chore: update versions (next-7) (#4525)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.changeset/olive-bananas-wink.md

@@ -0,0 +1,7 @@
+---
+'@verdaccio/store': patch
+'@verdaccio/tarball': patch
+---
+
+- Fixes polynomial regular expression when determining the file name of tarball
+- Add tests for extracting tarball name

.changeset/pink-apples-nail.md

@@ -0,0 +1,7 @@
+---
+'@verdaccio/ui-theme': minor
+'@verdaccio/ui-components': minor
+'@verdaccio/config': minor
+---
+
+feat: forbidden user interface

.changeset/pre.json

@@ -1,6 +1,6 @@
 {
   "mode": "pre",
-  "tag": "next",
+  "tag": "next-7",
   "initialVersions": {
     "@verdaccio/test-cli-commons": "1.1.0",
     "@verdaccio/e2e-cli-npm6": "1.0.1",
@@ -64,9 +64,18 @@
     "eight-squids-judge",
     "long-jars-collect",
     "old-turkeys-heal",
+    "olive-bananas-wink",
     "perfect-chairs-act",
+    "pink-apples-nail",
+    "real-socks-vanish",
     "shiny-worms-retire",
+    "shy-carrots-compare",
     "shy-garlics-cry",
-    "weak-fans-explain"
+    "spicy-birds-flow",
+    "strange-points-repair",
+    "thirty-toes-swim",
+    "weak-fans-explain",
+    "wild-otters-talk",
+    "young-donuts-own"
   ]
 }

.changeset/real-socks-vanish.md

@@ -0,0 +1,5 @@
+---
+'verdaccio': patch
+---
+
+chore: test release

.changeset/shy-carrots-compare.md

@@ -0,0 +1,14 @@
+---
+'@verdaccio/server': minor
+'@verdaccio/test-helper': minor
+'@verdaccio/types': minor
+'@verdaccio/middleware': minor
+'@verdaccio/core': minor
+'@verdaccio/signature': minor
+'@verdaccio/url': minor
+'@verdaccio/config': minor
+'@verdaccio/auth': minor
+'@verdaccio/api': minor
+---
+
+refactor: auth with legacy sign support

.changeset/spicy-birds-flow.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/store': patch
+'@verdaccio/test-helper': patch
+---
+
+fix: store readme when publishing locally

.changeset/strange-points-repair.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/ui-theme': patch
+'@verdaccio/ui-components': patch
+---
+
+fix: render READMEs with correct font and highlighting

.changeset/thirty-toes-swim.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/ui-theme': patch
+'@verdaccio/ui-components': patch
+---
+
+fix: ui dialog break pages on open due remark error

.changeset/wild-otters-talk.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/api': patch
+---
+
+fix: bug on change password npm profile

.changeset/young-donuts-own.md

@@ -0,0 +1,5 @@
+---
+'@verdaccio/config': patch
+---
+
+chore(config): increase test coverage

.github/workflows/changesets.yml

@@ -25,16 +25,16 @@ jobs:
           fetch-depth: 0
 
       - name: setup node.js
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
         env:
           NODE_AUTH_TOKEN: ${{ secrets.REGISTRY_AUTH_TOKEN }}
 
-      - name: install pnpm
-        run: npm i pnpm@8.9.0 -g
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.REGISTRY_AUTH_TOKEN }}
+      - name: Install pnpm
+        run: |
+          corepack enable
+          corepack install
 
       - name: setup pnpm config
         run: pnpm config set store-dir $PNPM_CACHE_FOLDER

.github/workflows/ci-windows.yml

@@ -20,7 +20,7 @@ jobs:
     steps:
     - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
     - name: Node
-      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
       with:
         node-version-file: '.nvmrc'
     - name: Install pnpm
@@ -36,7 +36,7 @@ jobs:
     - name: Install
       run: pnpm install --registry http://localhost:4873
     - name: Cache .pnpm-store
-      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
       with:
         path: ~/.pnpm-store
         key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -49,12 +49,12 @@ jobs:
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -73,12 +73,12 @@ jobs:
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -102,12 +102,12 @@ jobs:
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node ${{ matrix.node_version }}
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node_version }}
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -127,12 +127,12 @@ jobs:
     name: UI Test E2E
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: npm i pnpm@latest-8 -g
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/workflows/ci.yml

@@ -29,7 +29,7 @@ jobs:
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
@@ -43,7 +43,7 @@ jobs:
       - name: Install
         run: pnpm install  --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -56,14 +56,14 @@ jobs:
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -81,14 +81,14 @@ jobs:
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -100,25 +100,25 @@ jobs:
       - name: Lint
         run: pnpm format:check
   test:
-    needs: [format, lint]
+    needs: [prepare]
     strategy:
       fail-fast: true
       matrix:
         os: [ubuntu-latest]
-        node_version: [18, 20]
+        node_version: [18, 20, 21]
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node ${{ matrix.node_version }}
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node_version }}
       - name: Install pnpm
         run: |
           corepack enable
-          corepack prepare --activate pnpm@8.9.0
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+          corepack prepare
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
@@ -138,14 +138,14 @@ jobs:
     if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
           corepack install
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}

.github/workflows/codeql-analysis.yml

@@ -34,7 +34,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2
+        uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v2
 
       # Override language selection by uncommenting this and choosing your languages
       # with:
@@ -42,7 +42,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2
+        uses: github/codeql-action/autobuild@47b3d888fe66b639e431abf22ebca059152f1eea # v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -56,4 +56,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2
+        uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v2

.github/workflows/docker-proxy-apache-e2e.yml

@@ -12,7 +12,8 @@ jobs:
   docker:
     timeout-minutes: 10
     runs-on: ubuntu-latest
-
+    env:
+      NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
       uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
@@ -21,15 +22,21 @@ jobs:
       run: docker-compose -f "./e2e/docker/apache-verdaccio/docker-compose.yaml" up -d --build
 
     - name: Install node
-      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
       with:
-        node-version: 18
+        node-version-file: '.nvmrc'
+    - name: npm setup
+      run: |
+        npm config set fetch-retries="10"
+        npm config set fetch-retry-factor="50"
+        npm config set fetch-retry-mintimeout="20000"
+        npm config set fetch-retry-maxtimeout="80000"          
     - name: verdaccio cli
       run: npm install -g verdaccio --registry http://localhost
     - name: gastby cli 
       run:  npm install -g gatsby-cli --registry http://localhost
-    - name: netlify cli 
-      run:  npm install -g netlify-cli --registry http://localhost
+    # - name: netlify cli 
+    #   run:  npm install -g netlify-cli --registry http://localhost
     - name: angular cli 
       run:  npm install -g @angular/cli --registry http://localhost
 

.github/workflows/docker-proxy-nginx-e2e.yml

@@ -9,7 +9,8 @@ jobs:
   docker:
     timeout-minutes: 10
     runs-on: ubuntu-latest
-
+    env:
+      NODE_OPTIONS: --max_old_space_size=4096
     steps:
     - name: Checkout
       uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
@@ -18,12 +19,12 @@ jobs:
       run: docker-compose -f "./e2e/docker/proxy-nginx/docker-compose.yaml" up -d --build
 
     - name: Install node
-      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
       with:
-        node-version: 18
+        node-version-file: '.nvmrc'
     - name: npm setup
       run: |
-        npm config set fetch-retries="5"
+        npm config set fetch-retries="10"
         npm config set fetch-retry-factor="50"
         npm config set fetch-retry-mintimeout="20000"
         npm config set fetch-retry-maxtimeout="80000"      
@@ -31,8 +32,8 @@ jobs:
       run: npm install -g verdaccio --registry http://localhost
     - name: gastby cli 
       run:  npm install -g gatsby-cli --registry http://localhost
-    - name: netlify cli 
-      run:  npm install -g netlify-cli --registry http://localhost
+    #- name: netlify cli 
+    #  run:  npm install -g netlify-cli --registry http://localhost
     - name: angular cli 
       run:  npm install -g @angular/cli --registry http://localhost
 

.github/workflows/e2e-ci.yml

@@ -3,6 +3,9 @@ name: E2E CLI
 on: [pull_request]
 permissions:
   contents: read
+concurrency:
+  group: e2e-ci-${{ github.ref }}
+  cancel-in-progress: true
 jobs:
   prepare:
     runs-on: ubuntu-latest
@@ -17,13 +20,13 @@ jobs:
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
-          corepack prepare --activate pnpm@8.9.0
+          corepack prepare 
       - name: set store
         run: |
           mkdir ~/.pnpm-store
@@ -31,7 +34,7 @@ jobs:
       - name: Install
         run: pnpm install --reporter=silence --ignore-scripts --registry http://localhost:4873
       - name: Cache .pnpm-store
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -43,14 +46,14 @@ jobs:
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node 16
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
-          corepack prepare --activate pnpm@8.9.0
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+          corepack prepare 
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -62,7 +65,7 @@ jobs:
       - name: build
         run: pnpm build
       - name: Cache packages
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         id: cache-packages
         with:
           path: ./packages/
@@ -77,10 +80,10 @@ jobs:
       #     key: test-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
       #     restore-keys: |
       #       test-
-  e2e-cli:
+  e2e-cli-npm:
     needs: [prepare, build]
     strategy:
-      fail-fast: false
+      fail-fast: false      
       matrix:
         pkg:
           [
@@ -88,28 +91,21 @@ jobs:
             npm7,
             npm8,
             npm9,
-            npm10,
-            pnpm6,
-            pnpm7,
-            pnpm8,
-            yarn1,
-            yarn2,
-            yarn3,
-            yarn4,
+            npm10
           ]
-        node: [16, 18, 19]
+        node: [20, 21]
     name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: ${{ matrix.node }}
       - name: Install pnpm
         run: |
           corepack enable
-          corepack prepare --activate pnpm@8.9.0
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+          corepack prepare 
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
           key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -118,7 +114,7 @@ jobs:
           pnpm config set store-dir ~/.pnpm-store
       - name: Install
         run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
-      - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ./packages/
           key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
@@ -130,3 +126,94 @@ jobs:
         run: pnpm --filter @verdaccio/test-cli-commons build
       - name: Test CLI
         run: NODE_ENV=production pnpm test --filter ...@verdaccio/e2e-cli-${{matrix.pkg}}
+  # TODO: fix pnpm setup
+  # e2e-cli-pnpm:
+  #   needs: [prepare, build]
+  #   strategy:
+  #     fail-fast: true
+  #     matrix:
+  #       pkg:
+  #         [          
+  #           pnpm6,
+  #           pnpm7,
+  #           pnpm8          
+  #         ]
+  #       node: [20, 21]
+  #   name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+  #     - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+  #       with:
+  #         node-version: ${{ matrix.node }}
+  #     - name: Install pnpm
+  #       run: |
+  #         corepack enable
+  #         corepack prepare
+  #     - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+  #       with:
+  #         path: ~/.pnpm-store
+  #         key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+  #     - name: set store
+  #       run: |
+  #         pnpm config set store-dir ~/.pnpm-store
+  #     - name: Install
+  #       run: pnpm install --loglevel debug --ignore-scripts --registry http://localhost:4873
+  #     - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+  #       with:
+  #         path: ./packages/
+  #         key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+  #     # - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # tag=v3
+  #     #   with:
+  #     #     path: ./e2e/
+  #     #     key: test-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+  #     - name: build e2e
+  #       run: pnpm --filter @verdaccio/test-cli-commons build
+  #     - name: Test CLI
+  #       run: NODE_ENV=production pnpm test --filter ...@verdaccio/e2e-cli-${{matrix.pkg}}
+  e2e-cli-yarn:
+    needs: [prepare, build]
+    strategy:
+      fail-fast: false
+      matrix:
+        pkg:
+          [           
+            yarn1,
+            yarn2,
+            yarn3,
+            yarn4
+          ]
+        node: [20, 21]
+    name: ${{ matrix.pkg }}/ ubuntu-latest / ${{ matrix.node }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
+        with:
+          node-version: ${{ matrix.node }}
+      - name: Install pnpm
+        run: |
+          corepack enable
+          corepack prepare 
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        with:
+          path: ~/.pnpm-store
+          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+      - name: set store
+        run: |
+          pnpm config set store-dir ~/.pnpm-store
+      - name: Install
+        run: pnpm install --offline --reporter=silence --ignore-scripts --registry http://localhost:4873
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
+        with:
+          path: ./packages/
+          key: pkg-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+      # - uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # tag=v3
+      #   with:
+      #     path: ./e2e/
+      #     key: test-${{ hashFiles('pnpm-lock.yaml') }}-${{ github.run_id }}-${{ github.sha }}
+      - name: build e2e
+        run: pnpm --filter @verdaccio/test-cli-commons build
+      - name: Test CLI
+        run: NODE_ENV=production pnpm test --filter ...@verdaccio/e2e-cli-${{matrix.pkg}}
+      

.github/workflows/e2e-ui.yml

@@ -3,6 +3,9 @@ name: E2E UI
 on: [pull_request]
 permissions:
   contents: read
+concurrency:
+  group: e2e-ui-${{ github.ref }}
+  cancel-in-progress: true  
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -17,13 +20,13 @@ jobs:
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
       - name: Use Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
       - name: Install pnpm
         run: |
           corepack enable
-          corepack install
+          corepack prepare
       - name: Install
         run: pnpm install --reporter=silence --registry http://localhost:4873
       - name: build

.github/workflows/static-data.yml

@@ -23,7 +23,7 @@ jobs:
         with:
           persist-credentials: false
           fetch-depth: 0
-      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version: 18.x
       - name: install pnpm

.github/workflows/ui-components.yml

@@ -2,13 +2,6 @@ name: UI Components
 
 on: 
   workflow_dispatch:
-  pull_request:
-    paths:
-    - .github/workflows/ui-components.yml
-    - 'packages/ui-components/**'
-    - 'package.json'
-    - 'pnpm-workspace.yaml'
-    - 'pnpm-lock.yaml'
 
 permissions:
   contents: read  #  to fetch code (actions/checkout)
@@ -30,12 +23,12 @@ jobs:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
       - name: Use Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
           node-version-file: '.nvmrc'
 
       - name: Cache pnpm modules
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         env:
           cache-name: cache-pnpm-modules
         with:

.github/workflows/website.yml

@@ -2,10 +2,6 @@ name: Verdaccio Website CI
 
 on:
   workflow_dispatch:
-  pull_request:
-    paths:
-        - 'website/**'
-        - './.github/workflows/website.yml'
   schedule:
     - cron: '0 0 * * *' 
 
@@ -20,125 +16,60 @@ jobs:
       pull-requests: write  #  to comment on pull-requests
 
     runs-on: ubuntu-latest
+    name: setup verdaccio
+    services:
+      verdaccio:
+        image: verdaccio/verdaccio:5
+        ports:
+          - 4873:4873
+        env:
+          NODE_ENV: production    
     env:
       NODE_OPTIONS: --max_old_space_size=4096
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
-      - name: Use Node 16
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # tag=v3
+      - name: Node
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v3
         with:
-          node-version: 16
-
-      - name: Cache pnpm modules
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
-        env:
-          cache-name: cache-pnpm-modules
+          node-version-file: '.nvmrc'
+      - name: Install pnpm
+        run: |
+          corepack enable
+          corepack install
+      - name: set store
+        run: |
+          mkdir ~/.pnpm-store
+          pnpm config set store-dir ~/.pnpm-store
+      - name: Install
+        run: pnpm install  --registry http://localhost:4873
+      - name: Cache .pnpm-store
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: ~/.pnpm-store
-          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ matrix.node-version }}-${{ hashFiles('**/pnpm-lock.yaml') }}
+          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
           restore-keys: |
-            ${{ runner.os }}-build-${{ env.cache-name }}-${{ matrix.node-version }}-
-
-      - uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # tag=v2.4.0
-        with:
-          version: latest-8
-          run_install: |
-            - recursive: true
-              args: [--frozen-lockfile]
+            pnpm-          
       - name: Build 
         run: pnpm build
       - name: Build Translations percentage
         run: pnpm --filter @verdaccio/crowdin-translations build
       - name: Cache Docusaurus Build
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3
         with:
           path: website/node_modules/.cache/webpack
           key: cache/webpack-${{github.ref}}-${{ hashFiles('**/pnpm-lock.yaml') }}
           restore-keys: cache/webpack-${{github.ref}}
-
-      # Will deploy to production on:
-        # 1st: When a push occurs on master branch
-        # 2nd: When we force the worflow dispatch through the UI
       - name: Build Production
-        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
+        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
         env:
           CROWDIN_VERDACCIO_API_KEY: ${{ secrets.CROWDIN_VERDACCIO_API_KEY }}
           SENTRY_KEY: ${{ secrets.SENTRY_KEY }}
           CONTEXT: production
-        run: pnpm --filter @verdaccio/website netlify:build:production
-
-      - name: 🔥 Deploy Production Netlify
-        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
-        uses: semoal/action-netlify-deploy@1a53f098745bf78555d11b436f5ee3af87e6b566
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          netlify-auth-token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-          netlify-site-id: ${{ secrets.NETLIFY_SITE_ID }}
-          build-dir: './website/build'
-
-      # Will deploy to Preview URL, only when a pull request is open with changes on the website
-      - name: Build Deployment Preview
+        run: pnpm --filter @verdaccio/website netlify:build
+      - name: Deploy to Netlify
         env:
-          CONTEXT: deploy-preview
-        run: pnpm --filter ...@verdaccio/website netlify:build:deployPreview
+          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
+          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+        run: pnpm --filter ...@verdaccio/website netlify:deploy 
 
-      - name: 🤖 Deploy Preview Netlify
-        if: github.repository == 'verdaccio/verdaccio'
-        uses: semoal/action-netlify-deploy@1a53f098745bf78555d11b436f5ee3af87e6b566
-        id: netlify_preview
-        with:
-          draft: true
-          comment-on-pull-request: true
-          github-deployment-is-production: false
-          github-deployment-is-transient: true
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          netlify-auth-token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-          netlify-site-id: ${{ secrets.NETLIFY_SITE_ID }}
-          build-dir: './website/build'
-
-      - name: Audit preview URL with Lighthouse
-        if: github.repository == 'verdaccio/verdaccio'
-        id: lighthouse_audit
-        uses: treosh/lighthouse-ci-action@03becbfc543944dd6e7534f7ff768abb8a296826 # tag=10.1.0
-        with:
-          urls: |
-            ${{ steps.netlify_preview.outputs.preview-url }}
-          uploadArtifacts: true
-          temporaryPublicStorage: true
-
-      - name: Format lighthouse score
-        id: format_lighthouse_score
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # tag=v6
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          script: |
-            const result = ${{ steps.lighthouse_audit.outputs.manifest }}[0].summary
-            const links = ${{ steps.lighthouse_audit.outputs.links }}
-            const formatResult = (res) => Math.round((res * 100))
-            Object.keys(result).forEach(key => result[key] = formatResult(result[key]))
-            const score = res => res >= 90 ? '🟢' : res >= 50 ? '🟠' : '🔴'
-            const comment = [
-                `⚡️ [Lighthouse report](${Object.values(links)[0]}) for the changes in this PR:`,
-                '| Category | Score |',
-                '| --- | --- |',
-                `| ${score(result.performance)} Performance | ${result.performance} |`,
-                `| ${score(result.accessibility)} Accessibility | ${result.accessibility} |`,
-                `| ${score(result['best-practices'])} Best practices | ${result['best-practices']} |`,
-                `| ${score(result.seo)} SEO | ${result.seo} |`,
-                ' ',
-                `*Lighthouse ran on [${Object.keys(links)[0]}](${Object.keys(links)[0]})*`
-            ].join('\n')
-             core.setOutput("comment", comment);
-
-      - name: Add comment to PR
-        if: github.repository == 'verdaccio/verdaccio'
-        id: comment_to_pr
-        uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2
-        with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          number: ${{ github.event.issue.number }}
-          delete: true
-          header: lighthouse
-          message: |
-            ${{ steps.format_lighthouse_score.outputs.comment }}

.netlify/netlify-plugin-pnpm/index.js

@@ -1,10 +0,0 @@
-module.exports = {
-  onPreBuild: async ({ utils: { build, run } }) => {
-    try {
-      await run.command("npm install -g pnpm")
-      await run.command("pnpm install --ignore-scripts --frozen-lockfile")
-    } catch (error) {
-      return build.failBuild(error)
-    }
-  }
-}

.netlify/netlify-plugin-pnpm/manifest.yml

@@ -1,2 +0,0 @@
-name: netlify-plugin-pnpm
-inputs: []

.npmrc

@@ -1,3 +1,2 @@
 always-auth = true
-loglevel=info
 fetch-retries="10"

.prettierrc

@@ -0,0 +1,15 @@
+{
+  "endOfLine": "lf",
+  "useTabs": false,
+  "printWidth": 100,
+  "tabWidth": 2,
+  "singleQuote": true,
+  "bracketSpacing": true,
+  "trailingComma": "es5",
+  "semi": true,
+  "plugins": ["@trivago/prettier-plugin-sort-imports"],
+  "importOrder": ["^@verdaccio/(.*)$", "^[./]"],
+  "importOrderSeparation": true,
+  "importOrderParserPlugins": ["typescript", "classProperties", "jsx"],
+  "importOrderSortSpecifiers": true
+}

.vscode/settings.json

@@ -1,13 +1,10 @@
 // Place your settings in this file to overwrite default and user settings.
 {
   "files.exclude": {
-    "**/.nyc_output": true,
     "**/build": false,
     "**/coverage": true,
     ".idea": true,
-    "storage_default_storage": true,
-    ".yarn": true
   },
-  "editor.formatOnSave": true,
-  "typescript.tsdk": "node_modules/typescript/lib"
+  "editor.defaultFormatter": "esbenp.prettier-vscode",
+  "editor.formatOnSave": true
 }

CONTRIBUTING.md

@@ -29,6 +29,8 @@ The Verdaccio project is split into several areas, the first three hosted in the
 
 ## Prepare local setup {#local-setup}
 
+**Note**: The size of the Verdaccio project is quite significant. Unzipped it is about 33 MB. However, a full build with all node_modules installed takes about **2.8 GB** of disk space (~190k files)!
+
 Verdaccio uses [pnpm](https://pnpm.io) as the package manager for development in this repository.
 
 If you are using pnpm for the first time the [pnpm configuration documentation](https://pnpm.io/configuring) may be useful to avoid any potential problems with the following steps.
@@ -46,16 +48,15 @@ We use [corepack](https://github.com/nodejs/corepack) to install and use a speci
 ```shell
 nvm install
 corepack enable
-corepack install
 ```
 
 `pnpm` version will be updated mainly by the maintainers but if you would like to set it to a specific version, you can do so by running the following command:
 
-```shell
-corepack use pnpm@8.9.1
-```
+> `packageManager` at the `package.json` defines the default version to be used.
 
-It will update the `package.json` file with the new version of pnpm in the `packageManager` field.
+```shell
+corepack prepare
+```
 
 With pnpm installed, the first step is installing all dependencies:
 
@@ -77,14 +78,14 @@ pnpm build
 pnpm test
 ```
 
-Verdaccio is a mono repository. To run the tests for for a specific package:
+Verdaccio is a mono repository. To run the tests for a specific package:
 
 ```shell
 cd packages/store
 pnpm test
 ```
 
-or an specific test in that package:
+or a specific test in that package:
 
 ```shell
 pnpm test test/merge.dist.tags.spec.ts
@@ -128,7 +129,7 @@ The user interface is split in two packages, the `/packages/plugins/ui-theme` an
 
 Go to `/packages/ui-component` and run `pnpm watch` to enable _babel_ in watch mode, every change on the components will be hot reloaded in combination with the `pnpm start` command.
 
-Any change on the server packages, must be build independently (server do not has hot reload, `pnpm start` should be triggered again).
+Any change on the server packages, must be build independently (server does not have hot reload, `pnpm start` should be triggered again).
 
 Any interaction with the server should be done through the port `8000` eg: `npm login --registry http://localhost:8000` .
 
@@ -141,7 +142,7 @@ Any interaction with the server should be done through the port `8000` eg: `npm
 
 #### Debugging compiled code {#debugging-compiled-code}
 
-Currently you can only run pre-compiled packages in debug mode. To enable debug
+Currently, you can only run pre-compiled packages in debug mode. To enable debug
 while running add the `verdaccio` namespace using the `DEBUG` environment
 variable, like this:
 
@@ -163,7 +164,7 @@ of the output is sent to the logger module.
 
 #### Testing your changes in a local registry {#testing-local-registry}
 
-Once you have perform your changes in the code base, the build and tests passes you can publish a local version:
+Once you have performed your changes in the code base, the build and tests passes you can publish a local version:
 
 - Ensure you have built all modules by running `pnpm build` (or the one you have modified)
 - Run `pnpm local:publish:release` to launch a local registry and publish all packages into it. This command will be alive until server is killed (Control Key + C)
@@ -180,7 +181,7 @@ npm i -g verdaccio --registry=http://localhost:4873
 verdaccio
 ```
 
-If you perform more changes in the source code, repeat this process, there is not _hot reloading_ support.
+If you perform more changes in the source code, repeat this process, there is no _hot reloading_ support.
 
 ## Feature Request {#feature-request}
 
@@ -207,7 +208,7 @@ a report in our [issue tracker](https://github.com/verdaccio/verdaccio/issues),
 > **NOTE: Verdaccio still does not support all npm commands. Some were not
 > considered important and others have not been requested yet.**
 
-### What's is not considered a bug?
+### What is not considered a bug?
 
 - _Third party integrations_: proxies integrations, external plugins
 - _Package managers_: If a package manager does not support a specific command
@@ -271,7 +272,7 @@ information on [rebasing](https://git-scm.com/book/en/v2/Git-Branching-Rebasing)
 
 #### Caveats
 
-Feel free to commit as much times you want in your branch, but keep on mind on
+Feel free to commit as many times you want in your branch, but keep on mind on
 this repository we `git squash` on merge by default, as we like to maintain a
 clean git history.
 
@@ -358,7 +359,7 @@ The last step is to confirm your changeset or abort the operation:
 🦋  info /Users/user/verdaccio.clone/.changeset/light-scissors-smell.md
 ```
 
-Once the changeset is added (all will have an unique name) you can freely edit
+Once the changeset is added (all will have a unique name) you can freely edit
 using markdown, adding additional information, code snippets or whatever else
 you consider to be relevant.
 
@@ -394,7 +395,7 @@ For adding a new **language** on the UI follow these steps:
 1. Ensure the **language** has been enabled, must be visible in the `crowdin` platform.
 2. Find in the explorer the file `en.US.json` in the path `packages/plugins/ui-theme/src/i18n/crowdin/ui.json` and complete the translations, **not need to find approval on this**.
 3. Into the project, add a new field into `packages/plugins/ui-theme/src/i18n/crowdin/ui.json` file, in the section `lng`, the new language, eg: `{ lng: {korean:"Korean"}}`. (This file is English based, once the PR has been merged, this string will be available in crowdin for translate to the targeted language).
-4. Add the language, [flag icon](https://www.npmjs.com/package/country-flag-icons), and the menu key fort he new language eg: `menuKey: 'lng.korean'` to the file `packages/plugins/ui-theme/src/i18n/enabledLanguages.ts`.
+4. Add the language, [flag icon](https://www.npmjs.com/package/country-flag-icons), and the menu key for the new language eg: `menuKey: 'lng.korean'` to the file `packages/plugins/ui-theme/src/i18n/enabledLanguages.ts`.
 5. For local testing, read `packages/plugins/ui-theme/src/i18n/ABOUT_TRANSLATIONS.md`.
 6. Add a `changeset` file, see more info below.
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=${BUILDPLATFORM:-linux/amd64} node:18-alpine as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} node:21-alpine as builder
 
 ENV NODE_ENV=development \
     VERDACCIO_BUILD_REGISTRY=https://registry.npmjs.org
@@ -20,7 +20,7 @@ RUN npm -g i pnpm@8.9.0 && \
 # NODE_ENV=production pnpm install --frozen-lockfile --ignore-scripts
 # RUN pnpm install --prod --ignore-scripts
 
-FROM node:18-alpine
+FROM node:21-alpine
 LABEL maintainer="https://github.com/verdaccio/verdaccio"
 
 ENV VERDACCIO_APPDIR=/opt/verdaccio \

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 Verdaccio contributors
+Copyright (c) 2024 Verdaccio contributors
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,4 +1,4 @@
-[![BannerUK](https://cdn.verdaccio.dev/readme/banner-uk.svg)](https://donate.redcrossredcrescent.org/ua/donate/~my-donation?_cv=1)
+[![BannerHelp](https://cdn.verdaccio.dev/readme/banner-uk.svg)](https://u24.gov.ua)
 
 > Verdaccio stands for **peace**, stop the war, we will be yellow / blue 🇺🇦 until that happens.
 
@@ -33,7 +33,6 @@ Google Cloud Storage** or create your own plugin.
 [![MIT](https://img.shields.io/github/license/mashape/apistatus.svg)](https://github.com/verdaccio/verdaccio/blob/master/LICENSE)
 [![Crowdin](https://d322cqt584bo4o.cloudfront.net/verdaccio/localized.svg)](https://crowdin.com/project/verdaccio)
 
-[![Twitter followers](https://img.shields.io/twitter/follow/verdaccio_npm.svg?style=social&label=Follow)](https://twitter.com/verdaccio_npm)
 [![Github](https://img.shields.io/github/stars/verdaccio/verdaccio.svg?style=social&label=Stars)](https://github.com/verdaccio/verdaccio/stargazers)
 [![StandWithUkraine](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/badges/StandWithUkraine.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md)
 
@@ -88,7 +87,7 @@ Learn more [here](https://verdaccio.org/docs/dev-plugins) how to develop plugins
 
 ## Donations
 
-Verdaccio is run by **volunteers**; nobody is working full-time on it. If you find this project to be useful and would like to support its development, consider do a long support donation - **and your logo will be on this section of the readme.**
+Verdaccio is run by **volunteers**; nobody is working full-time on it. If you find this project to be useful and would like to support its development, consider doing a long support donation - **and your logo will be on this section of the readme.**
 
 **[Donate](https://github.com/sponsors/verdaccio)** 💵👍🏻 starting from _$1/month_ or just one single contribution.
 
@@ -114,7 +113,7 @@ If you want to use a modified version of some 3rd-party package (for example, yo
 ### E2E Testing
 
 Verdaccio has proved to be a lightweight registry that can be
-booted in a couple of seconds, fast enough for any CI. Many open source projects use verdaccio for end to end testing, to mention some examples, **create-react-app**, **mozilla neutrino**, **pnpm**, **storybook**, **babel.js**, **angular-cli** or **docusaurus**. You can read more in [here](https://verdaccio.org/docs/e2e).
+booted in a couple of seconds, fast enough for any CI. Many open source projects use Verdaccio for end to end testing, to mention some examples, **create-react-app**, **mozilla neutrino**, **pnpm**, **storybook**, **babel.js**, **angular-cli** or **docusaurus**. You can read more in [here](https://verdaccio.org/docs/e2e).
 
 Furthermore, here few examples how to start:
 
@@ -201,7 +200,7 @@ docker pull verdaccio/verdaccio:nightly-master
 
 Available as [tags](https://hub.docker.com/r/verdaccio/verdaccio/tags/).
 
-### Running verdaccio using Docker
+### Running Verdaccio using Docker
 
 To run the docker container:
 
@@ -213,35 +212,35 @@ Docker examples are available [in this repository](https://github.com/verdaccio/
 
 ## Compatibility
 
-Verdaccio aims to support all features of a standard npm client that make sense to support in private repository. Unfortunately, it isn't always possible.
+Verdaccio aims to support all features of a standard npm client that make sense to support in a private repository. Unfortunately, it isn't always possible.
 
 ### Basic features
 
-- Installing packages (npm install, npm upgrade, etc.) - **supported**
-- Publishing packages (npm publish) - **supported**
+- Installing packages (`npm install`, `npm update`, etc.) - **supported**
+- Publishing packages (`npm publish`) - **supported**
 
 ### Advanced package control
 
-- Unpublishing packages (npm unpublish) - **supported**
-- Tagging (npm tag) - **supported**
-- Deprecation (npm deprecate) - **supported**
+- Unpublishing packages (`npm unpublish`) - **supported**
+- Tagging (`npm dist-tag`) - **supported**
+- Deprecation (`npm deprecate`) - **supported**
 
 ### User management
 
-- Registering new users (npm adduser {newuser}) - **supported**
-- Change password (npm profile set password) - **supported**
-- Transferring ownership (npm owner add {user} {pkg}) - not supported, _PR-welcome_
-- Token (npm token) - **supported**
+- Registering new users (`npm adduser {newuser}`) - **supported**
+- Change password (`npm profile set password`) - **supported**
+- Transferring ownership (`npm owner add {user} {pkg}`) - not supported, _PR-welcome_
+- Token (`npm token`) - **supported**
 
-### Miscellany
+### Miscellaneous
 
-- Searching (npm search) - **supported** (cli / browser)
-- Ping (npm ping) - **supported**
-- Starring (npm star, npm unstar, npm stars) - **supported**
+- Searching (`npm search`) - **supported** (cli / browser)
+- Ping (`npm ping`) - **supported**
+- Starring (`npm star`, `npm unstar`, `npm stars`) - **supported**
 
 ### Security
 
-- npm/yarn audit - **supported**
+- Audit (`npm/yarn audit`) - **supported**
 
 ## Report a vulnerability
 
@@ -270,7 +269,7 @@ Thanks to the following companies to help us to achieve our goals providing free
 | ![priscilawebdev](https://avatars2.githubusercontent.com/u/29228205?s=120&v=4) | ![DanielRuf](https://avatars3.githubusercontent.com/u/827205?s=120&v=4)  |
 | [@priscilawebdev](https://twitter.com/priscilawebdev)                          | [@DanielRufde](https://twitter.com/DanielRufde)                          |
 
-You can find and chat with then over Discord, click [here](http://chat.verdaccio.org) or follow them at _Twitter_.
+You can find and chat with them over Discord, click [here](http://chat.verdaccio.org) or follow them at _Twitter_.
 
 ## Who is using Verdaccio?
 
@@ -324,7 +323,7 @@ This project exists thanks to all the people who contribute. [[Contribute](CONTR
 
 ### FAQ / Contact / Troubleshoot
 
-If you have any issue you can try the following options, do no desist to ask or check our issues database, perhaps someone has asked already what you are looking for.
+If you have any issue you can try the following options. Do no hesitate to ask or check our issues database. Perhaps someone has asked already what you are looking for.
 
 - [Blog](https://verdaccio.org/blog/)
 - [Donations](https://github.com/sponsors/verdaccio)

docker-examples/v6/plugins/docker-local-plugin/plugins/verdaccio-docker-memory/lib/local-memory.js

@@ -91,8 +91,8 @@ class LocalMemory {
       (_this$data = this.data) === null || _this$data === void 0
         ? void 0
         : (_this$data$list = _this$data.list) === null || _this$data$list === void 0
-        ? void 0
-        : _this$data$list.length
+          ? void 0
+          : _this$data$list.length
     );
     return Promise.resolve(
       (_this$data2 = this.data) === null || _this$data2 === void 0 ? void 0 : _this$data2.list

e2e/cli/cli-commons/package.json

@@ -5,16 +5,16 @@
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
   "devDependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next.4",
-    "@verdaccio/core": "workspace:7.0.0-next.4",
-    "@verdaccio/types": "workspace:12.0.0-next.1",
+    "@verdaccio/config": "workspace:7.0.0-next-7.11",
+    "@verdaccio/core": "workspace:7.0.0-next-7.11",
+    "@verdaccio/types": "workspace:12.0.0-next.2",
     "debug": "4.3.4",
-    "fs-extra": "10.1.0",
+    "fs-extra": "11.2.0",
+    "get-port": "5.1.1",
     "got": "11.8.6",
     "js-yaml": "4.1.0",
-    "get-port": "5.1.1",
     "lodash": "4.17.21",
-    "verdaccio": "workspace:7.0.0-next.4"
+    "verdaccio": "workspace:7.0.0-next-7.11"
   },
   "scripts": {
     "test": "jest",

e2e/cli/e2e-npm10/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "10.1.0"
+    "npm": "10.4.0"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm6/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.7.1"
+    "npm": "9.9.2"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm7/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.7.1"
+    "npm": "9.9.2"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm8/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.7.1"
+    "npm": "9.9.2"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-npm9/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "npm": "9.7.1"
+    "npm": "9.9.2"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn1/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "yarn": "1.22.19"
+    "yarn": "1.22.21"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn2/audit.spec.ts

@@ -18,7 +18,7 @@ describe('audit a package yarn 2', () => {
       {
         packageName: '@scope/name',
         version: '1.0.0',
-        dependencies: { jquery: '3.0.0' },
+        dependencies: { aaa: 'latest' },
         devDependencies: {},
       }
     );
@@ -27,6 +27,9 @@ describe('audit a package yarn 2', () => {
 
   test('should run yarn npm audit info json body', async () => {
     await yarn(projectFolder, 'install');
+    // this might fails if the dependency used above has vulnerabilities
+    // always try to use ar real dependency that does not have such issues
+    // yarn berry uses exit 1 if has error https://github.com/yarnpkg/berry/pull/4358
     const resp = await yarn(projectFolder, 'npm', 'audit', '--json');
     const parsedBody = JSON.parse(resp.stdout as string);
     expect(parsedBody.advisories).toBeDefined();

e2e/cli/e2e-yarn3/audit.spec.ts

@@ -12,13 +12,13 @@ describe('audit a package yarn 3', () => {
     registry = setup.registry;
     await registry.init();
     const { tempFolder } = await yarnModernUtils.prepareYarnModernProject(
-      'yarn-2',
+      'yarn-3',
       registry.getRegistryUrl(),
       getYarnCommand(),
       {
         packageName: '@scope/name',
         version: '1.0.0',
-        dependencies: { jquery: '3.0.0' },
+        dependencies: { aaa: 'latest' },
         devDependencies: {},
       }
     );
@@ -27,6 +27,9 @@ describe('audit a package yarn 3', () => {
 
   test('should run yarn npm audit info json body', async () => {
     await yarn(projectFolder, 'install');
+    // this might fails if the dependency used above has vulnerabilities
+    // always try to use ar real dependency that does not have such issues
+    // yarn berry uses exit 1 if has error https://github.com/yarnpkg/berry/pull/4358
     const resp = await yarn(projectFolder, 'npm', 'audit', '--json');
     const parsedBody = JSON.parse(resp.stdout as string);
     expect(parsedBody.advisories).toBeDefined();

e2e/cli/e2e-yarn3/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.1",
   "dependencies": {
     "@verdaccio/test-cli-commons": "workspace:1.1.0",
-    "@yarnpkg/cli-dist": "3.4.1"
+    "@yarnpkg/cli-dist": "3.8.0"
   },
   "scripts": {
     "test": "jest"

e2e/cli/e2e-yarn4/package.json

@@ -3,7 +3,7 @@
   "name": "@verdaccio/e2e-cli-yarn4",
   "version": "1.0.1",
   "dependencies": {
-    "@yarnpkg/cli-dist": "4.0.0-rc.39",
+    "@yarnpkg/cli-dist": "4.1.0",
     "@verdaccio/test-cli-commons": "workspace:1.1.0"
   },
   "scripts": {

e2e/ui/README.md

@@ -8,6 +8,12 @@
   - Check sidebar
   - Check protected packages works
 
+## Running test locally
+
+- Ensure no other verdaccio server is running, cypress will spawn it's own registry instance
+- To run all test: `pnpm test`
+- To run single test: `pnpm test -- --spec 'cypress/e2e/home.cy.ts'`
+
 ## Contribute
 
 More tests could be added to verify UI works as expected.

e2e/ui/cypress.config.ts

@@ -9,6 +9,14 @@ import { generatePackageMetadata } from '@verdaccio/test-helper';
 
 let registry1;
 export default defineConfig({
+  retries: {
+    runMode: 5,
+    openMode: 0,
+  },
+  // Enable this to see debug screenshots on test failure
+  // screenshotOnRunFailure: true,
+  // Enable this to see debug video on test failure
+  // video: true,
   e2e: {
     setupNodeEvents(on) {
       on('before:run', async () => {

e2e/ui/cypress/e2e/home.cy.ts

@@ -32,4 +32,49 @@ describe('home spec', () => {
     cy.visit(`${ctx.url}/-/web/detail/@verdaccio/not-found`);
     cy.getByTestId('404').contains(`Sorry, we couldn't find it.`);
   });
+
+  it('should open dialog settings tabs are present', () => {
+    cy.visit(ctx.url);
+    cy.getByTestId('header--tooltip-settings').click();
+
+    cy.contains('Package Managers');
+    cy.contains('Translations');
+  });
+
+  it('should close dialog settings tabs are present', () => {
+    cy.visit(ctx.url);
+    cy.getByTestId('header--tooltip-settings').click();
+    cy.get('#registryInfo--dialog-close').click();
+    // check for content at the dialog should not be there
+    cy.get('#panel1a-header').should('not.exist');
+  });
+
+  it('should expand npm dialog registry details', () => {
+    cy.visit(ctx.url);
+    cy.getByTestId('header--tooltip-settings').click();
+    cy.get('#panel1a-header').click();
+    cy.contains(/npm set registry/);
+    cy.contains(/npm adduser --registry/);
+    cy.contains(/npm profile set password/);
+  });
+
+  it('should expand pnpm dialog registry details', () => {
+    cy.visit(ctx.url);
+    cy.getByTestId('header--tooltip-settings').click();
+    cy.get('#panel3a-header').click();
+    cy.contains(/pnpm set registry/);
+    cy.contains(/pnpm adduser --registry/);
+    cy.contains(/pnpm profile set password/);
+  });
+
+  it('should expand yarn dialog registry details', () => {
+    cy.visit(ctx.url);
+    cy.getByTestId('header--tooltip-settings').click();
+    cy.get('#panel2a-header').click();
+    // some initial explanation
+    cy.contains(/Yarn classic configuration differs from Yarn/);
+    // smoke test matches, (this is deelpy tested in the unit test)
+    cy.contains(/.yarnrc.yml/);
+    cy.contains(/npmRegistryServer:/);
+  });
 });

e2e/ui/package.json

@@ -3,12 +3,12 @@
   "name": "@verdaccio/e2e-ui",
   "version": "2.0.0",
   "devDependencies": {
-    "verdaccio": "workspace:7.0.0-next.4",
-    "@verdaccio/core": "workspace:7.0.0-next.4",
-    "@verdaccio/config": "workspace:7.0.0-next.4",
-    "@verdaccio/test-helper": "workspace:3.0.0-next.0",
+    "verdaccio": "workspace:7.0.0-next-7.11",
+    "@verdaccio/core": "workspace:7.0.0-next-7.11",
+    "@verdaccio/config": "workspace:7.0.0-next-7.11",
+    "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
     "debug": "4.3.4",
-    "cypress": "^11.2.0",
+    "cypress": "^13.6.0",
     "get-port": "5.1.1"
   },
   "scripts": {

jest/config.js

@@ -4,7 +4,7 @@ module.exports = {
     '^.+\\.(js|ts)$': 'babel-jest',
   },
   verbose: false,
-  collectCoverage: true,
+  collectCoverage: false,
   coverageReporters: ['text', 'html'],
   collectCoverageFrom: ['src/**/*.ts', '!**/node_modules/**', '!**/partials/**', '!**/fixture/**'],
   coveragePathIgnorePatterns: ['node_modules', 'fixtures'],

netlify.toml

@@ -1,19 +1,7 @@
-[build]
-  command = "pnpm build"
-  publish = "build/"
-
-[build.environment]
-  NPM_FLAGS="--prefix=/dev/null"
-  NODE_VERSION = "14"
-
-[context.production]
-  command = "pnpm netlify:build:production"
-
-[context.deploy-preview]
-  command = "pnpm netlify:build:deployPreview"
-
-[context.branch-deploy]
-  command = "pnpm netlify:build:deployPreview"
-
-[[plugins]]
-package = "../.netlify/netlify-plugin-pnpm"
+[[headers]]
+for = "/*"
+[headers.values]
+X-Frame-Options = "DENY"
+X-XSS-Protection = "1; mode=block"
+X-Content-Type-Options = "nosniff"
+Referrer-Policy = "no-referrer"

package.json

@@ -15,92 +15,92 @@
     "url": "https://opencollective.com/verdaccio"
   },
   "devDependencies": {
-    "@babel/cli": "7.23.0",
-    "@babel/core": "7.23.2",
-    "@babel/eslint-parser": "7.22.15",
-    "@babel/node": "7.22.19",
+    "@babel/cli": "7.23.9",
+    "@babel/core": "7.23.9",
+    "@babel/eslint-parser": "7.23.3",
+    "@babel/node": "7.23.9",
     "@babel/plugin-proposal-class-properties": "7.18.6",
-    "@babel/plugin-proposal-decorators": "7.23.2",
+    "@babel/plugin-proposal-decorators": "7.23.9",
     "@babel/plugin-proposal-export-namespace-from": "7.18.9",
-    "@babel/plugin-proposal-function-sent": "7.22.5",
+    "@babel/plugin-proposal-function-sent": "7.23.3",
     "@babel/plugin-proposal-json-strings": "7.18.6",
     "@babel/plugin-proposal-nullish-coalescing-operator": "7.18.6",
     "@babel/plugin-proposal-numeric-separator": "7.18.6",
     "@babel/plugin-proposal-object-rest-spread": "7.20.7",
     "@babel/plugin-proposal-optional-chaining": "7.21.0",
-    "@babel/plugin-proposal-throw-expressions": "7.22.5",
+    "@babel/plugin-proposal-throw-expressions": "7.23.3",
     "@babel/plugin-syntax-dynamic-import": "7.8.3",
     "@babel/plugin-syntax-import-meta": "7.10.4",
-    "@babel/plugin-transform-async-to-generator": "7.22.5",
-    "@babel/plugin-transform-classes": "7.22.15",
-    "@babel/plugin-transform-runtime": "7.23.2",
-    "@babel/preset-env": "7.23.2",
-    "@babel/preset-react": "7.22.15",
-    "@babel/preset-typescript": "7.23.2",
-    "@babel/register": "7.22.15",
-    "@babel/runtime": "7.23.2",
-    "@changesets/changelog-github": "0.4.8",
-    "@changesets/cli": "2.24.4",
+    "@babel/plugin-transform-async-to-generator": "7.23.3",
+    "@babel/plugin-transform-classes": "7.23.8",
+    "@babel/plugin-transform-runtime": "7.23.9",
+    "@babel/preset-env": "7.23.9",
+    "@babel/preset-react": "7.23.3",
+    "@babel/preset-typescript": "7.23.3",
+    "@babel/register": "7.23.7",
+    "@babel/runtime": "7.23.9",
+    "@changesets/changelog-github": "0.5.0",
+    "@changesets/cli": "2.27.1",
     "@changesets/get-dependents-graph": "1.3.6",
-    "@crowdin/cli": "3.14.0",
+    "@crowdin/cli": "3.16.1",
     "@dianmora/contributors": "5.0.0",
     "@emotion/react": "11.10.6",
     "@emotion/styled": "11.10.6",
-    "@testing-library/dom": "9.3.3",
-    "@testing-library/jest-dom": "6.1.4",
-    "@testing-library/react": "14.0.0",
-    "@trivago/prettier-plugin-sort-imports": "^4.2.0",
-    "@types/async": "3.2.21",
-    "@types/body-parser": "1.19.2",
-    "@types/connect": "3.4.36",
-    "@types/cookiejar": "2.1.2",
-    "@types/debug": "^4.1.9",
-    "@types/express": "4.17.18",
-    "@types/express-serve-static-core": "4.17.37",
-    "@types/http-errors": "2.0.2",
-    "@types/jest": "29.5.5",
-    "@types/jsonwebtoken": "9.0.3",
-    "@types/lodash": "4.14.199",
-    "@types/mime": "3.0.2",
+    "@testing-library/dom": "9.3.4",
+    "@testing-library/jest-dom": "6.4.2",
+    "@testing-library/user-event": "14.5.2",
+    "aria-query": "5.1.3",
+    "@testing-library/react": "14.2.1",
+    "@trivago/prettier-plugin-sort-imports": "4.3.0",
+    "@types/body-parser": "1.19.5",
+    "@types/connect": "3.4.38",
+    "@types/cookiejar": "2.1.5",
+    "@types/debug": "4.1.12",
+    "@types/express": "4.17.21",
+    "@types/express-serve-static-core": "4.17.42",
+    "@types/http-errors": "2.0.4",
+    "@types/jest": "29.5.11",
+    "@types/jsonwebtoken": "9.0.5",
+    "@types/lodash": "4.14.202",
+    "@types/mime": "3.0.4",
     "@types/minimatch": "5.1.2",
-    "@types/node": "20.8.3",
-    "@types/node-fetch": "2.6.6",
-    "@types/qs": "6.9.8",
-    "@types/range-parser": "1.2.5",
-    "@types/react": "18.2.25",
-    "@types/react-dom": "18.2.11",
+    "@types/node": "20.11.7",
+    "@types/node-fetch": "2.6.11",
+    "@types/qs": "6.9.11",
+    "@types/range-parser": "1.2.7",
+    "@types/react": "18.2.48",
+    "@types/react-dom": "18.2.18",
     "@types/react-router-dom": "5.3.3",
-    "@types/react-virtualized": "9.21.23",
+    "@types/react-virtualized": "9.21.29",
     "@types/redux": "3.6.0",
-    "@types/request": "2.48.9",
-    "@types/semver": "7.5.3",
-    "@types/send": "0.17.2",
-    "@types/serve-static": "1.15.3",
-    "@types/superagent": "4.1.19",
-    "@types/supertest": "2.0.14",
+    "@types/semver": "7.5.6",
+    "@types/send": "0.17.4",
+    "@types/serve-static": "1.15.5",
+    "@types/superagent": "4.1.24",
+    "@types/supertest": "2.0.16",
     "@types/testing-library__jest-dom": "6.0.0",
-    "@types/validator": "13.11.2",
-    "@types/webpack": "5.28.3",
-    "@types/webpack-env": "1.18.2",
-    "@typescript-eslint/eslint-plugin": "6.9.0",
-    "@typescript-eslint/parser": "6.9.0",
+    "@types/validator": "13.11.8",
+    "@types/webpack": "5.28.5",
+    "@types/webpack-env": "1.18.4",
+    "@typescript-eslint/eslint-plugin": "6.19.1",
+    "@typescript-eslint/parser": "6.19.1",
     "@verdaccio/crowdin-translations": "workspace:*",
     "@verdaccio/eslint-config": "workspace:*",
     "@verdaccio/types": "workspace:*",
     "@verdaccio/ui-theme": "workspace:*",
-    "@vitest/coverage-v8": "^0.34.6",
+    "@vitest/coverage-v8": "0.34.6",
     "babel-core": "7.0.0-bridge.0",
     "babel-jest": "29.7.0",
     "babel-plugin-dynamic-import-node": "2.3.3",
     "babel-plugin-emotion": "11.0.0",
-    "concurrently": "6.5.1",
+    "concurrently": "8.2.2",
     "cross-env": "7.0.3",
     "debug": "4.3.4",
     "detect-secrets": "1.0.6",
-    "eslint": "8.52.0",
-    "fs-extra": "10.1.0",
+    "eslint": "8.56.0",
+    "fs-extra": "11.2.0",
     "got": "11.8.6",
-    "husky": "7.0.4",
+    "husky": "8.0.3",
     "in-publish": "2.0.1",
     "jest": "29.7.0",
     "jest-diff": "29.7.0",
@@ -110,23 +110,24 @@
     "jest-junit": "16.0.0",
     "kleur": "4.1.5",
     "lint-staged": "11.2.6",
-    "nock": "13.3.3",
-    "nodemon": "2.0.22",
-    "npm-run-all": "4.1.5",
-    "prettier": "2.8.8",
+    "nock": "13.5.1",
+    "nodemon": "3.0.3",
+    "npm-run-all2": "5.0.2",
+    "prettier": "3.2.2",
     "react": "18.2.0",
     "react-dom": "18.2.0",
-    "rimraf": "3.0.2",
-    "selfsigned": "1.10.14",
-    "supertest": "6.3.3",
-    "ts-node": "10.9.1",
-    "typescript": "5.2.2",
-    "update-ts-references": "2.6.1",
+    "rimraf": "5.0.5",
+    "selfsigned": "2.4.1",
+    "supertest": "6.3.4",
+    "ts-node": "10.9.2",
+    "typescript": "5.3.3",
+    "undici-types": "5.28.2",
+    "update-ts-references": "3.2.1",
     "verdaccio-audit": "workspace:*",
     "verdaccio-auth-memory": "workspace:*",
     "verdaccio-htpasswd": "workspace:*",
     "verdaccio-memory": "workspace:*",
-    "vitest": "^0.34.3"
+    "vitest": "0.34.6"
   },
   "scripts": {
     "prepare": "husky install",
@@ -136,7 +137,7 @@
     "docker": "docker build -t verdaccio/verdaccio:local . --no-cache",
     "format": "prettier --write \"**/*.{js,jsx,ts,tsx,json,yml,yaml,md}\"",
     "format:check": "prettier --check \"**/*.{js,jsx,ts,tsx,json,yml,yaml,md}\"",
-    "lint": "eslint --max-warnings 100 \"**/*.{js,jsx,ts,tsx}\"",
+    "lint": "eslint --max-warnings 70 \"**/*.{js,jsx,ts,tsx}\"",
     "test": "pnpm --filter \"./packages/**\" test",
     "test:e2e:cli": "pnpm --filter ...@verdaccio/e2e-cli-* test -- --coverage=false",
     "test:e2e:ui": "pnpm --filter ...@verdaccio/e2e-ui test",
@@ -172,12 +173,6 @@
     "local:publish": "cross-env npm_config_registry=http://localhost:4873 changeset publish --no-git-tag",
     "local:publish:release": "concurrently \"pnpm local:registry\" \"pnpm local:publish\""
   },
-  "pnpm": {
-    "overrides": {
-      "got": "11.8.5",
-      "p-cancelable": "2.1.1"
-    }
-  },
   "engines": {
     "node": ">=18"
   },
@@ -186,5 +181,5 @@
     "*.{js,jsx,ts,tsx,json,yml,yaml,md}": "prettier --write",
     "*.{js,jsx,ts,tsx}": "eslint --cache --fix"
   },
-  "packageManager": "pnpm@8.9.0+sha256.8f5264ad1d100da11a6add6bb8a94c6f1e913f9e9261b2a551fabefad2ec0fec"
+  "packageManager": "pnpm@8.14.0+sha256.9cebf61abd83f68177b29484da72da9751390eaad46dfc3072d266bfbb1ba7bf"
 }

packages/api/CHANGELOG.md

@@ -1,5 +1,99 @@
 # @verdaccio/api
 
+## 7.0.0-next-7.11
+
+### Patch Changes
+
+- Updated dependencies [c9962fe]
+  - @verdaccio/config@7.0.0-next-7.11
+  - @verdaccio/auth@7.0.0-next-7.11
+  - @verdaccio/middleware@7.0.0-next-7.11
+  - @verdaccio/store@7.0.0-next-7.11
+  - @verdaccio/core@7.0.0-next-7.11
+  - @verdaccio/utils@7.0.0-next-7.11
+  - @verdaccio/logger@7.0.0-next-7.11
+
+## 7.0.0-next-7.10
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.10
+- @verdaccio/config@7.0.0-next-7.10
+- @verdaccio/auth@7.0.0-next-7.10
+- @verdaccio/middleware@7.0.0-next-7.10
+- @verdaccio/store@7.0.0-next-7.10
+- @verdaccio/utils@7.0.0-next-7.10
+- @verdaccio/logger@7.0.0-next-7.10
+
+## 7.0.0-next-7.9
+
+### Patch Changes
+
+- Updated dependencies [c807f0c]
+  - @verdaccio/store@7.0.0-next-7.9
+  - @verdaccio/core@7.0.0-next-7.9
+  - @verdaccio/config@7.0.0-next-7.9
+  - @verdaccio/auth@7.0.0-next-7.9
+  - @verdaccio/middleware@7.0.0-next-7.9
+  - @verdaccio/utils@7.0.0-next-7.9
+  - @verdaccio/logger@7.0.0-next-7.9
+
+## 7.0.0-next-7.8
+
+### Patch Changes
+
+- 74cd588: fix: bug on change password npm profile
+  - @verdaccio/core@7.0.0-next-7.8
+  - @verdaccio/config@7.0.0-next-7.8
+  - @verdaccio/auth@7.0.0-next-7.8
+  - @verdaccio/middleware@7.0.0-next-7.8
+  - @verdaccio/store@7.0.0-next-7.8
+  - @verdaccio/utils@7.0.0-next-7.8
+  - @verdaccio/logger@7.0.0-next-7.8
+
+## 7.0.0-next-7.7
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.7
+- @verdaccio/config@7.0.0-next-7.7
+- @verdaccio/auth@7.0.0-next-7.7
+- @verdaccio/middleware@7.0.0-next-7.7
+- @verdaccio/store@7.0.0-next-7.7
+- @verdaccio/utils@7.0.0-next-7.7
+- @verdaccio/logger@7.0.0-next-7.7
+
+## 7.0.0-next.6
+
+### Patch Changes
+
+- Updated dependencies [e14b064]
+- Updated dependencies [4d96324]
+  - @verdaccio/store@7.0.0-next.6
+  - @verdaccio/config@7.0.0-next.6
+  - @verdaccio/auth@7.0.0-next.6
+  - @verdaccio/middleware@7.0.0-next.6
+  - @verdaccio/core@7.0.0-next.6
+  - @verdaccio/utils@7.0.0-next.6
+  - @verdaccio/logger@7.0.0-next.6
+
+## 7.0.0-next.5
+
+### Minor Changes
+
+- f047cc8: refactor: auth with legacy sign support
+
+### Patch Changes
+
+- Updated dependencies [f047cc8]
+  - @verdaccio/middleware@7.0.0-next.5
+  - @verdaccio/core@7.0.0-next.5
+  - @verdaccio/config@7.0.0-next.5
+  - @verdaccio/auth@7.0.0-next.5
+  - @verdaccio/store@7.0.0-next.5
+  - @verdaccio/logger@7.0.0-next.5
+  - @verdaccio/utils@7.0.0-next.5
+
 ## 7.0.0-next.4
 
 ### Patch Changes

packages/api/jest.config.js

@@ -1,10 +1,3 @@
 const config = require('../../jest/config');
 
-module.exports = Object.assign({}, config, {
-  coverageThreshold: {
-    global: {
-      // FIXME: increase to 90
-      lines: 60,
-    },
-  },
-});
+module.exports = Object.assign({}, config, {});

packages/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/api",
-  "version": "7.0.0-next.4",
+  "version": "7.0.0-next-7.11",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,29 +38,28 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next.4",
-    "@verdaccio/config": "workspace:7.0.0-next.4",
-    "@verdaccio/core": "workspace:7.0.0-next.4",
-    "@verdaccio/logger": "workspace:7.0.0-next.4",
-    "@verdaccio/middleware": "workspace:7.0.0-next.4",
-    "@verdaccio/store": "workspace:7.0.0-next.4",
-    "@verdaccio/utils": "workspace:7.0.0-next.4",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.11",
+    "@verdaccio/config": "workspace:7.0.0-next-7.11",
+    "@verdaccio/core": "workspace:7.0.0-next-7.11",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.11",
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.11",
+    "@verdaccio/store": "workspace:7.0.0-next-7.11",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.11",
     "abortcontroller-polyfill": "1.7.5",
     "body-parser": "1.20.2",
-    "cookies": "0.8.0",
+    "cookies": "0.9.0",
     "debug": "4.3.4",
     "express": "4.18.2",
     "lodash": "4.17.21",
     "mime": "2.6.0",
-    "semver": "7.5.4"
+    "semver": "7.6.0"
   },
   "devDependencies": {
-    "@verdaccio/server": "workspace:7.0.0-next.4",
-    "@verdaccio/test-helper": "workspace:3.0.0-next.0",
-    "@verdaccio/types": "workspace:12.0.0-next.1",
+    "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
+    "@verdaccio/types": "workspace:12.0.0-next.2",
     "mockdate": "3.0.5",
-    "nock": "13.3.3",
-    "supertest": "6.3.3"
+    "nock": "13.5.1",
+    "supertest": "6.3.4"
   },
   "funding": {
     "type": "opencollective",

packages/api/src/v1/profile.ts

@@ -81,15 +81,17 @@ export default function (route: Router, auth: Auth, config: Config): void {
           /* eslint new-cap:off */
         }
 
+        if (_.isEmpty(password.old)) {
+          return next(errorUtils.getBadRequest('old password is required'));
+        }
+
         auth.changePassword(
           name,
           password.old,
           password.new,
           (err, isUpdated): $NextFunctionVer => {
             if (_.isNull(err) === false) {
-              return next(
-                errorUtils.getCode(err.status, err.message) || errorUtils.getConflict(err.message)
-              );
+              return next(errorUtils.getForbidden(err.message));
             }
 
             if (isUpdated) {

packages/api/test/integration/config/profile.yaml

@@ -0,0 +1,27 @@
+auth:
+  htpasswd:
+    file: ./htpasswd-profile
+web:
+  enable: true
+  title: verdaccio
+
+uplinks:
+
+log: { type: stdout, format: pretty, level: trace }
+
+packages:
+  '@*/*':
+    access: $all
+    publish: $all
+    unpublish: $all
+    proxy: npmjs
+  'verdaccio':
+    access: $all
+    publish: $all
+  '**':
+    access: $all
+    publish: $all
+    unpublish: $all
+    proxy: npmjs
+
+_debug: true

packages/api/test/integration/config/user.jwt.yaml

@@ -10,7 +10,7 @@ auth:
 
 uplinks:
   ver:
-    url: https://registry.verdaccio.org
+    url: https://registry.npmjs.org
 
 security:
   api:

packages/api/test/integration/config/user.yaml

@@ -7,7 +7,7 @@ web:
 
 uplinks:
   ver:
-    url: https://registry.verdaccio.org
+    url: https://registry.npmjs.org
 
 log: { type: stdout, format: pretty, level: trace }
 

packages/api/test/integration/package.spec.ts

@@ -26,8 +26,8 @@ describe('package', () => {
     });
 
     test.each([
-      ['foo', 'foo-1.0.0.tgz'],
-      ['@scope/foo', 'foo-1.0.0.tgz'],
+      ['foo2', 'foo2-1.0.0.tgz'],
+      ['@scope/foo2', 'foo2-1.0.0.tgz'],
     ])('should fails if tarball does not exist', async (pkg, fileName) => {
       await publishVersion(app, pkg, '1.0.1');
       return await supertest(app)

packages/api/test/integration/profile.spec.ts

@@ -0,0 +1,111 @@
+import supertest from 'supertest';
+
+import { HEADERS, HEADER_TYPE, HTTP_STATUS, TOKEN_BEARER } from '@verdaccio/core';
+import { buildToken } from '@verdaccio/utils';
+
+import { createUser, initializeServer } from './_helper';
+
+describe('profile ', () => {
+  describe('get profile ', () => {
+    test('should return Unauthorized if header token is missing', async () => {
+      const app = await initializeServer('profile.yaml');
+      return supertest(app)
+        .get('/-/npm/v1/user')
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.UNAUTHORIZED);
+    });
+
+    test('should return user details', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .get('/-/npm/v1/user')
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.OK);
+    });
+  });
+  describe('post profile ', () => {
+    test('should return Unauthorized if header token is missing', async () => {
+      const app = await initializeServer('profile.yaml');
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({})
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.UNAUTHORIZED);
+    });
+
+    test('should return handle to short new password', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ password: { new: '_' } })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.UNAUTHORIZED);
+    });
+
+    test('should return handle to missing old password', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ password: { new: 'fooooo', old: undefined } })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.BAD_REQUEST);
+    });
+
+    test('should return handle to missing password', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ another: '_' })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.INTERNAL_ERROR);
+    });
+
+    test('should return handle change password', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ password: { new: 'good password_.%#@$@#$@#', old: 'test' } })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.OK);
+    });
+
+    test('should return handle change password failure', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ password: { new: 'good password_.%#@$@#$@#', old: 'test_do_not_match' } })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.FORBIDDEN);
+    });
+
+    test('should handle tfa ( two factor auth) disabled', async () => {
+      const app = await initializeServer('profile.yaml');
+      const credentials = { name: 'test', password: 'test' };
+      const response = await createUser(app, credentials.name, credentials.password);
+      return supertest(app)
+        .post('/-/npm/v1/user')
+        .send({ tfa: '_' })
+        .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, response.body.token))
+        .expect(HEADER_TYPE.CONTENT_TYPE, HEADERS.JSON_CHARSET)
+        .expect(HTTP_STATUS.SERVICE_UNAVAILABLE);
+    });
+  });
+});

packages/auth/CHANGELOG.md

@@ -1,5 +1,96 @@
 # @verdaccio/auth
 
+## 7.0.0-next-7.11
+
+### Patch Changes
+
+- Updated dependencies [c9962fe]
+  - @verdaccio/config@7.0.0-next-7.11
+  - @verdaccio/loaders@7.0.0-next-7.11
+  - verdaccio-htpasswd@12.0.0-next-7.11
+  - @verdaccio/signature@7.0.0-next.3
+  - @verdaccio/core@7.0.0-next-7.11
+  - @verdaccio/utils@7.0.0-next-7.11
+  - @verdaccio/logger@7.0.0-next-7.11
+
+## 7.0.0-next-7.10
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.10
+- @verdaccio/config@7.0.0-next-7.10
+- @verdaccio/loaders@7.0.0-next-7.10
+- verdaccio-htpasswd@12.0.0-next-7.10
+- @verdaccio/utils@7.0.0-next-7.10
+- @verdaccio/signature@7.0.0-next.3
+- @verdaccio/logger@7.0.0-next-7.10
+
+## 7.0.0-next-7.9
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.9
+- @verdaccio/config@7.0.0-next-7.9
+- @verdaccio/loaders@7.0.0-next-7.9
+- verdaccio-htpasswd@12.0.0-next-7.9
+- @verdaccio/utils@7.0.0-next-7.9
+- @verdaccio/signature@7.0.0-next.3
+- @verdaccio/logger@7.0.0-next-7.9
+
+## 7.0.0-next-7.8
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.8
+- @verdaccio/config@7.0.0-next-7.8
+- @verdaccio/loaders@7.0.0-next-7.8
+- verdaccio-htpasswd@12.0.0-next-7.8
+- @verdaccio/utils@7.0.0-next-7.8
+- @verdaccio/signature@7.0.0-next.3
+- @verdaccio/logger@7.0.0-next-7.8
+
+## 7.0.0-next-7.7
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.7
+- @verdaccio/config@7.0.0-next-7.7
+- @verdaccio/loaders@7.0.0-next-7.7
+- verdaccio-htpasswd@12.0.0-next-7.7
+- @verdaccio/utils@7.0.0-next-7.7
+- @verdaccio/signature@7.0.0-next.3
+- @verdaccio/logger@7.0.0-next-7.7
+
+## 7.0.0-next.6
+
+### Patch Changes
+
+- Updated dependencies [4d96324]
+  - @verdaccio/config@7.0.0-next.6
+  - @verdaccio/loaders@7.0.0-next.6
+  - verdaccio-htpasswd@12.0.0-next.6
+  - @verdaccio/signature@7.0.0-next.3
+  - @verdaccio/core@7.0.0-next.6
+  - @verdaccio/utils@7.0.0-next.6
+  - @verdaccio/logger@7.0.0-next.6
+
+## 7.0.0-next.5
+
+### Minor Changes
+
+- f047cc8: refactor: auth with legacy sign support
+
+### Patch Changes
+
+- Updated dependencies [f047cc8]
+  - @verdaccio/core@7.0.0-next.5
+  - @verdaccio/signature@7.0.0-next.3
+  - @verdaccio/config@7.0.0-next.5
+  - @verdaccio/loaders@7.0.0-next.5
+  - @verdaccio/logger@7.0.0-next.5
+  - verdaccio-htpasswd@12.0.0-next.5
+  - @verdaccio/utils@7.0.0-next.5
+
 ## 7.0.0-next.4
 
 ### Patch Changes

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/auth",
-  "version": "7.0.0-next.4",
+  "version": "7.0.0-next-7.11",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,19 +38,21 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next.4",
-    "@verdaccio/config": "workspace:7.0.0-next.4",
-    "@verdaccio/loaders": "workspace:7.0.0-next.4",
-    "@verdaccio/logger": "workspace:7.0.0-next.4",
-    "@verdaccio/signature": "workspace:7.0.0-next.2",
-    "@verdaccio/utils": "workspace:7.0.0-next.4",
+    "@verdaccio/core": "workspace:7.0.0-next-7.11",
+    "@verdaccio/config": "workspace:7.0.0-next-7.11",
+    "@verdaccio/loaders": "workspace:7.0.0-next-7.11",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.11",
+    "@verdaccio/signature": "workspace:7.0.0-next.3",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.11",
     "debug": "4.3.4",
-    "express": "4.18.2",
     "lodash": "4.17.21",
-    "verdaccio-htpasswd": "workspace:12.0.0-next.4"
+    "verdaccio-htpasswd": "workspace:12.0.0-next-7.11"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.1"
+    "express": "4.18.2",
+    "supertest": "6.3.4",
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.11",
+    "@verdaccio/types": "workspace:12.0.0-next.2"
   },
   "funding": {
     "type": "opencollective",

packages/auth/src/auth.ts

@@ -1,5 +1,4 @@
 import buildDebug from 'debug';
-import { NextFunction, Request, Response } from 'express';
 import _ from 'lodash';
 import { HTPasswd } from 'verdaccio-htpasswd';
 
@@ -12,22 +11,36 @@ import {
   VerdaccioError,
   errorUtils,
   pluginUtils,
+  warningUtils,
 } from '@verdaccio/core';
+import '@verdaccio/core';
 import { asyncLoadPlugin } from '@verdaccio/loaders';
 import { logger } from '@verdaccio/logger';
-import { aesEncrypt, parseBasicPayload, signPayload } from '@verdaccio/signature';
+import {
+  aesEncrypt,
+  aesEncryptDeprecated,
+  parseBasicPayload,
+  signPayload,
+} from '@verdaccio/signature';
 import {
   AllowAccess,
   Callback,
   Config,
   JWTSignOptions,
-  Logger,
   PackageAccess,
   RemoteUser,
   Security,
 } from '@verdaccio/types';
 import { getMatchedPackagesSpec, isFunction, isNil } from '@verdaccio/utils';
 
+import {
+  $RequestExtend,
+  $ResponseExtend,
+  AESPayload,
+  IAuthMiddleware,
+  NextFunction,
+  TokenEncryption,
+} from './types';
 import {
   convertPayloadToBase64,
   getDefaultPlugins,
@@ -40,25 +53,6 @@ import {
 
 const debug = buildDebug('verdaccio:auth');
 
-export interface TokenEncryption {
-  jwtEncrypt(user: RemoteUser, signOptions: JWTSignOptions): Promise<string>;
-  aesEncrypt(buf: string): string | void;
-}
-
-// remove
-export interface AESPayload {
-  user: string;
-  password: string;
-}
-export interface IAuthMiddleware {
-  apiJWTmiddleware(): $NextFunctionVer;
-  webUIJWTmiddleware(): $NextFunctionVer;
-}
-
-export type $RequestExtend = Request & { remote_user?: any; log: Logger };
-export type $ResponseExtend = Response & { cookies?: any };
-export type $NextFunctionVer = NextFunction & any;
-
 class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
   public config: Config;
   public secret: string;
@@ -75,6 +69,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
 
   public async init() {
     let plugins = (await this.loadPlugin()) as pluginUtils.Auth<unknown>[];
+
     debug('auth plugins found %s', plugins.length);
     if (!plugins || plugins.length === 0) {
       plugins = this.loadDefaultPlugin();
@@ -226,29 +221,32 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     debug('add user %o', user);
 
     (function next(): void {
+      let method = 'adduser';
       const plugin = plugins.shift() as pluginUtils.Auth<Config>;
-      if (typeof plugin.adduser !== 'function') {
+      // @ts-expect-error future major (7.x) should remove this section
+      if (typeof plugin.adduser === 'undefined' && typeof plugin.add_user === 'function') {
+        method = 'add_user';
+        warningUtils.emit(warningUtils.Codes.VERWAR006);
+      }
+      // @ts-ignore
+      if (typeof plugin[method] !== 'function') {
         next();
       } else {
-        // @ts-expect-error future major (7.x) should remove this section
-        if (typeof plugin.adduser === 'undefined' && typeof plugin.add_user === 'function') {
-          throw errorUtils.getInternalError(
-            'add_user method not longer supported, rename to adduser'
-          );
-        }
-
-        plugin.adduser(
+        // TODO: replace by adduser whenever add_user deprecation method has been removed
+        // @ts-ignore
+        plugin[method](
           user,
           password,
           function (err: VerdaccioError | null, ok?: boolean | string): void {
             if (err) {
-              debug('the user  %o could not being added. Error: %o', user, err?.message);
+              debug('the user %o could not being added. Error: %o', user, err?.message);
               return cb(err);
             }
             if (ok) {
               debug('the user %o has been added', user);
               return self.authenticate(user, password, cb);
             }
+            debug('user could not be added, skip to next auth plugin');
             next();
           }
         );
@@ -375,7 +373,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     })();
   }
 
-  public apiJWTmiddleware() {
+  public apiJWTmiddleware(): any {
     debug('jwt middleware');
     const plugins = this.plugins.slice(0);
     const helpers = { createAnonymousRemoteUser, createRemoteUser };
@@ -387,8 +385,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
 
     return (req: $RequestExtend, res: $ResponseExtend, _next: NextFunction) => {
       req.pause();
-
-      const next = function (err?: VerdaccioError): any {
+      const next = function (err?: VerdaccioError): NextFunction {
         req.resume();
         // uncomment this to reject users with bad auth headers
         // return _next.apply(null, arguments)
@@ -398,13 +395,14 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
           req.remote_user.error = err.message;
         }
 
-        return _next();
+        return _next() as unknown as NextFunction;
       };
 
-      if (this._isRemoteUserValid(req.remote_user)) {
-        debug('jwt has a valid authentication header');
-        return next();
-      }
+      // FUTURE: disabled, not removed yet but seems unreacable code
+      // if (this._isRemoteUserValid(req.remote_user)) {
+      //   debug('jwt has a valid authentication header');
+      //   return next();
+      // }
 
       // in case auth header does not exist we return anonymous function
       const remoteUser = createAnonymousRemoteUser();
@@ -425,20 +423,20 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
 
       if (isAESLegacy(security)) {
         debug('api middleware using legacy auth token');
-        this._handleAESMiddleware(req, security, secret, authorization, next);
+        this.handleAESMiddleware(req, security, secret, authorization, next);
       } else {
         debug('api middleware using JWT auth token');
-        this._handleJWTAPIMiddleware(req, security, secret, authorization, next);
+        this.handleJWTAPIMiddleware(req, security, secret, authorization, next);
       }
     };
   }
 
-  private _handleJWTAPIMiddleware(
+  private handleJWTAPIMiddleware(
     req: $RequestExtend,
     security: Security,
     secret: string,
     authorization: string,
-    next: Function
+    next: any
   ): void {
     debug('handle JWT api middleware');
     const { scheme, token } = parseAuthTokenHeader(authorization);
@@ -475,7 +473,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     }
   }
 
-  private _handleAESMiddleware(
+  private handleAESMiddleware(
     req: $RequestExtend,
     security: Security,
     secret: string,
@@ -485,7 +483,12 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     debug('handle legacy api middleware');
     debug('api middleware secret %o', typeof secret === 'string');
     debug('api middleware authorization %o', typeof authorization === 'string');
-    const credentials: any = getMiddlewareCredentials(security, secret, authorization);
+    const credentials: any = getMiddlewareCredentials(
+      security,
+      secret,
+      authorization,
+      this.config?.getEnhancedLegacySignature()
+    );
     debug('api middleware credentials %o', credentials?.name);
     if (credentials) {
       const { user, password } = credentials;
@@ -515,7 +518,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
   /**
    * JWT middleware for WebUI
    */
-  public webUIJWTmiddleware(): $NextFunctionVer {
+  public webUIJWTmiddleware() {
     return (req: $RequestExtend, res: $ResponseExtend, _next: NextFunction): void => {
       if (this._isRemoteUserValid(req.remote_user)) {
         return _next();
@@ -525,7 +528,7 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
       const next = (err: VerdaccioError | void): void => {
         req.resume();
         if (err) {
-          // req.remote_user.error = err.message;
+          req.remote_user.error = err.message;
           res.status(err.statusCode).send(err.message);
         }
 
@@ -576,7 +579,6 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
       name,
       groups: groupedGroups,
     };
-
     const token: string = await signPayload(payload, this.secret, signOptions);
 
     return token;
@@ -586,7 +588,17 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
    * Encrypt a string.
    */
   public aesEncrypt(value: string): string | void {
-    return aesEncrypt(value, this.secret);
+    // enhancedLegacySignature enables modern aes192 algorithm signature
+    if (this.config?.getEnhancedLegacySignature()) {
+      debug('signing with enhaced aes legacy');
+      const token = aesEncrypt(value, this.secret);
+      return token;
+    } else {
+      debug('signing with enhaced aes deprecated legacy');
+      // deprecated aes (legacy) signature, only must be used for legacy version
+      const token = aesEncryptDeprecated(Buffer.from(value), this.secret).toString('base64');
+      return token;
+    }
   }
 }
 

packages/auth/src/index.ts

@@ -1,2 +1,3 @@
 export { Auth } from './auth';
 export * from './utils';
+export * from './types';

packages/auth/src/signature-legacy.ts

@@ -0,0 +1,66 @@
+import buildDebug from 'debug';
+import _ from 'lodash';
+
+import { TOKEN_BASIC, TOKEN_BEARER } from '@verdaccio/core';
+import { aesDecryptDeprecated as aesDecrypt, parseBasicPayload } from '@verdaccio/signature';
+import { Security } from '@verdaccio/types';
+
+import { AuthMiddlewarePayload } from './types';
+import {
+  convertPayloadToBase64,
+  isAESLegacy,
+  parseAuthTokenHeader,
+  verifyJWTPayload,
+} from './utils';
+
+const debug = buildDebug('verdaccio:auth:utils');
+
+export function parseAESCredentials(authorizationHeader: string, secret: string) {
+  debug('parseAESCredentials');
+  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
+
+  // basic is deprecated and should not be enforced
+  // basic is currently being used for functional test
+  if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
+    debug('legacy header basic');
+    const credentials = convertPayloadToBase64(token).toString();
+
+    return credentials;
+  } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
+    debug('legacy header bearer');
+    const credentials = aesDecrypt(Buffer.from(token), secret);
+
+    return credentials;
+  }
+}
+
+export function getMiddlewareCredentials(
+  security: Security,
+  secretKey: string,
+  authorizationHeader: string
+): AuthMiddlewarePayload {
+  debug('getMiddlewareCredentials');
+  // comment out for debugging purposes
+  if (isAESLegacy(security)) {
+    debug('is legacy');
+    const credentials = parseAESCredentials(authorizationHeader, secretKey);
+    if (typeof credentials !== 'string') {
+      debug('parse legacy credentials failed');
+      return;
+    }
+
+    const parsedCredentials = parseBasicPayload(credentials);
+    if (!parsedCredentials) {
+      debug('parse legacy basic payload credentials failed');
+      return;
+    }
+
+    return parsedCredentials;
+  }
+  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
+
+  debug('is jwt');
+  if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
+    return verifyJWTPayload(token, secretKey);
+  }
+}

packages/auth/src/signature.ts

@@ -0,0 +1,66 @@
+import buildDebug from 'debug';
+import _ from 'lodash';
+
+import { TOKEN_BASIC, TOKEN_BEARER } from '@verdaccio/core';
+import { aesDecrypt, parseBasicPayload } from '@verdaccio/signature';
+import { Security } from '@verdaccio/types';
+
+import { AuthMiddlewarePayload } from './types';
+import {
+  convertPayloadToBase64,
+  isAESLegacy,
+  parseAuthTokenHeader,
+  verifyJWTPayload,
+} from './utils';
+
+const debug = buildDebug('verdaccio:auth:utils');
+
+export function parseAESCredentials(authorizationHeader: string, secret: string) {
+  debug('parseAESCredentials');
+  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
+
+  // basic is deprecated and should not be enforced
+  // basic is currently being used for functional test
+  if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
+    debug('legacy header basic');
+    const credentials = convertPayloadToBase64(token).toString();
+
+    return credentials;
+  } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
+    debug('legacy header bearer');
+    const credentials = aesDecrypt(token, secret);
+
+    return credentials;
+  }
+}
+
+export function getMiddlewareCredentials(
+  security: Security,
+  secretKey: string,
+  authorizationHeader: string
+): AuthMiddlewarePayload {
+  debug('getMiddlewareCredentials');
+  // comment out for debugging purposes
+  if (isAESLegacy(security)) {
+    debug('is legacy');
+    const credentials = parseAESCredentials(authorizationHeader, secretKey);
+    if (!credentials) {
+      debug('parse legacy credentials failed');
+      return;
+    }
+
+    const parsedCredentials = parseBasicPayload(credentials);
+    if (!parsedCredentials) {
+      debug('parse legacy basic payload credentials failed');
+      return;
+    }
+
+    return parsedCredentials;
+  }
+  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
+
+  debug('is jwt');
+  if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
+    return verifyJWTPayload(token, secretKey);
+  }
+}

packages/auth/src/types.ts

@@ -0,0 +1,46 @@
+import { NextFunction, Request, Response } from 'express';
+
+import { VerdaccioError } from '@verdaccio/core';
+import { AuthPackageAllow, JWTSignOptions, Logger, RemoteUser } from '@verdaccio/types';
+
+export interface AESPayload {
+  user: string;
+  password: string;
+}
+
+export type BasicPayload = AESPayload | void;
+export type AuthMiddlewarePayload = RemoteUser | BasicPayload;
+
+export interface AuthTokenHeader {
+  scheme: string;
+  token: string;
+}
+export type AllowActionCallbackResponse = boolean | undefined;
+export type AllowActionCallback = (
+  error: VerdaccioError | null,
+  allowed?: AllowActionCallbackResponse
+) => void;
+
+export type AllowAction = (
+  user: RemoteUser,
+  pkg: AuthPackageAllow,
+  callback: AllowActionCallback
+) => void;
+
+export interface TokenEncryption {
+  jwtEncrypt(user: RemoteUser, signOptions: JWTSignOptions): Promise<string>;
+  aesEncrypt(buf: string): string | void;
+}
+
+export type ActionsAllowed = 'publish' | 'unpublish' | 'access';
+
+// remove
+export interface IAuthMiddleware {
+  apiJWTmiddleware(): $NextFunctionVer;
+  webUIJWTmiddleware(): $NextFunctionVer;
+}
+
+export type $RequestExtend = Request & { remote_user?: any; log: Logger };
+export type $ResponseExtend = Response & { cookies?: any };
+export type $NextFunctionVer = NextFunction & any;
+export { NextFunction };

packages/auth/src/utils.ts

@@ -7,36 +7,28 @@ import {
   HTTP_STATUS,
   TOKEN_BASIC,
   TOKEN_BEARER,
-  VerdaccioError,
   errorUtils,
   pluginUtils,
 } from '@verdaccio/core';
-import { aesDecrypt, parseBasicPayload, verifyPayload } from '@verdaccio/signature';
+import {
+  aesDecrypt,
+  aesDecryptDeprecated,
+  parseBasicPayload,
+  verifyPayload,
+} from '@verdaccio/signature';
 import { AuthPackageAllow, Config, Logger, RemoteUser, Security } from '@verdaccio/types';
 
-import { AESPayload, TokenEncryption } from './auth';
+import {
+  ActionsAllowed,
+  AllowAction,
+  AllowActionCallback,
+  AuthMiddlewarePayload,
+  AuthTokenHeader,
+  TokenEncryption,
+} from './types';
 
 const debug = buildDebug('verdaccio:auth:utils');
 
-export type BasicPayload = AESPayload | void;
-export type AuthMiddlewarePayload = RemoteUser | BasicPayload;
-
-export interface AuthTokenHeader {
-  scheme: string;
-  token: string;
-}
-export type AllowActionCallbackResponse = boolean | undefined;
-export type AllowActionCallback = (
-  error: VerdaccioError | null,
-  allowed?: AllowActionCallbackResponse
-) => void;
-
-export type AllowAction = (
-  user: RemoteUser,
-  pkg: AuthPackageAllow,
-  callback: AllowActionCallback
-) => void;
-
 /**
  * Split authentication header eg: Bearer [secret_token]
  * @param authorizationHeader auth token
@@ -48,7 +40,11 @@ export function parseAuthTokenHeader(authorizationHeader: string): AuthTokenHead
   return { scheme, token };
 }
 
-export function parseAESCredentials(authorizationHeader: string, secret: string) {
+export function parseAESCredentials(
+  authorizationHeader: string,
+  secret: string,
+  enhanced: boolean
+) {
   debug('parseAESCredentials');
   const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
 
@@ -61,7 +57,11 @@ export function parseAESCredentials(authorizationHeader: string, secret: string)
     return credentials;
   } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
     debug('legacy header bearer');
-    const credentials = aesDecrypt(token, secret);
+    debug('legacy header enhanced?', enhanced);
+    const credentials = enhanced
+      ? aesDecrypt(token.toString(), secret)
+      : // FUTURE: once deprecated legacy is removed this logic won't be longer need it
+        aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
 
     return credentials;
   }
@@ -70,13 +70,14 @@ export function parseAESCredentials(authorizationHeader: string, secret: string)
 export function getMiddlewareCredentials(
   security: Security,
   secretKey: string,
-  authorizationHeader: string
+  authorizationHeader: string,
+  enhanced: boolean = true
 ): AuthMiddlewarePayload {
   debug('getMiddlewareCredentials');
   // comment out for debugging purposes
   if (isAESLegacy(security)) {
     debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey);
+    const credentials = parseAESCredentials(authorizationHeader, secretKey, enhanced);
     if (!credentials) {
       debug('parse legacy credentials failed');
       return;
@@ -161,14 +162,15 @@ export function isAuthHeaderValid(authorization: string): boolean {
 export function getDefaultPlugins(logger: Logger): pluginUtils.Auth<Config> {
   return {
     authenticate(_user: string, _password: string, cb: pluginUtils.AuthCallback): void {
+      debug('triggered default authenticate method');
       cb(errorUtils.getForbidden(API_ERROR.BAD_USERNAME_PASSWORD));
     },
 
     adduser(_user: string, _password: string, cb: pluginUtils.AuthUserCallback): void {
+      debug('triggered default adduser method');
       return cb(errorUtils.getConflict(API_ERROR.BAD_USERNAME_PASSWORD));
     },
 
-    // FIXME: allow_action and allow_publish should be in the @verdaccio/types
     // @ts-ignore
     allow_access: allow_action('access', logger),
     // @ts-ignore
@@ -177,8 +179,6 @@ export function getDefaultPlugins(logger: Logger): pluginUtils.Auth<Config> {
   };
 }
 
-export type ActionsAllowed = 'publish' | 'unpublish' | 'access';
-
 export function allow_action(action: ActionsAllowed, logger: Logger): AllowAction {
   return function allowActionCallback(
     user: RemoteUser,
@@ -187,8 +187,13 @@ export function allow_action(action: ActionsAllowed, logger: Logger): AllowActio
   ): void {
     logger.trace({ remote: user.name }, `[auth/allow_action]: user: @{remote}`);
     const { name, groups } = user;
+    debug('allow_action "%s": groups %s', action, groups);
     const groupAccess = pkg[action] as string[];
-    const hasPermission = groupAccess.some((group) => name === group || groups.includes(group));
+    debug('allow_action "%s": groupAccess %s', action, groupAccess);
+    const hasPermission = groupAccess.some((group) => {
+      return name === group || groups.includes(group);
+    });
+    debug('package "%s" has permission "%s"', name, hasPermission);
     logger.trace(
       { pkgName: pkg.name, hasPermission, remote: user.name, groupAccess },
       `[auth/allow_action]: hasPermission? @{hasPermission} for user: @{remote}, package: @{pkgName}`
@@ -218,7 +223,8 @@ export function handleSpecialUnpublish(logger: Logger): any {
   return function (user: RemoteUser, pkg: AuthPackageAllow, callback: AllowActionCallback): void {
     const action = 'unpublish';
     // verify whether the unpublish prop has been defined
-    const isUnpublishMissing: boolean = _.isNil(pkg[action]);
+    const isUnpublishMissing: boolean = !pkg[action];
+    debug('is unpublish method missing ? %s', isUnpublishMissing);
     const hasGroups: boolean = isUnpublishMissing ? false : (pkg[action] as string[]).length > 0;
     logger.trace(
       { user: user.name, name: pkg.name, hasGroups },

packages/auth/test/auth.spec.ts

@@ -1,47 +1,79 @@
+import express from 'express';
 import path from 'path';
+import supertest from 'supertest';
 
-import { Config as AppConfig, ROLES, getDefaultConfig } from '@verdaccio/config';
-import { errorUtils } from '@verdaccio/core';
-import { setup } from '@verdaccio/logger';
+import { Config as AppConfig, ROLES, createRemoteUser, getDefaultConfig } from '@verdaccio/config';
+import {
+  API_ERROR,
+  HEADERS,
+  HTTP_STATUS,
+  SUPPORT_ERRORS,
+  TOKEN_BEARER,
+  errorUtils,
+} from '@verdaccio/core';
+import { logger, setup } from '@verdaccio/logger';
+import { errorReportingMiddleware, final, handleError } from '@verdaccio/middleware';
 import { Config } from '@verdaccio/types';
+import { buildToken } from '@verdaccio/utils';
 
-import { Auth } from '../src';
-import { authPluginFailureConf, authPluginPassThrougConf, authProfileConf } from './helper/plugin';
+import { $RequestExtend, Auth } from '../src';
+import {
+  authChangePasswordConf,
+  authPluginFailureConf,
+  authPluginPassThrougConf,
+  authProfileConf,
+} from './helper/plugin';
 
-setup({ level: 'debug', type: 'stdout' });
+setup({});
+
+// to avoid flaky test generate same ramdom key
+jest.mock('@verdaccio/utils', () => {
+  return {
+    ...jest.requireActual('@verdaccio/utils'),
+    // used by enhanced legacy aes signature (minimum 32 characters)
+    generateRandomSecretKey: () => 'GCYW/3IJzQI6GvPmy9sbMkFoiL7QLVw',
+    // used by legacy aes signature
+    generateRandomHexString: () =>
+      'ff065fcf7a8330ae37d3ea116328852f387ad7aa6defbe47fb68b1ea25f97446',
+  };
+});
 
 describe('AuthTest', () => {
-  test('should init correctly', async () => {
-    const config: Config = new AppConfig({ ...authProfileConf });
-    config.checkSecretKey('12345');
+  describe('default', () => {
+    test('should init correctly', async () => {
+      const config: Config = new AppConfig({ ...authProfileConf });
+      config.checkSecretKey('12345');
 
-    const auth: Auth = new Auth(config);
-    await auth.init();
-    expect(auth).toBeDefined();
-  });
-
-  test('should load default auth plugin', async () => {
-    const config: Config = new AppConfig({ ...authProfileConf, auth: undefined });
-    config.checkSecretKey('12345');
-
-    const auth: Auth = new Auth(config);
-    await auth.init();
-    expect(auth).toBeDefined();
-  });
-
-  test('should load custom algorithm', async () => {
-    const config: Config = new AppConfig({
-      ...authProfileConf,
-      auth: { htpasswd: { algorithm: 'sha1', file: './foo' } },
+      const auth: Auth = new Auth(config);
+      await auth.init();
+      expect(auth).toBeDefined();
     });
-    config.checkSecretKey('12345');
 
-    const auth: Auth = new Auth(config);
-    await auth.init();
-    expect(auth).toBeDefined();
+    test('should load default auth plugin', async () => {
+      const config: Config = new AppConfig({ ...authProfileConf, auth: undefined });
+      config.checkSecretKey('12345');
+
+      const auth: Auth = new Auth(config);
+      await auth.init();
+      expect(auth).toBeDefined();
+    });
   });
 
-  describe('test authenticate method', () => {
+  describe('utils', () => {
+    test('should load custom algorithm', async () => {
+      const config: Config = new AppConfig({
+        ...authProfileConf,
+        auth: { htpasswd: { algorithm: 'sha1', file: './foo' } },
+      });
+      config.checkSecretKey('12345');
+
+      const auth: Auth = new Auth(config);
+      await auth.init();
+      expect(auth).toBeDefined();
+    });
+  });
+
+  describe('authenticate', () => {
     describe('test authenticate states', () => {
       test('should be a success login', async () => {
         const config: Config = new AppConfig({ ...authProfileConf });
@@ -163,30 +195,519 @@ describe('AuthTest', () => {
         }
       });
     });
+
+    describe('test multiple authenticate methods', () => {
+      test('should skip falsy values', async () => {
+        const config: Config = new AppConfig({
+          ...getDefaultConfig(),
+          plugins: path.join(__dirname, './partials/plugin'),
+          auth: {
+            success: {},
+            'fail-invalid-method': {},
+          },
+        });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+
+        return new Promise((resolve) => {
+          auth.authenticate('foo', 'bar', (err, value) => {
+            expect(value).toEqual({
+              name: 'foo',
+              groups: ['test', ROLES.$ALL, '$authenticated', '@all', '@authenticated', 'all'],
+              real_groups: ['test'],
+            });
+            resolve(value);
+          });
+        });
+      });
+    });
   });
 
-  describe('test multiple authenticate methods', () => {
-    test('should skip falsy values', async () => {
+  describe('changePassword', () => {
+    test('should fail if the plugin does not provide implementation', async () => {
+      const config: Config = new AppConfig({ ...authProfileConf });
+      config.checkSecretKey('12345');
+      const auth: Auth = new Auth(config);
+      await auth.init();
+      expect(auth).toBeDefined();
+      const callback = jest.fn();
+
+      auth.changePassword('foo', 'bar', 'newFoo', callback);
+
+      expect(callback).toHaveBeenCalledTimes(1);
+      expect(callback).toHaveBeenCalledWith(
+        errorUtils.getInternalError(SUPPORT_ERRORS.PLUGIN_MISSING_INTERFACE)
+      );
+    });
+    test('should handle plugin does provide implementation', async () => {
+      const config: Config = new AppConfig({ ...authChangePasswordConf });
+      config.checkSecretKey('12345');
+      const auth: Auth = new Auth(config);
+      await auth.init();
+      expect(auth).toBeDefined();
+      const callback = jest.fn();
+      auth.add_user('foo', 'bar', jest.fn());
+      auth.changePassword('foo', 'bar', 'newFoo', callback);
+      expect(callback).toHaveBeenCalledTimes(1);
+      expect(callback).toHaveBeenCalledWith(null, true);
+    });
+  });
+
+  describe('allow_access', () => {
+    describe('no custom allow_access implementation provided', () => {
+      // when allow_access is not implemented, the groups must match
+      // exactly with the packages access group
+      test('should fails if groups do not match exactly', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        const groups = ['test'];
+
+        auth.allow_access(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(
+          errorUtils.getForbidden('user foo is not allowed to access package foo')
+        );
+      });
+
+      test('should success if groups do not match exactly', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        // $all comes from configuration file
+        const groups = [ROLES.$ALL];
+
+        auth.allow_access(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(null, true);
+      });
+    });
+  });
+
+  describe('allow_publish', () => {
+    describe('no custom allow_publish implementation provided', () => {
+      // when allow_access is not implemented, the groups must match
+      // exactly with the packages access group
+      test('should fails if groups do not match exactly', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        const groups = ['test'];
+
+        auth.allow_publish(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(
+          errorUtils.getForbidden('user foo is not allowed to publish package foo')
+        );
+      });
+
+      test('should success if groups do match exactly', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        // $all comes from configuration file
+        const groups = [ROLES.$AUTH];
+
+        auth.allow_publish(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(null, true);
+      });
+    });
+  });
+  describe('allow_unpublish', () => {
+    describe('no custom allow_unpublish implementation provided', () => {
+      test('should fails if groups do not match exactly', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+        config.checkSecretKey('12345');
+
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        const groups = ['test'];
+
+        auth.allow_unpublish(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(
+          errorUtils.getForbidden('user foo is not allowed to unpublish package foo')
+        );
+      });
+
+      test('should handle missing unpublish method (special case to handle legacy configurations)', async () => {
+        const config: Config = new AppConfig({
+          ...authProfileConf,
+          packages: {
+            ...authProfileConf.packages,
+            '**': {
+              access: ['$all'],
+              publish: ['$authenticated'],
+              // it forces publish handle the access
+              unpublish: undefined,
+              proxy: ['npmjs'],
+            },
+          },
+        });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        const groups = ['test'];
+
+        auth.allow_unpublish(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(
+          errorUtils.getForbidden('user foo is not allowed to publish package foo')
+        );
+      });
+
+      test('should success if groups do match exactly', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+        // $all comes from configuration file
+        const groups = [ROLES.$AUTH];
+
+        auth.allow_unpublish(
+          { packageName: 'foo' },
+          { name: 'foo', groups, real_groups: groups },
+          callback
+        );
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(null, true);
+      });
+    });
+  });
+
+  describe('add_user', () => {
+    describe('error handling', () => {
+      // when allow_access is not implemented, the groups must match
+      // exactly with the packages access group
+      test('should fails with bad password if adduser is not implemented', async () => {
+        const config: Config = new AppConfig({ ...authProfileConf });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+
+        auth.add_user('juan', 'password', callback);
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(
+          errorUtils.getConflict(API_ERROR.BAD_USERNAME_PASSWORD)
+        );
+      });
+
+      test('should fails if adduser fails internally (exception)', async () => {
+        const config: Config = new AppConfig({
+          ...getDefaultConfig(),
+          plugins: path.join(__dirname, './partials/plugin'),
+          auth: {
+            adduser: {},
+          },
+        });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+
+        // note: fail uas username make plugin fails
+        auth.add_user('fail', 'password', callback);
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(new Error('bad username'));
+      });
+
+      test('should skip to the next plugin and fails', async () => {
+        const config: Config = new AppConfig({
+          ...getDefaultConfig(),
+          plugins: path.join(__dirname, './partials/plugin'),
+          auth: {
+            adduser: {},
+            // plugin implement adduser with fail auth
+            fail: {},
+          },
+        });
+        config.checkSecretKey('12345');
+        const auth: Auth = new Auth(config);
+        await auth.init();
+        expect(auth).toBeDefined();
+
+        const callback = jest.fn();
+
+        // note: fail uas username make plugin fails
+        auth.add_user('skip', 'password', callback);
+
+        expect(callback).toHaveBeenCalledTimes(1);
+        expect(callback).toHaveBeenCalledWith(
+          errorUtils.getConflict(API_ERROR.BAD_USERNAME_PASSWORD)
+        );
+      });
+    });
+    test('should success if adduser', async () => {
       const config: Config = new AppConfig({
         ...getDefaultConfig(),
         plugins: path.join(__dirname, './partials/plugin'),
         auth: {
-          success: {},
-          'fail-invalid-method': {},
+          adduser: {},
         },
       });
       config.checkSecretKey('12345');
       const auth: Auth = new Auth(config);
       await auth.init();
+      expect(auth).toBeDefined();
 
-      return new Promise((resolve) => {
-        auth.authenticate('foo', 'bar', (err, value) => {
-          expect(value).toEqual({
-            name: 'foo',
-            groups: ['test', '$all', '$authenticated', '@all', '@authenticated', 'all'],
-            real_groups: ['test'],
+      const callback = jest.fn();
+
+      auth.add_user('something', 'password', callback);
+
+      expect(callback).toHaveBeenCalledTimes(1);
+      expect(callback).toHaveBeenCalledWith(null, {
+        groups: ['test', '$all', '$authenticated', '@all', '@authenticated', 'all'],
+        name: 'something',
+        real_groups: ['test'],
+      });
+    });
+    test('should handle legacy add_user method', async () => {
+      const config: Config = new AppConfig({
+        ...getDefaultConfig(),
+        plugins: path.join(__dirname, './partials/plugin'),
+        auth: {
+          'adduser-legacy': {},
+        },
+      });
+      config.checkSecretKey('12345');
+      const auth: Auth = new Auth(config);
+      await auth.init();
+      expect(auth).toBeDefined();
+
+      const callback = jest.fn();
+
+      auth.add_user('something', 'password', callback);
+
+      expect(callback).toHaveBeenCalledTimes(1);
+      expect(callback).toHaveBeenCalledWith(null, {
+        groups: ['test', '$all', '$authenticated', '@all', '@authenticated', 'all'],
+        name: 'something',
+        real_groups: ['test'],
+      });
+    });
+  });
+  describe('middlewares', () => {
+    describe('apiJWTmiddleware', () => {
+      const secret = '12345';
+      const getServer = async function (auth) {
+        const app = express();
+        app.use(express.json({ strict: false, limit: '10mb' }));
+        // @ts-expect-error
+        app.use(errorReportingMiddleware(logger));
+        app.use(auth.apiJWTmiddleware());
+        app.get('/*', (req, res, next) => {
+          if ((req as $RequestExtend).remote_user.error) {
+            next(new Error((req as $RequestExtend).remote_user.error));
+          } else {
+            // @ts-expect-error
+            next({ user: req?.remote_user });
+          }
+        });
+        // @ts-expect-error
+        app.use(handleError(logger));
+        // @ts-expect-error
+        app.use(final);
+        return app;
+      };
+      describe('legacy signature', () => {
+        describe('error cases', () => {
+          test('should handle invalid auth token', async () => {
+            const config: Config = new AppConfig({ ...authProfileConf });
+            config.checkSecretKey(secret);
+            const auth = new Auth(config);
+            await auth.init();
+            const app = await getServer(auth);
+            return supertest(app)
+              .get(`/`)
+              .set(HEADERS.AUTHORIZATION, 'Bearer foo')
+              .expect(HTTP_STATUS.INTERNAL_ERROR);
+          });
+
+          test('should handle missing auth header', async () => {
+            const config: Config = new AppConfig({ ...authProfileConf });
+            config.checkSecretKey(secret);
+            const auth = new Auth(config);
+            await auth.init();
+            const app = await getServer(auth);
+            return supertest(app).get(`/`).expect(HTTP_STATUS.OK);
+          });
+        });
+
+        describe('deprecated legacy handling forceEnhancedLegacySignature=false', () => {
+          test('should handle valid auth token', async () => {
+            const payload = 'juan:password';
+            // const token = await signPayload(remoteUser, '12345');
+            const config: Config = new AppConfig(
+              { ...authProfileConf },
+              { forceEnhancedLegacySignature: false }
+            );
+            // intended to force key generator (associated with mocks above)
+            config.checkSecretKey(undefined);
+            const auth = new Auth(config);
+            await auth.init();
+            const token = auth.aesEncrypt(payload) as string;
+            const app = await getServer(auth);
+            const res = await supertest(app)
+              .get(`/`)
+              .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, token))
+              .expect(HTTP_STATUS.OK);
+            expect(res.body.user.name).toEqual('juan');
+          });
+
+          test('should handle invalid auth token', async () => {
+            const payload = 'juan:password';
+            const config: Config = new AppConfig(
+              { ...authPluginFailureConf },
+              { forceEnhancedLegacySignature: false }
+            );
+            // intended to force key generator (associated with mocks above)
+            config.checkSecretKey(undefined);
+            const auth = new Auth(config);
+            await auth.init();
+            const token = auth.aesEncrypt(payload) as string;
+            const app = await getServer(auth);
+            return await supertest(app)
+              .get(`/`)
+              .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, token))
+              .expect(HTTP_STATUS.INTERNAL_ERROR);
+          });
+        });
+      });
+      describe('jwt signature', () => {
+        describe('error cases', () => {
+          test('should handle invalid auth token and return anonymous', async () => {
+            // @ts-expect-error
+            const config: Config = new AppConfig({
+              ...authProfileConf,
+              ...{ security: { api: { jwt: { sign: { expiresIn: '29d' } } } } },
+            });
+            config.checkSecretKey(secret);
+            const auth = new Auth(config);
+            await auth.init();
+            const app = await getServer(auth);
+            const res = await supertest(app)
+              .get(`/`)
+              .set(HEADERS.AUTHORIZATION, 'Bearer foo')
+              .expect(HTTP_STATUS.OK);
+            expect(res.body.user.groups).toEqual([
+              ROLES.$ALL,
+              ROLES.$ANONYMOUS,
+              ROLES.DEPRECATED_ALL,
+              ROLES.DEPRECATED_ANONYMOUS,
+            ]);
+          });
+
+          test('should handle missing auth header', async () => {
+            // @ts-expect-error
+            const config: Config = new AppConfig({
+              ...authProfileConf,
+              ...{ security: { api: { jwt: { sign: { expiresIn: '29d' } } } } },
+            });
+            config.checkSecretKey(secret);
+            const auth = new Auth(config);
+            await auth.init();
+            const app = await getServer(auth);
+            const res = await supertest(app).get(`/`).expect(HTTP_STATUS.OK);
+            expect(res.body.user.groups).toEqual([
+              ROLES.$ALL,
+              ROLES.$ANONYMOUS,
+              ROLES.DEPRECATED_ALL,
+              ROLES.DEPRECATED_ANONYMOUS,
+            ]);
+          });
+        });
+        describe('valid signature handlers', () => {
+          test('should handle valid auth token', async () => {
+            const config: Config = new AppConfig(
+              // @ts-expect-error
+              {
+                ...authProfileConf,
+                ...{ security: { api: { jwt: { sign: { expiresIn: '29d' } } } } },
+              },
+              { forceEnhancedLegacySignature: false }
+            );
+            // intended to force key generator (associated with mocks above)
+            config.checkSecretKey(undefined);
+            const auth = new Auth(config);
+            await auth.init();
+            const token = (await auth.jwtEncrypt(
+              createRemoteUser('jwt_user', [ROLES.ALL]),
+              // @ts-expect-error
+              config.security.api.jwt.sign
+            )) as string;
+            const app = await getServer(auth);
+            const res = await supertest(app)
+              .get(`/`)
+              .set(HEADERS.AUTHORIZATION, buildToken(TOKEN_BEARER, token))
+              .expect(HTTP_STATUS.OK);
+            expect(res.body.user.name).toEqual('jwt_user');
           });
-          resolve(value);
         });
       });
     });

packages/auth/test/helper/plugin.ts

@@ -10,6 +10,14 @@ export const authProfileConf = {
   },
 };
 
+export const authChangePasswordConf = {
+  ...getDefaultConfig(),
+  plugins: path.join(__dirname, '../partials/plugin'),
+  auth: {
+    'change-password': {},
+  },
+};
+
 export const authPluginFailureConf = {
   ...getDefaultConfig(),
   plugins: path.join(__dirname, '../partials/plugin'),

packages/auth/test/partials/plugin/verdaccio-access-ok/access.js

@@ -0,0 +1,9 @@
+module.exports = function () {
+  return {
+    authenticate(user, pass, callback) {
+      // https://verdaccio.org/docs/en/dev-plugins#onsuccess
+      // this is a successful login and return a simple group
+      callback(null, ['test']);
+    },
+  };
+};

packages/auth/test/partials/plugin/verdaccio-access-ok/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "verdaccio-access-ok",
+  "main": "access.js",
+  "version": "1.0.0"
+}

packages/auth/test/partials/plugin/verdaccio-adduser-legacy/adduser.js

@@ -0,0 +1,25 @@
+module.exports = function () {
+  return {
+    authenticate(user, pass, callback) {
+      // https://verdaccio.org/docs/en/dev-plugins#onsuccess
+      // this is a successful login and return a simple group
+      callback(null, ['test']);
+    },
+    add_user(user, password, cb) {
+      if (user === 'fail') {
+        return cb(Error('bad username'));
+      }
+
+      if (user === 'password') {
+        return cb(Error('bad password'));
+      }
+
+      if (user === 'skip') {
+        // if wants to the next plugin
+        return cb(null, false);
+      }
+
+      cb(null, true);
+    },
+  };
+};

packages/auth/test/partials/plugin/verdaccio-adduser-legacy/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "verdaccio-adduser-legacy",
+  "main": "adduser.js",
+  "version": "1.0.0"
+}

packages/auth/test/partials/plugin/verdaccio-adduser/adduser.js

@@ -0,0 +1,25 @@
+module.exports = function () {
+  return {
+    authenticate(user, pass, callback) {
+      // https://verdaccio.org/docs/en/dev-plugins#onsuccess
+      // this is a successful login and return a simple group
+      callback(null, ['test']);
+    },
+    adduser(user, password, cb) {
+      if (user === 'fail') {
+        return cb(Error('bad username'));
+      }
+
+      if (user === 'password') {
+        return cb(Error('bad password'));
+      }
+
+      if (user === 'skip') {
+        // if wants to the next plugin
+        return cb(null, false);
+      }
+
+      cb(null, true);
+    },
+  };
+};

packages/auth/test/partials/plugin/verdaccio-adduser/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "verdaccio-adduser",
+  "main": "adduser.js",
+  "version": "1.0.0"
+}

packages/auth/test/partials/plugin/verdaccio-change-password/change.js

@@ -0,0 +1,32 @@
+module.exports = function () {
+  return {
+    users: [],
+    authenticate(user, pass, callback) {
+      // https://verdaccio.org/docs/en/dev-plugins#onsuccess
+      // this is a successful login and return a simple group
+      callback(null, ['test']);
+    },
+    changePassword(user, password, newPassword, cb) {
+      if (password === newPassword) {
+        return cb(Error('error password equal'));
+      }
+      return cb(null, true);
+    },
+    adduser(user, password, cb) {
+      if (user === 'fail') {
+        return cb(Error('bad username'));
+      }
+
+      if (user === 'password') {
+        return cb(Error('bad password'));
+      }
+
+      if (user === 'skip') {
+        // if wants to the next plugin
+        return cb(null, false);
+      }
+
+      cb(null, true);
+    },
+  };
+};

packages/auth/test/partials/plugin/verdaccio-change-password/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "verdaccio-change-password",
+  "main": "change.js",
+  "version": "1.0.0"
+}

packages/auth/test/partials/plugin/verdaccio-fail/fail.js

@@ -7,5 +7,8 @@ module.exports = function () {
       and success types respectively for testing purposes */
       callback(errorUtils.getInternalError(), false);
     },
+    adduser(user, password, cb) {
+      return cb(null, false);
+    },
   };
 };

packages/cli/CHANGELOG.md

@@ -1,5 +1,71 @@
 # @verdaccio/cli
 
+## 7.0.0-next-7.11
+
+### Patch Changes
+
+- Updated dependencies [c9962fe]
+  - @verdaccio/config@7.0.0-next-7.11
+  - @verdaccio/node-api@7.0.0-next-7.11
+  - @verdaccio/core@7.0.0-next-7.11
+  - @verdaccio/logger@7.0.0-next-7.11
+
+## 7.0.0-next-7.10
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.10
+- @verdaccio/config@7.0.0-next-7.10
+- @verdaccio/node-api@7.0.0-next-7.10
+- @verdaccio/logger@7.0.0-next-7.10
+
+## 7.0.0-next-7.9
+
+### Patch Changes
+
+- @verdaccio/node-api@7.0.0-next-7.9
+- @verdaccio/core@7.0.0-next-7.9
+- @verdaccio/config@7.0.0-next-7.9
+- @verdaccio/logger@7.0.0-next-7.9
+
+## 7.0.0-next-7.8
+
+### Patch Changes
+
+- @verdaccio/node-api@7.0.0-next-7.8
+- @verdaccio/core@7.0.0-next-7.8
+- @verdaccio/config@7.0.0-next-7.8
+- @verdaccio/logger@7.0.0-next-7.8
+
+## 7.0.0-next-7.7
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.7
+- @verdaccio/config@7.0.0-next-7.7
+- @verdaccio/node-api@7.0.0-next-7.7
+- @verdaccio/logger@7.0.0-next-7.7
+
+## 7.0.0-next.6
+
+### Patch Changes
+
+- Updated dependencies [4d96324]
+  - @verdaccio/config@7.0.0-next.6
+  - @verdaccio/node-api@7.0.0-next.6
+  - @verdaccio/core@7.0.0-next.6
+  - @verdaccio/logger@7.0.0-next.6
+
+## 7.0.0-next.5
+
+### Patch Changes
+
+- Updated dependencies [f047cc8]
+  - @verdaccio/core@7.0.0-next.5
+  - @verdaccio/config@7.0.0-next.5
+  - @verdaccio/node-api@7.0.0-next.5
+  - @verdaccio/logger@7.0.0-next.5
+
 ## 7.0.0-next.4
 
 ### Patch Changes
@@ -178,12 +244,12 @@
 - 8f43bf17d: feat: node api new structure based on promise
 
   ```js
-  import { runServer } from '@verdaccio/node-api';
+  import { runServer } from "@verdaccio/node-api";
   // or
-  import { runServer } from 'verdaccio';
+  import { runServer } from "verdaccio";
 
   const app = await runServer(); // default configuration
-  const app = await runServer('./config/config.yaml');
+  const app = await runServer("./config/config.yaml");
   const app = await runServer({ configuration });
   app.listen(4000, (event) => {
     // do something
@@ -1029,14 +1095,14 @@
 - 5c5057fc: feat: node api new structure based on promise
 
   ```js
-  import { runServer } from '@verdaccio/node-api';
+  import { runServer } from "@verdaccio/node-api";
   // or
-  import { runServer } from 'verdaccio';
+  import { runServer } from "verdaccio";
 
   const app = await runServer(); // default configuration
-  const app = await runServer('./config/config.yaml');
+  const app = await runServer("./config/config.yaml");
   const app = await runServer({ configuration });
-  app.listen(4000, event => {
+  app.listen(4000, (event) => {
     // do something
   });
   ```

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/cli",
-  "version": "7.0.0-next.4",
+  "version": "7.0.0-next-7.11",
   "author": {
     "name": "Juan Picado",
     "email": "juanpicado19@gmail.com"
@@ -43,17 +43,17 @@
     "start": "ts-node src/index.ts"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next.4",
-    "@verdaccio/config": "workspace:7.0.0-next.4",
-    "@verdaccio/logger": "workspace:7.0.0-next.4",
-    "@verdaccio/node-api": "workspace:7.0.0-next.4",
+    "@verdaccio/core": "workspace:7.0.0-next-7.11",
+    "@verdaccio/config": "workspace:7.0.0-next-7.11",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.11",
+    "@verdaccio/node-api": "workspace:7.0.0-next-7.11",
     "clipanion": "3.2.1",
-    "envinfo": "7.8.1",
+    "envinfo": "7.11.0",
     "kleur": "4.1.5",
-    "semver": "7.5.4"
+    "semver": "7.6.0"
   },
   "devDependencies": {
-    "ts-node": "10.9.1"
+    "ts-node": "10.9.2"
   },
   "funding": {
     "type": "opencollective",

packages/config/CHANGELOG.md

@@ -1,5 +1,64 @@
 # @verdaccio/config
 
+## 7.0.0-next-7.11
+
+### Minor Changes
+
+- c9962fe: feat: forbidden user interface
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.11
+- @verdaccio/utils@7.0.0-next-7.11
+
+## 7.0.0-next-7.10
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.10
+- @verdaccio/utils@7.0.0-next-7.10
+
+## 7.0.0-next-7.9
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.9
+- @verdaccio/utils@7.0.0-next-7.9
+
+## 7.0.0-next-7.8
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.8
+- @verdaccio/utils@7.0.0-next-7.8
+
+## 7.0.0-next-7.7
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.7
+- @verdaccio/utils@7.0.0-next-7.7
+
+## 7.0.0-next.6
+
+### Patch Changes
+
+- 4d96324: chore(config): increase test coverage
+  - @verdaccio/core@7.0.0-next.6
+  - @verdaccio/utils@7.0.0-next.6
+
+## 7.0.0-next.5
+
+### Minor Changes
+
+- f047cc8: refactor: auth with legacy sign support
+
+### Patch Changes
+
+- Updated dependencies [f047cc8]
+  - @verdaccio/core@7.0.0-next.5
+  - @verdaccio/utils@7.0.0-next.5
+
 ## 7.0.0-next.4
 
 ### Patch Changes
@@ -225,12 +284,12 @@
 - 8f43bf17d: feat: node api new structure based on promise
 
   ```js
-  import { runServer } from '@verdaccio/node-api';
+  import { runServer } from "@verdaccio/node-api";
   // or
-  import { runServer } from 'verdaccio';
+  import { runServer } from "verdaccio";
 
   const app = await runServer(); // default configuration
-  const app = await runServer('./config/config.yaml');
+  const app = await runServer("./config/config.yaml");
   const app = await runServer({ configuration });
   app.listen(4000, (event) => {
     // do something
@@ -1000,14 +1059,14 @@
 - 5c5057fc: feat: node api new structure based on promise
 
   ```js
-  import { runServer } from '@verdaccio/node-api';
+  import { runServer } from "@verdaccio/node-api";
   // or
-  import { runServer } from 'verdaccio';
+  import { runServer } from "verdaccio";
 
   const app = await runServer(); // default configuration
-  const app = await runServer('./config/config.yaml');
+  const app = await runServer("./config/config.yaml");
   const app = await runServer({ configuration });
-  app.listen(4000, event => {
+  app.listen(4000, (event) => {
     // do something
   });
   ```

packages/config/jest.config.js

@@ -3,8 +3,7 @@ const config = require('../../jest/config');
 module.exports = Object.assign({}, config, {
   coverageThreshold: {
     global: {
-      // FIXME: increase to 90
-      lines: 85,
+      lines: 90,
     },
   },
 });

packages/config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/config",
-  "version": "7.0.0-next.4",
+  "version": "7.0.0-next-7.11",
   "description": "logger",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,8 +38,8 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next.4",
-    "@verdaccio/utils": "workspace:7.0.0-next.4",
+    "@verdaccio/core": "workspace:7.0.0-next-7.11",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.11",
     "debug": "4.3.4",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",
@@ -48,7 +48,7 @@
   },
   "devDependencies": {
     "@types/minimatch": "5.1.2",
-    "@types/yup": "0.29.14"
+    "@types/yup": "0.32.0"
   },
   "funding": {
     "type": "opencollective",

packages/config/src/config.ts

@@ -63,6 +63,10 @@ class Config implements AppConfig {
   private configOptions: { forceEnhancedLegacySignature: boolean };
   public constructor(
     config: ConfigYaml & { config_path: string },
+    // forceEnhancedLegacySignature is a property that
+    // allows switch a new legacy aes signature token signature
+    // for older versions do not want to have this new signature model
+    // this property must be false
     configOptions = { forceEnhancedLegacySignature: true }
   ) {
     const self = this;
@@ -131,6 +135,16 @@ class Config implements AppConfig {
     }
   }
 
+  public getEnhancedLegacySignature() {
+    if (typeof this?.security.enhancedLegacySignature !== 'undefined') {
+      if (this.security.enhancedLegacySignature === true) {
+        return true;
+      }
+      return false;
+    }
+    return this.configOptions.forceEnhancedLegacySignature;
+  }
+
   public getConfigPath() {
     return this.configPath;
   }
@@ -156,24 +170,23 @@ class Config implements AppConfig {
     }
     // generate a new a secret key
     // FUTURE: this might be an external secret key, perhaps within config file?
-    debug('generate a new key');
-    //
-    if (this.configOptions.forceEnhancedLegacySignature) {
+    debug('generating a new secret key');
+
+    if (this.getEnhancedLegacySignature()) {
+      debug('key generated with "enhanced" legacy signature user config');
       this.secret = generateRandomSecretKey();
     } else {
-      this.secret =
-        this.security.enhancedLegacySignature === true
-          ? generateRandomSecretKey()
-          : generateRandomHexString(32);
-      // set this to false allow use old token signature and is not recommended
-      // only use for migration reasons, major release will remove this property and
-      // set it by default
-      if (this.security.enhancedLegacySignature === false) {
-        warningUtils.emit(Codes.VERWAR005);
-      }
+      debug('key generated with legacy signature user config');
+      this.secret = generateRandomHexString(32);
+    }
+    // set this to false allow use old token signature and is not recommended
+    // only use for migration reasons, major release will remove this property and
+    // set it by default
+    if (this.security?.enhancedLegacySignature === false) {
+      warningUtils.emit(Codes.VERWAR005);
     }
 
-    debug('generated a new secret key %s', this.secret?.length);
+    debug('generated a new secret key length %s', this.secret?.length);
     return this.secret;
   }
 }

packages/config/src/package-access.ts

@@ -1,9 +1,12 @@
 import assert from 'assert';
+import buildDebug from 'debug';
 import _ from 'lodash';
 
 import { errorUtils } from '@verdaccio/core';
 import { PackageAccess } from '@verdaccio/types';
 
+const debug = buildDebug('verdaccio:config:utils');
+
 export interface LegacyPackageList {
   [key: string]: PackageAccess;
 }
@@ -27,7 +30,7 @@ export const PACKAGE_ACCESS = {
 
 export function normalizeUserList(groupsList: any): any {
   const result: any[] = [];
-  if (_.isNil(groupsList)) {
+  if (_.isNil(groupsList) || _.isEmpty(groupsList)) {
     return result;
   }
 
@@ -61,6 +64,7 @@ export function normalisePackageAccess(packages: LegacyPackageList): LegacyPacka
   for (const pkg in packages) {
     if (Object.prototype.hasOwnProperty.call(packages, pkg)) {
       const packageAccess = packages[pkg];
+      debug('package access %s for %s ', packageAccess, pkg);
       const isInvalid = _.isObject(packageAccess) && _.isArray(packageAccess) === false;
       assert(isInvalid, `CONFIG: bad "'${pkg}'" package description (object expected)`);
 

packages/config/test/agent.spec.ts

@@ -0,0 +1,42 @@
+import { getUserAgent } from '../src';
+
+describe('getUserAgent', () => {
+  test('should return custom user agent when customUserAgent is true', () => {
+    const customUserAgent = true;
+    const version = '1.0.0';
+    const name = 'MyAgent';
+
+    const result = getUserAgent(customUserAgent, version, name);
+
+    expect(result).toBe('MyAgent/1.0.0');
+  });
+
+  test('should return custom user agent when customUserAgent is a non-empty string', () => {
+    const customUserAgent = 'CustomAgent/1.0.0';
+    const version = '1.0.0';
+    const name = 'MyAgent';
+
+    const result = getUserAgent(customUserAgent, version, name);
+
+    expect(result).toBe('CustomAgent/1.0.0');
+  });
+
+  test('should return "hidden" when customUserAgent is false', () => {
+    const customUserAgent = false;
+    const version = '1.0.0';
+    const name = 'MyAgent';
+
+    const result = getUserAgent(customUserAgent, version, name);
+
+    expect(result).toBe('hidden');
+  });
+
+  test('should return default user agent when customUserAgent is undefined', () => {
+    const version = '1.0.0';
+    const name = 'MyAgent';
+
+    const result = getUserAgent(undefined, version, name);
+
+    expect(result).toBe('MyAgent/1.0.0');
+  });
+});

packages/config/test/builder.spec.ts

@@ -13,6 +13,7 @@ describe('Config builder', () => {
         proxy: 'some',
       })
       .addLogger({ level: 'info', type: 'stdout', format: 'json' })
+      .addAuth({ htpasswd: { file: '.htpasswd' } })
       .addStorage('/tmp/verdaccio')
       .addSecurity({ api: { legacy: true } });
     expect(config.getConfig()).toEqual({
@@ -21,6 +22,11 @@ describe('Config builder', () => {
           legacy: true,
         },
       },
+      auth: {
+        htpasswd: {
+          file: '.htpasswd',
+        },
+      },
       storage: '/tmp/verdaccio',
       packages: {
         'upstream/*': {

packages/config/test/config.spec.ts

@@ -106,6 +106,20 @@ describe('checkSecretKey', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
     expect(typeof config.checkSecretKey('') === 'string').toBeTruthy();
   });
+
+  test('with enhanced legacy signature', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')));
+    config.security.enhancedLegacySignature = true;
+    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
+    expect(config.secret.length).toBe(32);
+  });
+
+  test('without enhanced legacy signature', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')));
+    config.security.enhancedLegacySignature = false;
+    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
+    expect(config.secret.length).toBe(64);
+  });
 });
 
 describe('getMatchedPackagesSpec', () => {
@@ -159,3 +173,18 @@ describe('VERDACCIO_STORAGE_PATH', () => {
     delete process.env.VERDACCIO_STORAGE_PATH;
   });
 });
+
+describe('configPath', () => {
+  test('should set configPath in config', () => {
+    const defaultConfig = parseConfigFile(resolveConf('default'));
+    const config = new Config(defaultConfig);
+    expect(config.getConfigPath()).toBe(path.join(__dirname, '../src/conf/default.yaml'));
+  });
+
+  test('should throw an error if configPath is not provided', () => {
+    const defaultConfig = parseConfigFile(resolveConf('default'));
+    defaultConfig.configPath = '';
+    defaultConfig.config_path = '';
+    expect(() => new Config(defaultConfig)).toThrow('configPath property is required');
+  });
+});

packages/config/test/package-access.spec.ts

@@ -1,7 +1,7 @@
 import _ from 'lodash';
 
 import { parseConfigFile } from '../src';
-import { PACKAGE_ACCESS, normalisePackageAccess } from '../src/package-access';
+import { PACKAGE_ACCESS, normalisePackageAccess, normalizeUserList } from '../src/package-access';
 import { parseConfigurationFile } from './utils';
 
 describe('Package access utilities', () => {
@@ -123,4 +123,30 @@ describe('Package access utilities', () => {
       expect(_.isArray(all.publish)).toBeTruthy();
     });
   });
+  describe('normaliseUserList', () => {
+    test('should normalize user list', () => {
+      const groupsList = 'admin superadmin';
+      const result = normalizeUserList(groupsList);
+      expect(result).toEqual(['admin', 'superadmin']);
+    });
+
+    test('should normalize empty user list', () => {
+      const groupsList = '';
+      const result = normalizeUserList(groupsList);
+      expect(result).toEqual([]);
+    });
+
+    test('should normalize user list array', () => {
+      const groupsList = ['admin', 'superadmin'];
+      const result = normalizeUserList(groupsList);
+      expect(result).toEqual(['admin', 'superadmin']);
+    });
+
+    test('should throw error for invalid user list', () => {
+      const groupsList = { group: 'admin' };
+      expect(() => {
+        normalizeUserList(groupsList);
+      }).toThrow('CONFIG: bad package acl (array or string expected): {"group":"admin"}');
+    });
+  });
 });

packages/core/core/CHANGELOG.md

@@ -1,5 +1,23 @@
 # @verdaccio/core
 
+## 7.0.0-next-7.11
+
+## 7.0.0-next-7.10
+
+## 7.0.0-next-7.9
+
+## 7.0.0-next-7.8
+
+## 7.0.0-next-7.7
+
+## 7.0.0-next.6
+
+## 7.0.0-next.5
+
+### Minor Changes
+
+- f047cc8: refactor: auth with legacy sign support
+
 ## 7.0.0-next.4
 
 ## 7.0.0-next.3

packages/core/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/core",
-  "version": "7.0.0-next.4",
+  "version": "7.0.0-next-7.11",
   "description": "core utilities",
   "keywords": [
     "private",
@@ -34,17 +34,17 @@
   },
   "dependencies": {
     "http-errors": "2.0.0",
-    "http-status-codes": "2.2.0",
-    "semver": "7.5.4",
+    "http-status-codes": "2.3.0",
+    "semver": "7.6.0",
     "ajv": "8.12.0",
     "process-warning": "1.0.0",
-    "core-js": "3.30.2"
+    "core-js": "3.35.0"
   },
   "devDependencies": {
     "lodash": "4.17.21",
     "typedoc": "0.23.25",
     "typedoc-plugin-missing-exports": "latest",
-    "@verdaccio/types": "workspace:12.0.0-next.1"
+    "@verdaccio/types": "workspace:12.0.0-next.2"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/core/src/warning-utils.ts

@@ -12,6 +12,7 @@ export enum Codes {
   VERWAR005 = 'VERWAR005',
   // deprecation warnings
   VERDEP003 = 'VERDEP003',
+  VERWAR006 = 'VERWAR006',
 }
 
 warningInstance.create(
@@ -52,6 +53,12 @@ warningInstance.create(
   'multiple addresses will be deprecated in the next major, only use one'
 );
 
+warningInstance.create(
+  verdaccioDeprecation,
+  Codes.VERWAR006,
+  'the auth plugin method "add_user" in the auth plugin is deprecated and will be removed in next major release, rename to "adduser"'
+);
+
 export function emit(code: string, a?: string, b?: string, c?: string) {
   warningInstance.emit(code, a, b, c);
 }

packages/core/file-locking/package.json

@@ -39,7 +39,7 @@
     "lockfile": "1.0.4"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.1"
+    "@verdaccio/types": "workspace:12.0.0-next.2"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/tarball/CHANGELOG.md

@@ -1,5 +1,64 @@
 # Change Log
 
+## 12.0.0-next-7.11
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.11
+- @verdaccio/url@12.0.0-next-7.11
+- @verdaccio/utils@7.0.0-next-7.11
+
+## 12.0.0-next-7.10
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.10
+- @verdaccio/url@12.0.0-next-7.10
+- @verdaccio/utils@7.0.0-next-7.10
+
+## 12.0.0-next-7.9
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.9
+- @verdaccio/url@12.0.0-next-7.9
+- @verdaccio/utils@7.0.0-next-7.9
+
+## 12.0.0-next-7.8
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.8
+- @verdaccio/url@12.0.0-next-7.8
+- @verdaccio/utils@7.0.0-next-7.8
+
+## 12.0.0-next-7.7
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.7
+- @verdaccio/url@12.0.0-next-7.7
+- @verdaccio/utils@7.0.0-next-7.7
+
+## 12.0.0-next.6
+
+### Patch Changes
+
+- e14b064: - Fixes polynomial regular expression when determining the file name of tarball
+  - Add tests for extracting tarball name
+  - @verdaccio/core@7.0.0-next.6
+  - @verdaccio/url@12.0.0-next.6
+  - @verdaccio/utils@7.0.0-next.6
+
+## 12.0.0-next.5
+
+### Patch Changes
+
+- Updated dependencies [f047cc8]
+  - @verdaccio/core@7.0.0-next.5
+  - @verdaccio/url@12.0.0-next.5
+  - @verdaccio/utils@7.0.0-next.5
+
 ## 12.0.0-next.4
 
 ### Patch Changes

packages/core/tarball/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/tarball",
-  "version": "12.0.0-next.4",
+  "version": "12.0.0-next-7.11",
   "description": "tarball utilities resolver",
   "keywords": [
     "private",
@@ -34,14 +34,14 @@
   },
   "dependencies": {
     "debug": "4.3.4",
-    "@verdaccio/core": "workspace:7.0.0-next.4",
-    "@verdaccio/url": "workspace:12.0.0-next.4",
-    "@verdaccio/utils": "workspace:7.0.0-next.4",
+    "@verdaccio/core": "workspace:7.0.0-next-7.11",
+    "@verdaccio/url": "workspace:12.0.0-next-7.11",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.11",
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.1",
-    "node-mocks-http": "1.13.0"
+    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "node-mocks-http": "1.14.1"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/tarball/src/index.ts

@@ -4,6 +4,6 @@ export {
   convertDistRemoteToLocalTarballUrls,
   convertDistVersionToLocalTarballsUrl,
 } from './convertDistRemoteToLocalTarballUrls';
-export { getLocalRegistryTarballUri } from './getLocalRegistryTarballUri';
+export { extractTarballFromUrl, getLocalRegistryTarballUri } from './getLocalRegistryTarballUri';
 
 export { RequestOptions };

packages/core/tarball/tests/getLocalRegistryTarballUri.spec.ts

@@ -0,0 +1,36 @@
+import { extractTarballFromUrl } from '../src';
+
+describe('extractTarballFromUrl', () => {
+  const metadata: any = {
+    name: 'npm_test',
+    versions: {
+      '1.0.0': {
+        dist: {
+          tarball: 'http://registry.org/npm_test/-/npm_test-1.0.0.tgz',
+        },
+      },
+      '1.0.1': {
+        dist: {
+          tarball: 'npm_test-1.0.1.tgz',
+        },
+      },
+      '1.0.2': {
+        dist: {
+          tarball: 'https://localhost/npm_test-1.0.2.tgz',
+        },
+      },
+    },
+  };
+
+  test('should return only name of tarball', () => {
+    expect(extractTarballFromUrl(metadata.versions['1.0.0'].dist.tarball)).toEqual(
+      'npm_test-1.0.0.tgz'
+    );
+    expect(extractTarballFromUrl(metadata.versions['1.0.1'].dist.tarball)).toEqual(
+      'npm_test-1.0.1.tgz'
+    );
+    expect(extractTarballFromUrl(metadata.versions['1.0.2'].dist.tarball)).toEqual(
+      'npm_test-1.0.2.tgz'
+    );
+  });
+});

packages/core/types/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log
 
+## 12.0.0-next.2
+
+### Minor Changes
+
+- f047cc8: refactor: auth with legacy sign support
+
 ## 12.0.0-next.1
 
 ### Major Changes
@@ -211,12 +217,12 @@
 - 8f43bf17d: feat: node api new structure based on promise
 
   ```js
-  import { runServer } from '@verdaccio/node-api';
+  import { runServer } from "@verdaccio/node-api";
   // or
-  import { runServer } from 'verdaccio';
+  import { runServer } from "verdaccio";
 
   const app = await runServer(); // default configuration
-  const app = await runServer('./config/config.yaml');
+  const app = await runServer("./config/config.yaml");
   const app = await runServer({ configuration });
   app.listen(4000, (event) => {
     // do something
@@ -808,14 +814,14 @@
 - 5c5057fc: feat: node api new structure based on promise
 
   ```js
-  import { runServer } from '@verdaccio/node-api';
+  import { runServer } from "@verdaccio/node-api";
   // or
-  import { runServer } from 'verdaccio';
+  import { runServer } from "verdaccio";
 
   const app = await runServer(); // default configuration
-  const app = await runServer('./config/config.yaml');
+  const app = await runServer("./config/config.yaml");
   const app = await runServer({ configuration });
-  app.listen(4000, event => {
+  app.listen(4000, (event) => {
     // do something
   });
   ```

packages/core/types/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/types",
-  "version": "12.0.0-next.1",
+  "version": "12.0.0-next.2",
   "description": "verdaccio types definitions",
   "keywords": [
     "private",

packages/core/types/src/configuration.ts

@@ -296,7 +296,7 @@ export interface Config extends Omit<ConfigYaml, 'packages' | 'security' | 'conf
   // security object defaults is added by the config file but optional in the yaml file
   security: Security;
   // @deprecated (pending adding the replacement)
-  checkSecretKey(token: string): string;
+  checkSecretKey(token: string | void): string;
   getMatchedPackagesSpec(storage: string): PackageAccess | void;
   // TODO: verify how to handle this in the future
   [key: string]: any;

packages/core/url/CHANGELOG.md

@@ -1,5 +1,52 @@
 # Change Log
 
+## 12.0.0-next-7.11
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.11
+
+## 12.0.0-next-7.10
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.10
+
+## 12.0.0-next-7.9
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.9
+
+## 12.0.0-next-7.8
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.8
+
+## 12.0.0-next-7.7
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next-7.7
+
+## 12.0.0-next.6
+
+### Patch Changes
+
+- @verdaccio/core@7.0.0-next.6
+
+## 12.0.0-next.5
+
+### Minor Changes
+
+- f047cc8: refactor: auth with legacy sign support
+
+### Patch Changes
+
+- Updated dependencies [f047cc8]
+  - @verdaccio/core@7.0.0-next.5
+
 ## 12.0.0-next.4
 
 ### Patch Changes