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * *' 
 
 permissions:
   contents: read  #  to fetch code (actions/checkout)
@@ -16,6 +14,7 @@ jobs:
       pull-requests: write  #  to comment on pull-requests
 
     runs-on: ubuntu-latest
+    if: github.repository == 'verdaccio/verdaccio'
     name: setup verdaccio
     services:
       verdaccio:
@@ -27,7 +26,7 @@ jobs:
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v3
 
       - name: Node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
@@ -44,7 +43,7 @@ jobs:
       - name: Install
         run: pnpm install  --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -55,7 +54,7 @@ jobs:
       - name: Build Translations percentage
         run: pnpm --filter @verdaccio/crowdin-translations build
       - name: Cache Docusaurus Build
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v3
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v3
         with:
           path: website/node_modules/.cache/webpack
           key: cache/webpack-${{github.ref}}-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -68,6 +67,7 @@ jobs:
           CONTEXT: production
         run: pnpm --filter @verdaccio/website netlify:build
       - name: Deploy to Netlify
+        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
         env:
           NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}

README.md

@@ -43,7 +43,7 @@ Google Cloud Storage** or create your own plugin.
 Install with npm:
 
 ```bash
-npm install --location=global verdaccio@next
+npm install -g verdaccio@next
 ```
 
 With `yarn`
@@ -79,12 +79,34 @@ Furthermore, you can read the [**Debugging Guidelines**](https://github.com/verd
 You can develop your own [plugins](https://verdaccio.org/docs/plugins) with the [verdaccio generator](https://github.com/verdaccio/generator-verdaccio-plugin). Installing [Yeoman](https://yeoman.io/) is required.
 
 ```
-npm install --location=global yo
-npm install --location=global generator-verdaccio-plugin
+npm install -g yo
+npm install -g generator-verdaccio-plugin
 ```
 
 Learn more [here](https://verdaccio.org/docs/dev-plugins) how to develop plugins. Share your plugins with the community.
 
+## Integration Tests
+
+In our compatibility testing project, we're dedicated to ensuring that your favorite commands work seamlessly across different versions of npm, pnpm, and Yarn. From publishing packages to managing dependencies.
+Our goal is to give you the confidence to use your preferred package manager without any issues. So dive in, check out our matrix, and see how your commands fare across the board!
+
+[Learn or contribute here](https://github.com/verdaccio/verdaccio/tree/master/e2e/cli)
+
+### Commands
+
+| cmd       | npm6 | npm7 | npm8 | npm9 | npm10 | pnpm8 | pnpm9 (beta) | yarn1 | yarn2 | yarn3 | yarn4 |
+| --------- | ---- | ---- | ---- | ---- | ----- | ----- | ------------ | ----- | ----- | ----- | ----- |
+| publish   | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ✅    | ✅    | ✅    | ✅    |
+| info      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ✅    | ✅    | ✅    | ✅    |
+| audit     | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ✅    | ✅    | ✅    | ❌    |
+| install   | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ✅    | ✅    | ✅    | ✅    |
+| deprecate | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ⛔    | ⛔    | ⛔    | ⛔    |
+| ping      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ⛔    | ⛔    | ⛔    | ⛔    |
+| search    | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ⛔    | ⛔    | ⛔    | ⛔    |
+| star      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ⛔    | ⛔    | ⛔    | ⛔    |
+| stars     | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ⛔    | ⛔    | ⛔    | ⛔    |
+| dist-tag  | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ✅    | ❌    | ❌    | ❌    |
+
 ## Donations
 
 Verdaccio is run by **volunteers**; nobody is working full-time on it. If you find this project to be useful and would like to support its development, consider doing a long support donation - **and your logo will be on this section of the readme.**
@@ -123,7 +145,7 @@ Furthermore, here few examples how to start:
 
 ## Watch our Videos
 
-**Node Congress 2022, February 2022, Online Free**
+**Node 2022, February 2022, Online Free**
 
 <div>
    <a href="https://portal.gitnation.org/contents/five-ways-of-taking-advantage-of-verdaccio-your-private-and-proxy-nodejs-registry">

SECURITY.md

@@ -34,7 +34,7 @@ Note that time-frame and processes are subject to each program’s own policy.
 
 - Report the security issue to the project maintainers directly at verdaccio@pm.me. If the report contains highly sensitive information, please be advised to encrypt your findings using our [PGP key](https://cdn.verdaccio.dev/gpg/publickey.verdaccio@pm.me.asc) which is also available in this document.
 
-Your efforts to responsibly disclose your findings are sincerely appreciated and will be taken into account to acknowledge your contributions.
+Your efforts to responsibly disclose your findings are sincerely appreciated. There isn't a security bounty program available, but any security contributions will be duly acknowledged to recognize your valuable input.
 
 ## PGP key
 

docs/env.variables.md

@@ -5,12 +5,13 @@ internal features.
 
 #### VERDACCIO_LEGACY_ALGORITHM
 
-Allows to define the specific algorithm for the token
-signature which by default is `aes-256-ctr`
+Allows to define the specific algorithm for the token signature which by default is `aes-256-ctr`. The algorithm must be supported by `crypto.createCipheriv` and `crypto.createDecipheriv`.
+Read more here: https://nodejs.org/api/crypto.html#crypto_crypto_createcipheriv_algorithm_key_iv_options
 
 #### VERDACCIO_LEGACY_ENCRYPTION_KEY
 
-By default, the token stores in the database, but using this variable allows to get it from memory
+By default, the token stores in the database, but using this variable allows to get it from memory, the length must be 32 characters otherwise will throw an error.
+Read more here: https://nodejs.org/api/crypto.html#crypto_crypto_createcipheriv_algorithm_key_iv_options
 
 #### VERDACCIO_PUBLIC_URL
 

docs/migration-v5-to-v6.md

@@ -1,14 +1,14 @@
-# Migration guide from Verdaccio 5 to Verdaccio 6
+# Migration Guide from Verdaccio 5 to Verdaccio 6
 
 Notes regarding breaking changes for next major release.
 
-> This list might growth over the development.
+> This list might growth over the course of development.
 
-## Breaking changes
+## Breaking Changes
 
 ### New node-api interface [#2165](https://github.com/verdaccio/verdaccio/pull/2165)
 
-If you are using the node-api, the new structure is Promise based and less arguments.
+If you are using the `node-api`, the new structure is Promise based and less arguments.
 
 ```js
 import { runServer } from '@verdaccio/node-api';
@@ -22,7 +22,7 @@ app.listen(4000, (event) => {
 });
 ```
 
-### allow other password hashing algorithms [#1917](https://github.com/verdaccio/verdaccio/pull/1917)
+### Allow other password hashing algorithms [#1917](https://github.com/verdaccio/verdaccio/pull/1917)
 
 The current implementation of the `htpasswd` module supports multiple hash formats on verify, but only `crypt` on sign in.
 `crypt` is an insecure old format, so to improve the security of the new `verdaccio` release we introduce the support of multiple hash algorithms on sign in step.
@@ -53,21 +53,28 @@ htpasswd:
 
 - The `experiments` configuration is renamed to `flags`. The functionality is exactly the same.
 
-```js
-flags: token: false;
-search: false;
+```yaml
+flags:
+  token: false;
+  search: false;
 ```
 
 - The `self_path` property from the config file is being removed in favor of `config_file` full path.
 - Refactor `config` module, better types and utilities
 
-### legacy token signature by removing crypto.createDecipher is deprecated [#1953](https://github.com/verdaccio/verdaccio/pull/1953)
+### Legacy token signature by removing crypto.createDecipher is deprecated [#1953](https://github.com/verdaccio/verdaccio/pull/1953)
 
 - Replace signature handler for legacy tokens by removing deprecated crypto.createDecipher by createCipheriv
 - **The new signature invalidates all previous tokens generated by Verdaccio 5 or previous versions**.
 - The secret key must have 32 characters long
   > Remediation, update `.verdaccio-db.json` secret field with a secret key with 32 characters.
 
+### Legacy token secret length
+
+If the migration to v6 include an update to node 22 or higher, be aware that token secrets with a length other than 32 are not
+supported anymore. A new secret will be generated. See [docs](https://verdaccio.org/docs/6.x/configuration#legacy-token-signature)
+for more details.
+
 #### New environment variables
 
 Introduce environment variables for legacy tokens.

e2e/cli/README.md

@@ -7,18 +7,18 @@
 
 ### Commands Tested
 
-| cmd       | npm6 | npm7 | npm8 | npm9 | npm10 | pnpm6 | pnpm7 | yarn1 | yarn2 | yarn3 | yarn4 |
-| --------- | ---- | ---- | ---- | ---- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| publish   | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    |
-| info      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    |
-| audit     | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    | ❌    |
-| install   | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    | ✅    |
-| deprecate | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
-| ping      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
-| search    | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
-| star      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
-| stars     | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ⛔    | ⛔    | ⛔    | ⛔    |
-| dist-tag  | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅    | ✅    | ❌    | ❌    | ❌    |
+| cmd       | npm6 | npm7 | npm8 | npm9 | npm10 | pnpm8 | pnpm9 (beta) | yarn1 | yarn2 | yarn3 | yarn4 |
+| --------- | ---- | ---- | ---- | ---- | ----- | ----- | ------------ | ----- | ----- | ----- | ----- |
+| publish   | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ✅    | ✅    | ✅    | ✅    |
+| info      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ✅    | ✅    | ✅    | ✅    |
+| audit     | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ✅    | ✅    | ✅    | ❌    |
+| install   | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ✅    | ✅    | ✅    | ✅    |
+| deprecate | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ⛔    | ⛔    | ⛔    | ⛔    |
+| ping      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ⛔    | ⛔    | ⛔    | ⛔    |
+| search    | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ⛔    | ⛔    | ⛔    | ⛔    |
+| star      | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ⛔    | ⛔    | ⛔    | ⛔    |
+| stars     | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ⛔    | ⛔    | ⛔    | ⛔    |
+| dist-tag  | ✅   | ✅   | ✅   | ✅   | ✅    | ✅    | ✅           | ✅    | ❌    | ❌    | ❌    |
 
 > notes:
 >

e2e/cli/cli-commons/package.json

@@ -5,16 +5,16 @@
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
   "devDependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.12",
-    "@verdaccio/core": "workspace:7.0.0-next-7.12",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "debug": "4.3.4",
     "fs-extra": "11.2.0",
     "get-port": "5.1.1",
     "got": "11.8.6",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",
-    "verdaccio": "workspace:7.0.0-next-7.12"
+    "verdaccio": "workspace:7.0.0-next-7.16"
   },
   "scripts": {
     "test": "jest",

e2e/cli/e2e-npm10/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "10.4.0"
+    "npm": "10.5.0"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm6/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.9.2"
+    "npm": "9.9.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm7/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.9.2"
+    "npm": "9.9.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm8/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.9.2"
+    "npm": "9.9.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm9/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.9.2"
+    "npm": "9.9.3"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-pnpm6/CHANGELOG.md

@@ -1,63 +0,0 @@
-# @verdaccio/e2e-cli-pnpm6
-
-## 1.0.1
-
-### Patch Changes
-
-- 351aeeaa8: fix(deps): @verdaccio/utils should be a prod dep of local-storage
-- Updated dependencies [351aeeaa8]
-- Updated dependencies [d167f92e1]
-- Updated dependencies [c383eb68c]
-  - @verdaccio/test-cli-commons@1.1.0
-
-## 1.0.1-6-next.7
-
-### Patch Changes
-
-- Updated dependencies [c383eb68]
-  - @verdaccio/test-cli-commons@1.1.0-6-next.7
-
-## 1.0.1-6-next.6
-
-### Patch Changes
-
-- Updated dependencies [d167f92e]
-  - @verdaccio/test-cli-commons@1.1.0-6-next.6
-
-## 1.0.1-6-next.5
-
-### Patch Changes
-
-- @verdaccio/test-cli-commons@1.0.1-6-next.5
-
-## 1.0.1-6-next.4
-
-### Patch Changes
-
-- @verdaccio/test-cli-commons@1.0.1-6-next.4
-
-## 1.0.1-6-next.3
-
-### Patch Changes
-
-- 351aeeaa: fix(deps): @verdaccio/utils should be a prod dep of local-storage
-- Updated dependencies [351aeeaa]
-  - @verdaccio/test-cli-commons@1.0.1-6-next.3
-
-## 1.0.1-6-next.2
-
-### Patch Changes
-
-- @verdaccio/test-cli-commons@1.0.1-6-next.2
-
-## 1.0.1-6-next.1
-
-### Patch Changes
-
-- @verdaccio/test-cli-commons@1.0.1-6-next.1
-
-## 1.0.1-6-next.0
-
-### Patch Changes
-
-- @verdaccio/test-cli-commons@1.0.1-6-next.0

e2e/cli/e2e-pnpm6/audit.spec.ts

@@ -1,45 +0,0 @@
-import { addRegistry, initialSetup, prepareGenericEmptyProject } from '@verdaccio/test-cli-commons';
-
-import { pnpm } from './utils';
-
-describe('audit a package', () => {
-  jest.setTimeout(10000);
-  let registry;
-
-  beforeAll(async () => {
-    const setup = await initialSetup();
-    registry = setup.registry;
-    await registry.init();
-  });
-
-  test.each([['verdaccio-memory', '@verdaccio/cli']])(
-    'should audit a package %s',
-    async (pkgName) => {
-      const { tempFolder } = await prepareGenericEmptyProject(
-        pkgName,
-        '1.0.0-patch',
-        registry.port,
-        registry.getToken(),
-        registry.getRegistryUrl(),
-        { jquery: '3.6.1' }
-      );
-      // install is required to create package lock file
-      await pnpm({ cwd: tempFolder }, 'install', ...addRegistry(registry.getRegistryUrl()));
-      const resp = await pnpm(
-        { cwd: tempFolder },
-        'audit',
-        '--json',
-        ...addRegistry(registry.getRegistryUrl())
-      );
-      const parsedBody = JSON.parse(resp.stdout as string);
-      expect(parsedBody.metadata).toBeDefined();
-      expect(parsedBody.actions).toBeDefined();
-      expect(parsedBody.advisories).toBeDefined();
-      expect(parsedBody.muted).toBeDefined();
-    }
-  );
-
-  afterAll(async () => {
-    registry.stop();
-  });
-});

e2e/cli/e2e-pnpm6/package.json

@@ -1,12 +0,0 @@
-{
-  "private": true,
-  "name": "@verdaccio/e2e-cli-pnpm6",
-  "version": "1.0.1",
-  "dependencies": {
-    "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "pnpm": "^6.35.1"
-  },
-  "scripts": {
-    "test": "jest"
-  }
-}

e2e/cli/e2e-pnpm6/utils.ts

@@ -1,14 +0,0 @@
-import { SpawnOptions } from 'child_process';
-import { join } from 'path';
-
-import { exec } from '@verdaccio/test-cli-commons';
-
-function getCommand() {
-  return join(__dirname, './node_modules/.bin/pnpm');
-}
-
-function pnpm(options: SpawnOptions, ...args: string[]) {
-  return exec(options, getCommand(), args);
-}
-
-export { pnpm };

e2e/cli/e2e-pnpm7/.babelrc

@@ -1,3 +0,0 @@
-{
-  "extends": "../../../.babelrc"
-}

e2e/cli/e2e-pnpm7/.eslintrc

@@ -1,7 +0,0 @@
-{
-  "rules": {
-    "no-console": 0,
-    "@typescript-eslint/no-var-requires": 0,
-    "@typescript-eslint/explicit-member-accessibility": 0
-  }
-}

e2e/cli/e2e-pnpm7/CHANGELOG.md

@@ -1,63 +0,0 @@
-# @verdaccio/e2e-cli-pnpm7
-
-## 1.0.1
-
-### Patch Changes
-
-- 351aeeaa8: fix(deps): @verdaccio/utils should be a prod dep of local-storage
-- Updated dependencies [351aeeaa8]
-- Updated dependencies [d167f92e1]
-- Updated dependencies [c383eb68c]
-  - @verdaccio/test-cli-commons@1.1.0
-
-## 1.0.1-6-next.7
-
-### Patch Changes
-
-- Updated dependencies [c383eb68]
-  - @verdaccio/test-cli-commons@1.1.0-6-next.7
-
-## 1.0.1-6-next.6
-
-### Patch Changes
-
-- Updated dependencies [d167f92e]
-  - @verdaccio/test-cli-commons@1.1.0-6-next.6
-
-## 1.0.1-6-next.5
-
-### Patch Changes
-
-- @verdaccio/test-cli-commons@1.0.1-6-next.5
-
-## 1.0.1-6-next.4
-
-### Patch Changes
-
-- @verdaccio/test-cli-commons@1.0.1-6-next.4
-
-## 1.0.1-6-next.3
-
-### Patch Changes
-
-- 351aeeaa: fix(deps): @verdaccio/utils should be a prod dep of local-storage
-- Updated dependencies [351aeeaa]
-  - @verdaccio/test-cli-commons@1.0.1-6-next.3
-
-## 1.0.1-6-next.2
-
-### Patch Changes
-
-- @verdaccio/test-cli-commons@1.0.1-6-next.2
-
-## 1.0.1-6-next.1
-
-### Patch Changes
-
-- @verdaccio/test-cli-commons@1.0.1-6-next.1
-
-## 1.0.1-6-next.0
-
-### Patch Changes
-
-- @verdaccio/test-cli-commons@1.0.1-6-next.0

e2e/cli/e2e-pnpm7/deprecate.spec.ts

@@ -1,115 +0,0 @@
-import {
-  addRegistry,
-  initialSetup,
-  pnpmUtils,
-  prepareGenericEmptyProject,
-} from '@verdaccio/test-cli-commons';
-
-import { pnpm } from './utils';
-
-describe('deprecate a package', () => {
-  jest.setTimeout(20000);
-  let registry;
-
-  async function deprecate(tempFolder, packageVersion, registry, message) {
-    await pnpm(
-      { cwd: tempFolder },
-      'deprecate',
-      packageVersion,
-      message,
-      '--json',
-      ...addRegistry(registry.getRegistryUrl())
-    );
-  }
-
-  beforeAll(async () => {
-    const setup = await initialSetup();
-    registry = setup.registry;
-    await registry.init();
-  });
-
-  test.each([['@verdaccio/deprecated-1']])(
-    'should deprecate a single package %s',
-    async (pkgName) => {
-      const message = 'some message';
-      const { tempFolder } = await prepareGenericEmptyProject(
-        pkgName,
-        '1.0.0',
-        registry.port,
-        registry.getToken(),
-        registry.getRegistryUrl()
-      );
-      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-      // deprecate one version
-      await deprecate(tempFolder, `${pkgName}@1.0.0`, registry, message);
-      // verify is deprecated
-      const infoBody = await pnpmUtils.getInfoVersions(pnpm, `${pkgName}`, registry);
-      expect(infoBody.name).toEqual(pkgName);
-      expect(infoBody.deprecated).toEqual(message);
-    }
-  );
-
-  test.each([['@verdaccio/deprecated-2']])('should un-deprecate a package %s', async (pkgName) => {
-    const message = 'some message';
-    const { tempFolder } = await prepareGenericEmptyProject(
-      pkgName,
-      '1.0.0',
-      registry.port,
-      registry.getToken(),
-      registry.getRegistryUrl()
-    );
-    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-    // deprecate one version
-    await deprecate(tempFolder, `${pkgName}@1.0.0`, registry, message);
-    // verify is deprecated
-    const infoBody = await pnpmUtils.getInfoVersions(pnpm, `${pkgName}`, registry);
-    expect(infoBody.deprecated).toEqual(message);
-    // empty string is same as undeprecate
-    await deprecate(tempFolder, `${pkgName}@1.0.0`, registry, '');
-    const infoBody2 = await pnpmUtils.getInfoVersions(pnpm, `${pkgName}`, registry);
-    expect(infoBody2.deprecated).toBeUndefined();
-  });
-
-  test.each([['@verdaccio/deprecated-3']])(
-    'should deprecate a multiple packages %s',
-    async (pkgName) => {
-      const message = 'some message';
-      const { tempFolder } = await prepareGenericEmptyProject(
-        pkgName,
-        '1.0.0',
-        registry.port,
-        registry.getToken(),
-        registry.getRegistryUrl()
-      );
-      // publish 1.0.0
-      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-      // publish 1.1.0
-      await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
-      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-      // publish 1.2.0
-      await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
-      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-      // publish 1.3.0
-      await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
-      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-      // // deprecate all version
-      await deprecate(tempFolder, pkgName, registry, message);
-      // verify is deprecated
-      for (let v of ['1.0.0', '1.1.0', '1.2.0', '1.3.0']) {
-        const infoResp = await pnpmUtils.getInfoVersions(pnpm, `${pkgName}@${v}`, registry);
-        expect(infoResp.deprecated).toEqual(message);
-      }
-      // publish normal version
-      // publish 1.4.0
-      await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
-      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-      const infoResp = await pnpmUtils.getInfoVersions(pnpm, `${pkgName}@1.4.0`, registry);
-      // must be not deprecated
-      expect(infoResp.deprecated).toBeUndefined();
-    }
-  );
-
-  afterAll(async () => {
-    registry.stop();
-  });
-});

e2e/cli/e2e-pnpm7/dist-tags.spec.ts

@@ -1,91 +0,0 @@
-import {
-  addRegistry,
-  initialSetup,
-  pnpmUtils,
-  prepareGenericEmptyProject,
-} from '@verdaccio/test-cli-commons';
-
-import { pnpm } from './utils';
-
-describe('publish a package', () => {
-  jest.setTimeout(20000);
-  let registry;
-
-  beforeAll(async () => {
-    const setup = await initialSetup();
-    registry = setup.registry;
-    await registry.init();
-  });
-
-  test.each([['@foo/foo', 'foo']])('should list dist-tags for %s', async (pkgName) => {
-    const { tempFolder } = await prepareGenericEmptyProject(
-      pkgName,
-      '1.0.0',
-      registry.port,
-      registry.getToken(),
-      registry.getRegistryUrl()
-    );
-    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-    await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
-    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry, ['--tag', 'beta']);
-    const resp2 = await pnpm(
-      { cwd: tempFolder },
-      'dist-tag',
-      'ls',
-      '--json',
-      ...addRegistry(registry.getRegistryUrl())
-    );
-    expect(resp2.stdout).toEqual('beta: 1.1.0latest: 1.0.0');
-  });
-
-  test.each([['@verdaccio/bar']])('should remove tag with dist-tags for %s', async (pkgName) => {
-    const { tempFolder } = await prepareGenericEmptyProject(
-      pkgName,
-      '1.0.0',
-      registry.port,
-      registry.getToken(),
-      registry.getRegistryUrl()
-    );
-    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-    await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
-    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry, ['--tag', 'beta']);
-    const resp2 = await pnpm(
-      { cwd: tempFolder },
-      'dist-tag',
-      'rm',
-      `${pkgName}@1.1.0`,
-      'beta',
-      ...addRegistry(registry.getRegistryUrl())
-    );
-    expect(resp2.stdout).toEqual('-beta: @verdaccio/bar@1.1.0');
-  });
-
-  test.each([['@verdaccio/five']])(
-    'should add tag to package and version with dist-tags for %s',
-    async (pkgName) => {
-      const { tempFolder } = await prepareGenericEmptyProject(
-        pkgName,
-        '1.0.0',
-        registry.port,
-        registry.getToken(),
-        registry.getRegistryUrl()
-      );
-      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-      await pnpmUtils.bumbUp(pnpm, tempFolder, registry);
-      await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-      const resp2 = await pnpm(
-        { cwd: tempFolder },
-        'dist-tag',
-        'add',
-        `${pkgName}@1.1.0`,
-        'alfa',
-        ...addRegistry(registry.getRegistryUrl())
-      );
-      expect(resp2.stdout).toEqual(`+alfa: ${pkgName}@1.1.0`);
-    }
-  );
-
-  afterAll(async () => {
-    registry.stop();
-  });
-});

e2e/cli/e2e-pnpm7/info.spec.ts

@@ -1,31 +0,0 @@
-import { addRegistry, initialSetup } from '@verdaccio/test-cli-commons';
-
-import { pnpm } from './utils';
-
-describe('install a package', () => {
-  jest.setTimeout(10000);
-  let registry;
-
-  beforeAll(async () => {
-    const setup = await initialSetup();
-    registry = setup.registry;
-    await registry.init();
-  });
-
-  test('should run pnpm info json body', async () => {
-    const resp = await pnpm(
-      {},
-      'info',
-      'verdaccio',
-      '--json',
-      ...addRegistry(registry.getRegistryUrl())
-    );
-    const parsedBody = JSON.parse(resp.stdout as string);
-    expect(parsedBody.name).toEqual('verdaccio');
-    expect(parsedBody.dependencies).toBeDefined();
-  });
-
-  afterAll(async () => {
-    registry.stop();
-  });
-});

e2e/cli/e2e-pnpm7/install.spec.ts

@@ -1,36 +0,0 @@
-import { addRegistry, initialSetup, prepareGenericEmptyProject } from '@verdaccio/test-cli-commons';
-
-import { pnpm } from './utils';
-
-describe('install a project packages', () => {
-  jest.setTimeout(80000);
-  let registry;
-
-  beforeAll(async () => {
-    const setup = await initialSetup();
-    registry = setup.registry;
-    await registry.init();
-  });
-
-  test('should run npm install json body', async () => {
-    const { tempFolder } = await prepareGenericEmptyProject(
-      'something',
-      '1.0.0-patch',
-      registry.port,
-      registry.getToken(),
-      registry.getRegistryUrl(),
-      { react: '18.2.0' }
-    );
-    const resp = await pnpm(
-      { cwd: tempFolder },
-      'install',
-      '--reporter=default',
-      ...addRegistry(registry.getRegistryUrl())
-    );
-    expect(resp.stdout).toMatch(/react/);
-  });
-
-  afterAll(async () => {
-    registry.stop();
-  });
-});

e2e/cli/e2e-pnpm7/jest.config.js

@@ -1,3 +0,0 @@
-const config = require('../jest.config');
-
-module.exports = { ...config };

e2e/cli/e2e-pnpm7/ping.spec.ts

@@ -1,24 +0,0 @@
-import { addRegistry, initialSetup } from '@verdaccio/test-cli-commons';
-
-import { pnpm } from './utils';
-
-describe('ping registry', () => {
-  jest.setTimeout(10000);
-  let registry;
-
-  beforeAll(async () => {
-    const setup = await initialSetup();
-    registry = setup.registry;
-    await registry.init();
-  });
-
-  test('should ping registry', async () => {
-    const resp = await pnpm({}, 'ping', '--json', ...addRegistry(registry.getRegistryUrl()));
-    const parsedBody = JSON.parse(resp.stdout as string);
-    expect(parsedBody.registry).toEqual(registry.getRegistryUrl() + '/');
-  });
-
-  afterAll(async () => {
-    registry.stop();
-  });
-});

e2e/cli/e2e-pnpm7/publish.spec.ts

@@ -1,41 +0,0 @@
-import { addRegistry, initialSetup, prepareGenericEmptyProject } from '@verdaccio/test-cli-commons';
-
-import { pnpm } from './utils';
-
-describe('install a package', () => {
-  jest.setTimeout(10000);
-  let registry;
-
-  beforeAll(async () => {
-    const setup = await initialSetup();
-    registry = setup.registry;
-    await registry.init();
-  });
-
-  test.each([['verdaccio-memory', 'verdaccio', '@verdaccio/foo', '@verdaccio/some-foo']])(
-    'should publish a package %s',
-    async (pkgName) => {
-      const { tempFolder } = await prepareGenericEmptyProject(
-        pkgName,
-        '1.0.0-patch',
-        registry.port,
-        registry.getToken(),
-        registry.getRegistryUrl()
-      );
-      const resp = await pnpm(
-        { cwd: tempFolder },
-        'publish',
-        '--json',
-        ...addRegistry(registry.getRegistryUrl())
-      );
-      const parsedBody = JSON.parse(resp.stdout as string);
-      expect(parsedBody.name).toEqual(pkgName);
-      expect(parsedBody.files).toBeDefined();
-      expect(parsedBody.files).toBeDefined();
-    }
-  );
-
-  afterAll(async () => {
-    registry.stop();
-  });
-});

e2e/cli/e2e-pnpm7/search.spec.ts

@@ -1,33 +0,0 @@
-import { addRegistry, initialSetup } from '@verdaccio/test-cli-commons';
-
-import { pnpm } from './utils';
-
-describe('search a package', () => {
-  jest.setTimeout(10000);
-  let registry;
-
-  beforeAll(async () => {
-    const setup = await initialSetup();
-    registry = setup.registry;
-    await registry.init();
-  });
-
-  test('should search a package', async () => {
-    const resp = await pnpm(
-      {},
-      'search',
-      '@verdaccio/cli',
-      '--json',
-      ...addRegistry(registry.getRegistryUrl())
-    );
-    const parsedBody = JSON.parse(resp.stdout as string);
-    const pkgFind = parsedBody.find((item) => {
-      return item.name === '@verdaccio/cli';
-    });
-    expect(pkgFind.name).toEqual('@verdaccio/cli');
-  });
-
-  afterAll(async () => {
-    registry.stop();
-  });
-});

e2e/cli/e2e-pnpm7/star.spec.ts

@@ -1,89 +0,0 @@
-import {
-  addRegistry,
-  initialSetup,
-  pnpmUtils,
-  prepareGenericEmptyProject,
-} from '@verdaccio/test-cli-commons';
-
-import { pnpm } from './utils';
-
-describe('star a package', () => {
-  jest.setTimeout(20000);
-  let registry;
-
-  beforeAll(async () => {
-    const setup = await initialSetup();
-    registry = setup.registry;
-    await registry.init();
-  });
-
-  test.each([['@verdaccio/foo']])('should star a package %s', async (pkgName) => {
-    const { tempFolder } = await prepareGenericEmptyProject(
-      pkgName,
-      '1.0.0-patch',
-      registry.port,
-      registry.getToken(),
-      registry.getRegistryUrl()
-    );
-
-    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-    const resp = await pnpm(
-      { cwd: tempFolder },
-      'star',
-      pkgName,
-      ...addRegistry(registry.getRegistryUrl())
-    );
-    expect(resp.stdout).toEqual(`★  ${pkgName}`);
-  });
-
-  test.each([['@verdaccio/bar']])('should unstar a package %s', async (pkgName) => {
-    const { tempFolder } = await prepareGenericEmptyProject(
-      pkgName,
-      '1.0.0-patch',
-      registry.port,
-      registry.getToken(),
-      registry.getRegistryUrl()
-    );
-
-    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-    const resp = await pnpm(
-      { cwd: tempFolder },
-      'star',
-      pkgName,
-      ...addRegistry(registry.getRegistryUrl())
-    );
-    expect(resp.stdout).toEqual(`★  ${pkgName}`);
-
-    const resp1 = await pnpm(
-      { cwd: tempFolder },
-      'unstar',
-      pkgName,
-      ...addRegistry(registry.getRegistryUrl())
-    );
-    expect(resp1.stdout).toEqual(`☆  ${pkgName}`);
-  });
-
-  test('should list stars of a user %s', async () => {
-    const pkgName = '@verdaccio/stars';
-    const { tempFolder } = await prepareGenericEmptyProject(
-      pkgName,
-      '1.0.0-patch',
-      registry.port,
-      registry.getToken(),
-      registry.getRegistryUrl()
-    );
-    await pnpmUtils.publish(pnpm, tempFolder, pkgName, registry);
-    await pnpm({ cwd: tempFolder }, 'star', pkgName, ...addRegistry(registry.getRegistryUrl()));
-    const resp = await pnpm(
-      { cwd: tempFolder },
-      'stars',
-      ...addRegistry(registry.getRegistryUrl())
-    );
-    // side effects: this result is affected the the package published in the previous step
-    expect(resp.stdout).toEqual(`@verdaccio/foo@verdaccio/stars`);
-  });
-
-  afterAll(async () => {
-    registry.stop();
-  });
-});

e2e/cli/e2e-pnpm7/tsconfig.json

@@ -1,8 +0,0 @@
-{
-  "extends": "../../../tsconfig.reference.json",
-  "references": [
-    {
-      "path": "../cli-commons"
-    }
-  ]
-}

e2e/cli/e2e-pnpm8/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "pnpm": "^8.0.0-alpha.0"
+    "pnpm": "8.15.5"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-pnpm9/package.json

@@ -1,10 +1,10 @@
 {
   "private": true,
-  "name": "@verdaccio/e2e-cli-pnpm7",
+  "name": "@verdaccio/e2e-cli-pnpm9",
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "pnpm": "^7.27.1"
+    "pnpm": "9.0.0-alpha.10"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn1/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "yarn": "1.22.21"
+    "yarn": "1.22.22"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn3/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "@yarnpkg/cli-dist": "3.8.0"
+    "@yarnpkg/cli-dist": "3.8.1"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn4/package.json

@@ -3,7 +3,7 @@
   "name": "@verdaccio/e2e-cli-yarn4",
   "version": "1.0.1",
   "dependencies": {
-    "@yarnpkg/cli-dist": "4.1.0",
+    "@yarnpkg/cli-dist": "4.1.1",
     "@verdaccio/test-cli-commons": "workspace:1.1.0"
   },
   "scripts": {

e2e/ui/package.json

@@ -3,9 +3,9 @@
   "name": "@verdaccio/e2e-ui",
   "version": "2.0.0",
   "devDependencies": {
-    "verdaccio": "workspace:7.0.0-next-7.12",
-    "@verdaccio/core": "workspace:7.0.0-next-7.12",
-    "@verdaccio/config": "workspace:7.0.0-next-7.12",
+    "verdaccio": "workspace:7.0.0-next-7.16",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
     "debug": "4.3.4",
     "cypress": "^13.6.0",

netlify.toml

@@ -1,7 +1,7 @@
 [[headers]]
 for = "/*"
 [headers.values]
-X-Frame-Options = "DENY"
+X-Frame-Options = "SAMEORIGIN"
 X-XSS-Protection = "1; mode=block"
 X-Content-Type-Options = "nosniff"
 Referrer-Policy = "no-referrer"

packages/api/CHANGELOG.md

@@ -1,5 +1,62 @@
 # @verdaccio/api
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- Updated dependencies [e5624e1]
+- Updated dependencies [5bfab62]
+  - @verdaccio/store@7.0.0-next-7.16
+  - @verdaccio/logger@7.0.0-next-7.16
+  - @verdaccio/middleware@7.0.0-next-7.16
+  - @verdaccio/auth@7.0.0-next-7.16
+  - @verdaccio/core@7.0.0-next-7.16
+  - @verdaccio/config@7.0.0-next-7.16
+  - @verdaccio/utils@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [7400830]
+- Updated dependencies [bd8703e]
+  - @verdaccio/store@7.0.0-next-7.15
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/auth@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/middleware@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- Updated dependencies [b0946b2]
+- Updated dependencies [f967a69]
+- Updated dependencies [4dc62a8]
+- Updated dependencies [253cc13]
+  - @verdaccio/middleware@7.0.0-next-7.14
+  - @verdaccio/store@7.0.0-next-7.14
+  - @verdaccio/auth@7.0.0-next-7.14
+  - @verdaccio/core@7.0.0-next-7.14
+  - @verdaccio/config@7.0.0-next-7.14
+  - @verdaccio/utils@7.0.0-next-7.14
+  - @verdaccio/logger@7.0.0-next-7.14
+
+## 7.0.0-next-7.13
+
+### Patch Changes
+
+- Updated dependencies [a99a4bb]
+  - @verdaccio/config@7.0.0-next-7.13
+  - @verdaccio/auth@7.0.0-next-7.13
+  - @verdaccio/middleware@7.0.0-next-7.13
+  - @verdaccio/store@7.0.0-next-7.13
+  - @verdaccio/logger@7.0.0-next-7.13
+  - @verdaccio/core@7.0.0-next-7.13
+  - @verdaccio/utils@7.0.0-next-7.13
+
 ## 7.0.0-next-7.12
 
 ### Patch Changes

packages/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/api",
-  "version": "7.0.0-next-7.12",
+  "version": "7.0.0-next-7.16",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,25 +38,25 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.12",
-    "@verdaccio/config": "workspace:7.0.0-next-7.12",
-    "@verdaccio/core": "workspace:7.0.0-next-7.12",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.12",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.12",
-    "@verdaccio/store": "workspace:7.0.0-next-7.12",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.12",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.16",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.16",
+    "@verdaccio/store": "workspace:7.0.0-next-7.16",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.16",
     "abortcontroller-polyfill": "1.7.5",
     "body-parser": "1.20.2",
     "cookies": "0.9.0",
     "debug": "4.3.4",
-    "express": "4.18.2",
+    "express": "4.19.2",
     "lodash": "4.17.21",
     "mime": "2.6.0",
     "semver": "7.6.0"
   },
   "devDependencies": {
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "mockdate": "3.0.5",
     "nock": "13.5.1",
     "supertest": "6.3.4"

packages/auth/CHANGELOG.md

@@ -1,5 +1,61 @@
 # @verdaccio/auth
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.16
+- @verdaccio/loaders@7.0.0-next-7.16
+- verdaccio-htpasswd@12.0.0-next-7.16
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/config@7.0.0-next-7.16
+- @verdaccio/utils@7.0.0-next-7.16
+- @verdaccio/signature@7.0.0-next-7.5
+
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/loaders@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - verdaccio-htpasswd@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- 4dc62a8: fix: adduser error message grammar (@tobbe in #4586)
+- Updated dependencies [b6d5652]
+  - @verdaccio/signature@7.0.0-next-7.4
+  - @verdaccio/core@7.0.0-next-7.14
+  - @verdaccio/config@7.0.0-next-7.14
+  - @verdaccio/loaders@7.0.0-next-7.14
+  - verdaccio-htpasswd@12.0.0-next-7.14
+  - @verdaccio/utils@7.0.0-next-7.14
+  - @verdaccio/logger@7.0.0-next-7.14
+
+## 7.0.0-next-7.13
+
+### Patch Changes
+
+- Updated dependencies [a99a4bb]
+  - @verdaccio/config@7.0.0-next-7.13
+  - @verdaccio/loaders@7.0.0-next-7.13
+  - verdaccio-htpasswd@12.0.0-next-7.13
+  - @verdaccio/signature@7.0.0-next.3
+  - @verdaccio/logger@7.0.0-next-7.13
+  - @verdaccio/core@7.0.0-next-7.13
+  - @verdaccio/utils@7.0.0-next-7.13
+
 ## 7.0.0-next-7.12
 
 ### Patch Changes

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/auth",
-  "version": "7.0.0-next-7.12",
+  "version": "7.0.0-next-7.16",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,21 +38,21 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.12",
-    "@verdaccio/config": "workspace:7.0.0-next-7.12",
-    "@verdaccio/loaders": "workspace:7.0.0-next-7.12",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.12",
-    "@verdaccio/signature": "workspace:7.0.0-next.3",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.12",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/loaders": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
+    "@verdaccio/signature": "workspace:7.0.0-next-7.5",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.16",
     "debug": "4.3.4",
     "lodash": "4.17.21",
-    "verdaccio-htpasswd": "workspace:12.0.0-next-7.12"
+    "verdaccio-htpasswd": "workspace:12.0.0-next-7.16"
   },
   "devDependencies": {
-    "express": "4.18.2",
+    "express": "4.19.2",
     "supertest": "6.3.4",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.12",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.16",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/auth/src/auth.ts

@@ -13,7 +13,6 @@ import {
   pluginUtils,
   warningUtils,
 } from '@verdaccio/core';
-import '@verdaccio/core';
 import { asyncLoadPlugin } from '@verdaccio/loaders';
 import { logger } from '@verdaccio/logger';
 import {
@@ -21,6 +20,7 @@ import {
   aesEncryptDeprecated,
   parseBasicPayload,
   signPayload,
+  utils as signatureUtils,
 } from '@verdaccio/signature';
 import {
   AllowAccess,
@@ -239,7 +239,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
           password,
           function (err: VerdaccioError | null, ok?: boolean | string): void {
             if (err) {
-              debug('the user %o could not being added. Error: %o', user, err?.message);
+              debug('the user %o could not be added. Error: %o', user, err?.message);
               return cb(err);
             }
             if (ok) {
@@ -481,14 +481,9 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     next: Function
   ): void {
     debug('handle legacy api middleware');
-    debug('api middleware secret %o', typeof secret === 'string');
+    debug('api middleware has a secret? %o', typeof secret === 'string');
     debug('api middleware authorization %o', typeof authorization === 'string');
-    const credentials: any = getMiddlewareCredentials(
-      security,
-      secret,
-      authorization,
-      this.config?.getEnhancedLegacySignature()
-    );
+    const credentials: any = getMiddlewareCredentials(security, secret, authorization);
     debug('api middleware credentials %o', credentials?.name);
     if (credentials) {
       const { user, password } = credentials;
@@ -588,13 +583,12 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
    * Encrypt a string.
    */
   public aesEncrypt(value: string): string | void {
-    // enhancedLegacySignature enables modern aes192 algorithm signature
-    if (this.config?.getEnhancedLegacySignature()) {
-      debug('signing with enhaced aes legacy');
+    if (this.secret.length === signatureUtils.TOKEN_VALID_LENGTH) {
+      debug('signing with enhanced aes legacy');
       const token = aesEncrypt(value, this.secret);
       return token;
     } else {
-      debug('signing with enhaced aes deprecated legacy');
+      debug('signing with enhanced aes deprecated legacy');
       // deprecated aes (legacy) signature, only must be used for legacy version
       const token = aesEncryptDeprecated(Buffer.from(value), this.secret).toString('base64');
       return token;

packages/auth/src/signature.ts

@@ -1,66 +0,0 @@
-import buildDebug from 'debug';
-import _ from 'lodash';
-
-import { TOKEN_BASIC, TOKEN_BEARER } from '@verdaccio/core';
-import { aesDecrypt, parseBasicPayload } from '@verdaccio/signature';
-import { Security } from '@verdaccio/types';
-
-import { AuthMiddlewarePayload } from './types';
-import {
-  convertPayloadToBase64,
-  isAESLegacy,
-  parseAuthTokenHeader,
-  verifyJWTPayload,
-} from './utils';
-
-const debug = buildDebug('verdaccio:auth:utils');
-
-export function parseAESCredentials(authorizationHeader: string, secret: string) {
-  debug('parseAESCredentials');
-  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
-
-  // basic is deprecated and should not be enforced
-  // basic is currently being used for functional test
-  if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
-    debug('legacy header basic');
-    const credentials = convertPayloadToBase64(token).toString();
-
-    return credentials;
-  } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
-    debug('legacy header bearer');
-    const credentials = aesDecrypt(token, secret);
-
-    return credentials;
-  }
-}
-
-export function getMiddlewareCredentials(
-  security: Security,
-  secretKey: string,
-  authorizationHeader: string
-): AuthMiddlewarePayload {
-  debug('getMiddlewareCredentials');
-  // comment out for debugging purposes
-  if (isAESLegacy(security)) {
-    debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey);
-    if (!credentials) {
-      debug('parse legacy credentials failed');
-      return;
-    }
-
-    const parsedCredentials = parseBasicPayload(credentials);
-    if (!parsedCredentials) {
-      debug('parse legacy basic payload credentials failed');
-      return;
-    }
-
-    return parsedCredentials;
-  }
-  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
-
-  debug('is jwt');
-  if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
-    return verifyJWTPayload(token, secretKey);
-  }
-}

packages/auth/src/utils.ts

@@ -40,12 +40,8 @@ export function parseAuthTokenHeader(authorizationHeader: string): AuthTokenHead
   return { scheme, token };
 }
 
-export function parseAESCredentials(
-  authorizationHeader: string,
-  secret: string,
-  enhanced: boolean
-) {
-  debug('parseAESCredentials');
+export function parseAESCredentials(authorizationHeader: string, secret: string) {
+  debug('parseAESCredentials init');
   const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
 
   // basic is deprecated and should not be enforced
@@ -57,27 +53,29 @@ export function parseAESCredentials(
     return credentials;
   } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
     debug('legacy header bearer');
-    debug('legacy header enhanced?', enhanced);
-    const credentials = enhanced
-      ? aesDecrypt(token.toString(), secret)
-      : // FUTURE: once deprecated legacy is removed this logic won't be longer need it
-        aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
-
-    return credentials;
+    debug('secret length %o', secret.length);
+    const isLegacyUnsecure = secret.length > 32;
+    debug('is legacy unsecure %o', isLegacyUnsecure);
+    if (isLegacyUnsecure) {
+      debug('legacy unsecure enabled');
+      return aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
+    } else {
+      debug('legacy secure enabled');
+      return aesDecrypt(token.toString(), secret);
+    }
   }
 }
 
 export function getMiddlewareCredentials(
   security: Security,
   secretKey: string,
-  authorizationHeader: string,
-  enhanced: boolean = true
+  authorizationHeader: string
 ): AuthMiddlewarePayload {
-  debug('getMiddlewareCredentials');
+  debug('getMiddlewareCredentials init');
   // comment out for debugging purposes
   if (isAESLegacy(security)) {
     debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey, enhanced);
+    const credentials = parseAESCredentials(authorizationHeader, secretKey);
     if (!credentials) {
       debug('parse legacy credentials failed');
       return;

packages/auth/test/auth.spec.ts

@@ -601,16 +601,14 @@ describe('AuthTest', () => {
           });
         });
 
-        describe('deprecated legacy handling forceEnhancedLegacySignature=false', () => {
+        describe('deprecated legacy handling', () => {
           test('should handle valid auth token', async () => {
             const payload = 'juan:password';
             // const token = await signPayload(remoteUser, '12345');
-            const config: Config = new AppConfig(
-              { ...authProfileConf },
-              { forceEnhancedLegacySignature: false }
-            );
+            const config: Config = new AppConfig({ ...authProfileConf });
             // intended to force key generator (associated with mocks above)
-            config.checkSecretKey(undefined);
+            // 64 characters secret long
+            config.checkSecretKey('35fabdd29b820d39125e76e6d85cc294');
             const auth = new Auth(config);
             await auth.init();
             const token = auth.aesEncrypt(payload) as string;
@@ -624,10 +622,7 @@ describe('AuthTest', () => {
 
           test('should handle invalid auth token', async () => {
             const payload = 'juan:password';
-            const config: Config = new AppConfig(
-              { ...authPluginFailureConf },
-              { forceEnhancedLegacySignature: false }
-            );
+            const config: Config = new AppConfig({ ...authPluginFailureConf });
             // intended to force key generator (associated with mocks above)
             config.checkSecretKey(undefined);
             const auth = new Auth(config);
@@ -691,8 +686,7 @@ describe('AuthTest', () => {
               {
                 ...authProfileConf,
                 ...{ security: { api: { jwt: { sign: { expiresIn: '29d' } } } } },
-              },
-              { forceEnhancedLegacySignature: false }
+              }
             );
             // intended to force key generator (associated with mocks above)
             config.checkSecretKey(undefined);
@@ -700,7 +694,6 @@ describe('AuthTest', () => {
             await auth.init();
             const token = (await auth.jwtEncrypt(
               createRemoteUser('jwt_user', [ROLES.ALL]),
-              // @ts-expect-error
               config.security.api.jwt.sign
             )) as string;
             const app = await getServer(auth);

packages/cli/CHANGELOG.md

@@ -1,5 +1,43 @@
 # @verdaccio/cli
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.16
+- @verdaccio/node-api@7.0.0-next-7.16
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/config@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/node-api@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/node-api@7.0.0-next-7.14
+- @verdaccio/core@7.0.0-next-7.14
+- @verdaccio/config@7.0.0-next-7.14
+- @verdaccio/logger@7.0.0-next-7.14
+
+## 7.0.0-next-7.13
+
+### Patch Changes
+
+- Updated dependencies [a99a4bb]
+  - @verdaccio/config@7.0.0-next-7.13
+  - @verdaccio/node-api@7.0.0-next-7.13
+  - @verdaccio/logger@7.0.0-next-7.13
+  - @verdaccio/core@7.0.0-next-7.13
+
 ## 7.0.0-next-7.12
 
 ### Patch Changes

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/cli",
-  "version": "7.0.0-next-7.12",
+  "version": "7.0.0-next-7.16",
   "author": {
     "name": "Juan Picado",
     "email": "juanpicado19@gmail.com"
@@ -43,10 +43,10 @@
     "start": "ts-node src/index.ts"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.12",
-    "@verdaccio/config": "workspace:7.0.0-next-7.12",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.12",
-    "@verdaccio/node-api": "workspace:7.0.0-next-7.12",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/config": "workspace:7.0.0-next-7.16",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.16",
+    "@verdaccio/node-api": "workspace:7.0.0-next-7.16",
     "clipanion": "3.2.1",
     "envinfo": "7.11.0",
     "kleur": "4.1.5",

packages/config/CHANGELOG.md

@@ -1,5 +1,39 @@
 # @verdaccio/config
 
+## 7.0.0-next-7.16
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.16
+- @verdaccio/utils@7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
+## 7.0.0-next-7.14
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.14
+- @verdaccio/utils@7.0.0-next-7.14
+
+## 7.0.0-next-7.13
+
+### Patch Changes
+
+- a99a4bb: fix config builder erroring when passed partial config
+  - @verdaccio/core@7.0.0-next-7.13
+  - @verdaccio/utils@7.0.0-next-7.13
+
 ## 7.0.0-next-7.12
 
 ### Patch Changes

packages/config/README.md

@@ -1,5 +1,74 @@
 # @verdaccio/config
 
+## Overview
+
+The `@verdaccio/config` package provides a powerful configuration builder constructor for programmatically creating configuration objects for Verdaccio, a lightweight private npm proxy registry. With this package, users can easily manage various configuration aspects such as package access, uplinks, security settings, authentication, logging, and storage options.
+
+## Installation
+
+You can install via npm:
+
+```bash
+npm install @verdaccio/config
+```
+
+## Usage
+
+To start using `@verdaccio/config`, import the `ConfigBuilder` class and begin constructing your configuration object:
+
+## `ConfigBuilder` constructor
+
+The `ConfigBuilder` class is a helper configuration builder constructor used to programmatically create configuration objects for testing or other purposes.
+
+```typescript
+
+import { ConfigBuilder } from '@verdaccio/config';
+
+// Create a new configuration builder instance
+const config = ConfigBuilder.build({ security: { api: { legacy: false } } });
+
+// Add package access configuration
+configBuilder.addPackageAccess('@scope/*', { access: 'read', publish: 'write' });
+
+// Add an uplink configuration
+configBuilder.addUplink('npmjs', { url: 'https://registry.npmjs.org/' });
+
+// Add security configuration
+configBuilder.addSecurity({ allow_offline: true });
+
+// Get the configuration object
+const config = configBuilder.getConfig();
+
+// Get the configuration yaml text
+const config = configBuilder.getAsYaml();
+```
+
+### Methods
+
+- `addPackageAccess(pattern: string, pkgAccess: PackageAccessYaml)`: Adds package access configuration.
+- `addUplink(id: string, uplink: UpLinkConf)`: Adds an uplink configuration.
+- `addSecurity(security: Partial<Security>)`: Adds security configuration.
+- `addAuth(auth: Partial<AuthConf>)`: Adds authentication configuration.
+- `addLogger(log: LoggerConfItem)`: Adds logger configuration.
+- `addStorage(storage: string | object)`: Adds storage configuration.
+- `getConfig(): ConfigYaml`: Retrieves the configuration object.
+- `getAsYaml(): string`: Retrieves the configuration object as YAML format.
+
+## `getDefaultConfig`
+
+This method is available in the package's index and retrieves the default configuration object.
+
+```typescript
+import { getDefaultConfig } from '@verdaccio/config';
+
+const defaultConfig = getDefaultConfig();
+```
+
+## Other Methods
+
+- `fromJStoYAML(config: ConfigYaml): string`: Converts a JavaScript configuration object to YAML format.
+- `parseConfigFile(filePath: string): ConfigYaml`: Parses a configuration file from the specified path and returns the configuration object.
+
 ### License
 
 Verdaccio is [MIT licensed](https://github.com/verdaccio/verdaccio/blob/master/LICENSE)

packages/config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/config",
-  "version": "7.0.0-next-7.12",
+  "version": "7.0.0-next-7.16",
   "description": "logger",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,8 +38,8 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.12",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.12",
+    "@verdaccio/core": "workspace:7.0.0-next-7.16",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.16",
     "debug": "4.3.4",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",

packages/config/src/builder.ts

@@ -19,8 +19,7 @@ export default class ConfigBuilder {
   private config: ConfigYaml;
 
   public constructor(config?: Partial<ConfigYaml>) {
-    // @ts-ignore
-    this.config = config ?? { uplinks: {}, packages: {}, security: {} };
+    this.config = merge(config, { uplinks: {}, packages: {}, security: {} });
   }
 
   public static build(config?: Partial<ConfigYaml>): ConfigBuilder {

packages/config/src/config.ts

@@ -36,6 +36,13 @@ export const defaultUserRateLimiting = {
   max: 1000,
 };
 
+export function isNodeVersionGreaterThan21() {
+  const [major, minor] = process.versions.node.split('.').map(Number);
+  return major > 21 || (major === 21 && minor >= 0);
+}
+
+const TOKEN_VALID_LENGTH = 32;
+
 /**
  * Coordinates the application configuration
  */
@@ -56,21 +63,20 @@ class Config implements AppConfig {
   public plugins: string | void | null;
   public security: Security;
   public serverSettings: ServerSettingsConf;
+  private configOverrideOptions: { forceMigrateToSecureLegacySignature: boolean };
   // @ts-ignore
   public secret: string;
   public flags: FlagsConfig;
   public userRateLimit: RateLimit;
-  private configOptions: { forceEnhancedLegacySignature: boolean };
   public constructor(
     config: ConfigYaml & { config_path: string },
     // forceEnhancedLegacySignature is a property that
     // allows switch a new legacy aes signature token signature
     // for older versions do not want to have this new signature model
     // this property must be false
-    configOptions = { forceEnhancedLegacySignature: true }
+    configOverrideOptions = { forceMigrateToSecureLegacySignature: true }
   ) {
     const self = this;
-    this.configOptions = configOptions;
     this.storage = process.env.VERDACCIO_STORAGE_PATH || config.storage;
     if (!config.configPath) {
       // backport self_path for previous to version 6
@@ -80,11 +86,21 @@ class Config implements AppConfig {
         throw new Error('configPath property is required');
       }
     }
+    this.configOverrideOptions = configOverrideOptions;
     this.configPath = config.configPath;
     this.self_path = this.configPath;
     debug('config path: %s', this.configPath);
     this.plugins = config.plugins;
-    this.security = _.merge(defaultSecurity, config.security);
+    this.security = _.merge(
+      // override the default security configuration via constructor
+      _.merge(defaultSecurity, {
+        api: {
+          migrateToSecureLegacySignature:
+            this.configOverrideOptions.forceMigrateToSecureLegacySignature,
+        },
+      }),
+      config.security
+    );
     this.serverSettings = serverSettings;
     this.flags = {
       searchRemote: config.flags?.searchRemote ?? true,
@@ -135,14 +151,8 @@ class Config implements AppConfig {
     }
   }
 
-  public getEnhancedLegacySignature() {
-    if (typeof this?.security.enhancedLegacySignature !== 'undefined') {
-      if (this.security.enhancedLegacySignature === true) {
-        return true;
-      }
-      return false;
-    }
-    return this.configOptions.forceEnhancedLegacySignature;
+  public getMigrateToSecureLegacySignature() {
+    return this.security.api.migrateToSecureLegacySignature;
   }
 
   public getConfigPath() {
@@ -158,36 +168,70 @@ class Config implements AppConfig {
   }
 
   /**
-   * Store or create whether receive a secret key
+   * Verify if the secret complies with the required structure
+   *  - If the secret is not provided, it will generate a new one
+   *    - For any Node.js version the new secret will be 32 characters long (to allow compatibility with modern Node.js versions)
+   *  - If the secret is provided:
+   *    - If Node.js 22 or higher, the secret must be 32 characters long thus the application will fail on startup
+   *    - If Node.js 21 or lower, the secret will be used as is but will display a deprecation warning
+   *    - If the property `security.api.migrateToSecureLegacySignature` is provided and set to true, the secret will be
+   *      generated with the new signature model
    * @secret external secret key
    */
   public checkSecretKey(secret?: string): string {
-    debug('check secret key');
+    debug('checking secret key init');
     if (typeof secret === 'string' && _.isEmpty(secret) === false) {
+      debug('checking secret key length %s', secret.length);
+      if (secret.length > TOKEN_VALID_LENGTH) {
+        if (isNodeVersionGreaterThan21()) {
+          debug('is node version greater than 21');
+          if (this.getMigrateToSecureLegacySignature() === true) {
+            this.secret = generateRandomSecretKey();
+            debug('rewriting secret key with length %s', this.secret.length);
+            return this.secret;
+          }
+          // oops, user needs to generate a new secret key
+          debug(
+            'secret does not comply with the required length, current length  %d, application will fail on startup',
+            secret.length
+          );
+          throw new Error(
+            `Invalid storage secret key length, must be 32 characters long but is ${secret.length}. 
+            The secret length in Node.js 22 or higher must be 32 characters long. Please consider generate a new one. 
+            Learn more at https://verdaccio.org/docs/configuration/#.verdaccio-db`
+          );
+        } else {
+          debug('is node version lower than 22');
+          if (this.getMigrateToSecureLegacySignature() === true) {
+            this.secret = generateRandomSecretKey();
+            debug('rewriting secret key with length %s', this.secret.length);
+            return this.secret;
+          }
+          debug('triggering deprecation warning for secret key length %s', secret.length);
+          // still using Node.js versions previous to 22, but we need to emit a deprecation warning
+          // deprecation warning, secret key is too long and must be 32
+          // this will be removed in the next major release and will produce an error
+          warningUtils.emit(Codes.VERWAR007);
+          this.secret = secret;
+          return this.secret;
+        }
+      } else if (secret.length === TOKEN_VALID_LENGTH) {
+        debug('detected valid secret key length %s', secret.length);
+        this.secret = secret;
+        return this.secret;
+      }
+      debug('reusing previous key with length %s', secret.length);
       this.secret = secret;
-      debug('reusing previous key');
-      return secret;
-    }
-    // generate a new a secret key
-    // FUTURE: this might be an external secret key, perhaps within config file?
-    debug('generating a new secret key');
-
-    if (this.getEnhancedLegacySignature()) {
-      debug('key generated with "enhanced" legacy signature user config');
-      this.secret = generateRandomSecretKey();
+      return this.secret;
     } else {
-      debug('key generated with legacy signature user config');
-      this.secret = generateRandomHexString(32);
-    }
-    // set this to false allow use old token signature and is not recommended
-    // only use for migration reasons, major release will remove this property and
-    // set it by default
-    if (this.security?.enhancedLegacySignature === false) {
-      warningUtils.emit(Codes.VERWAR005);
-    }
+      // generate a new a secret key
+      // FUTURE: this might be an external secret key, perhaps within config file?
+      debug('generating a new secret key');
+      this.secret = generateRandomSecretKey();
+      debug('generated a new secret key length %s', this.secret?.length);
 
-    debug('generated a new secret key length %s', this.secret?.length);
-    return this.secret;
+      return this.secret;
+    }
   }
 }
 

packages/config/src/security.ts

@@ -13,6 +13,7 @@ const defaultWebTokenOptions: JWTOptions = {
 
 const defaultApiTokenConf: APITokenOptions = {
   legacy: true,
+  migrateToSecureLegacySignature: true,
 };
 
 export const defaultSecurity: Security = {

packages/config/src/token.ts

@@ -1,9 +1,11 @@
 import { randomBytes } from 'crypto';
 
+// TODO: code duplicated at @verdaccio/signature
 export const TOKEN_VALID_LENGTH = 32;
 
 /**
  * Secret key must have 32 characters.
+ * // TODO: code duplicated at @verdaccio/signature
  */
 export function generateRandomSecretKey(): string {
   return randomBytes(TOKEN_VALID_LENGTH).toString('base64').substring(0, TOKEN_VALID_LENGTH);

packages/config/test/builder.spec.ts

@@ -67,5 +67,58 @@ describe('Config builder', () => {
       .addStorage('/tmp/verdaccio')
       .addSecurity({ api: { legacy: true } });
     expect(config.getAsYaml()).toMatchSnapshot();
+
+    expect(config.getConfig()).toEqual({
+      uplinks: {
+        upstream: {
+          url: 'https://registry.verdaccio.org',
+        },
+        upstream2: {
+          url: 'https://registry.verdaccio.org',
+        },
+      },
+      packages: {
+        'upstream/*': {
+          access: 'public',
+          publish: 'foo, bar',
+          unpublish: 'foo, bar',
+          proxy: 'some',
+        },
+      },
+      security: {
+        api: {
+          legacy: true,
+        },
+      },
+      log: {
+        level: 'info',
+        type: 'stdout',
+        format: 'json',
+      },
+      storage: '/tmp/verdaccio',
+    });
+  });
+
+  test('should merge configurations', () => {
+    // @ts-expect-error
+    const config = ConfigBuilder.build({ security: { api: { legacy: false } } });
+    config.addSecurity({ web: { verify: {}, sign: { algorithm: 'ES256' } } });
+    config.addStorage('/tmp/verdaccio');
+    expect(config.getConfig()).toEqual({
+      security: {
+        api: {
+          legacy: false,
+        },
+        web: {
+          verify: {},
+          sign: {
+            algorithm: 'ES256',
+          },
+        },
+      },
+      uplinks: {},
+      packages: {},
+      storage: '/tmp/verdaccio',
+    });
   });
 });

packages/config/test/config.spec.ts

@@ -6,9 +6,12 @@ import {
   DEFAULT_REGISTRY,
   DEFAULT_UPLINK,
   ROLES,
+  TOKEN_VALID_LENGTH,
   WEB_TITLE,
   defaultSecurity,
+  generateRandomSecretKey,
   getDefaultConfig,
+  isNodeVersionGreaterThan21,
   parseConfigFile,
 } from '../src';
 import { parseConfigurationFile } from './utils';
@@ -19,6 +22,8 @@ const resolveConf = (conf) => {
   return path.join(__dirname, `../src/conf/${name}${ext.startsWith('.') ? ext : '.yaml'}`);
 };
 
+const itif = (condition) => (condition ? it : it.skip);
+
 const checkDefaultUplink = (config) => {
   expect(_.isObject(config.uplinks[DEFAULT_UPLINK])).toBeTruthy();
   expect(config.uplinks[DEFAULT_UPLINK].url).toMatch(DEFAULT_REGISTRY);
@@ -94,32 +99,85 @@ describe('check basic content parsed file', () => {
 describe('checkSecretKey', () => {
   test('with default.yaml and pre selected secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(config.checkSecretKey('12345')).toEqual('12345');
+    expect(config.checkSecretKey(generateRandomSecretKey())).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
   test('with default.yaml and void secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
+    const secret = config.checkSecretKey();
+    expect(typeof secret === 'string').toBeTruthy();
+    expect(secret).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
-  test('with default.yaml and emtpy string secret', () => {
+  test('with default.yaml and empty string secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(typeof config.checkSecretKey('') === 'string').toBeTruthy();
+    const secret = config.checkSecretKey('');
+    expect(typeof secret === 'string').toBeTruthy();
+    expect(secret).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
-  test('with enhanced legacy signature', () => {
+  test('with default.yaml and valid string secret length', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    config.security.enhancedLegacySignature = true;
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
-    expect(config.secret.length).toBe(32);
+    expect(typeof config.checkSecretKey(generateRandomSecretKey()) === 'string').toBeTruthy();
   });
 
-  test('without enhanced legacy signature', () => {
-    const config = new Config(parseConfigFile(resolveConf('default')));
-    config.security.enhancedLegacySignature = false;
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
-    expect(config.secret.length).toBe(64);
+  test('with default.yaml migrate a valid string secret length', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: true,
+    });
+    expect(
+      // 64 characters secret long
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
   });
+
+  // only runs on Node.js 22 or higher
+  itif(isNodeVersionGreaterThan21())('with enhanced legacy signature Node 22 or higher', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: false,
+    });
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(() =>
+      // 64 characters secret long
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toThrow();
+  });
+
+  itif(isNodeVersionGreaterThan21())('with enhanced legacy signature Node 22 or higher', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: false,
+    });
+    config.security.api.migrateToSecureLegacySignature = true;
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
+  });
+
+  itif(isNodeVersionGreaterThan21() === false)(
+    'with old unsecure legacy signature Node 21 or lower',
+    () => {
+      const config = new Config(parseConfigFile(resolveConf('default')));
+      config.security.api.migrateToSecureLegacySignature = false;
+      // 64 characters secret long
+      // eslint-disable-next-line jest/no-standalone-expect
+      expect(
+        config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+      ).toHaveLength(64);
+    }
+  );
+
+  test('with migration to new legacy signature Node 21 or lower', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')));
+    config.security.api.migrateToSecureLegacySignature = true;
+    // 64 characters secret long
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
+  });
+
+  test.todo('test emit warning with secret key');
 });
 
 describe('getMatchedPackagesSpec', () => {

packages/core/core/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @verdaccio/core
 
+## 7.0.0-next-7.16
+
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+## 7.0.0-next-7.14
+
+## 7.0.0-next-7.13
+
 ## 7.0.0-next-7.12
 
 ## 7.0.0-next-7.11