chore: update versions (next-7) (#4624)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.changeset/poor-seals-turn.md

@@ -0,0 +1,6 @@
+---
+'@verdaccio/tarball': patch
+'@verdaccio/store': patch
+---
+
+revert #4600

.changeset/pre.json

@@ -74,6 +74,7 @@
     "perfect-chairs-act",
     "pink-apples-nail",
     "pink-balloons-leave",
+    "poor-seals-turn",
     "quick-buses-scream",
     "real-socks-vanish",
     "sharp-wolves-carry",
@@ -87,6 +88,7 @@
     "thirty-toes-swim",
     "unlucky-cycles-sparkle",
     "weak-fans-explain",
+    "wet-balloons-give",
     "wicked-kiwis-check",
     "wicked-worms-wash",
     "wild-otters-talk",

.changeset/wet-balloons-give.md

@@ -0,0 +1,10 @@
+---
+'@verdaccio/types': minor
+'@verdaccio/core': minor
+'@verdaccio/signature': minor
+'@verdaccio/node-api': minor
+'@verdaccio/config': minor
+'@verdaccio/auth': minor
+---
+
+feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property

.github/workflows/ci.yml

@@ -108,7 +108,7 @@ jobs:
       fail-fast: true
       matrix:
         os: [ubuntu-latest]
-        node_version: [18, 20, 21]
+        node_version: [18, 20, 21, 22]
     name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/codeql-analysis.yml

@@ -34,7 +34,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c7f9125735019aa87cfc361530512d50ea439c71 # v2
+        uses: github/codeql-action/init@ceaec5c11a131e0d282ff3b6f095917d234caace # v2
 
       # Override language selection by uncommenting this and choosing your languages
       # with:
@@ -42,7 +42,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@c7f9125735019aa87cfc361530512d50ea439c71 # v2
+        uses: github/codeql-action/autobuild@ceaec5c11a131e0d282ff3b6f095917d234caace # v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -56,4 +56,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c7f9125735019aa87cfc361530512d50ea439c71 # v2
+        uses: github/codeql-action/analyze@ceaec5c11a131e0d282ff3b6f095917d234caace # v2

.github/workflows/website.yml

@@ -2,8 +2,6 @@ name: Verdaccio Website CI
 
 on:
   workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * *' 
 
 permissions:
   contents: read  #  to fetch code (actions/checkout)
@@ -69,6 +67,7 @@ jobs:
           CONTEXT: production
         run: pnpm --filter @verdaccio/website netlify:build
       - name: Deploy to Netlify
+        if: (github.event_name == 'push' && github.ref == 'refs/heads/master') || github.event_name == 'workflow_dispatch'
         env:
           NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}

docs/env.variables.md

@@ -5,12 +5,13 @@ internal features.
 
 #### VERDACCIO_LEGACY_ALGORITHM
 
-Allows to define the specific algorithm for the token
-signature which by default is `aes-256-ctr`
+Allows to define the specific algorithm for the token signature which by default is `aes-256-ctr`. The algorithm must be supported by `crypto.createCipheriv` and `crypto.createDecipheriv`.
+Read more here: https://nodejs.org/api/crypto.html#crypto_crypto_createcipheriv_algorithm_key_iv_options
 
 #### VERDACCIO_LEGACY_ENCRYPTION_KEY
 
-By default, the token stores in the database, but using this variable allows to get it from memory
+By default, the token stores in the database, but using this variable allows to get it from memory, the length must be 32 characters otherwise will throw an error.
+Read more here: https://nodejs.org/api/crypto.html#crypto_crypto_createcipheriv_algorithm_key_iv_options
 
 #### VERDACCIO_PUBLIC_URL
 

e2e/cli/cli-commons/package.json

@@ -5,16 +5,16 @@
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
   "devDependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "debug": "4.3.4",
     "fs-extra": "11.2.0",
     "get-port": "5.1.1",
     "got": "11.8.6",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",
-    "verdaccio": "workspace:7.0.0-next-7.14"
+    "verdaccio": "workspace:7.0.0-next-7.15"
   },
   "scripts": {
     "test": "jest",

e2e/ui/package.json

@@ -3,9 +3,9 @@
   "name": "@verdaccio/e2e-ui",
   "version": "2.0.0",
   "devDependencies": {
-    "verdaccio": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
+    "verdaccio": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
     "debug": "4.3.4",
     "cypress": "^13.6.0",

packages/api/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @verdaccio/api
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [7400830]
+- Updated dependencies [bd8703e]
+  - @verdaccio/store@7.0.0-next-7.15
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/auth@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/middleware@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/api",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,13 +38,13 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.14",
-    "@verdaccio/store": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.15",
+    "@verdaccio/store": "workspace:7.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "abortcontroller-polyfill": "1.7.5",
     "body-parser": "1.20.2",
     "cookies": "0.9.0",
@@ -56,7 +56,7 @@
   },
   "devDependencies": {
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "mockdate": "3.0.5",
     "nock": "13.5.1",
     "supertest": "6.3.4"

packages/auth/CHANGELOG.md

@@ -1,5 +1,22 @@
 # @verdaccio/auth
 
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/signature@7.0.0-next-7.5
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/loaders@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - verdaccio-htpasswd@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/auth",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,21 +38,21 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/loaders": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/signature": "workspace:7.0.0-next-7.4",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/loaders": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/signature": "workspace:7.0.0-next-7.5",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "debug": "4.3.4",
     "lodash": "4.17.21",
-    "verdaccio-htpasswd": "workspace:12.0.0-next-7.14"
+    "verdaccio-htpasswd": "workspace:12.0.0-next-7.15"
   },
   "devDependencies": {
     "express": "4.18.3",
     "supertest": "6.3.4",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/auth/src/auth.ts

@@ -13,7 +13,6 @@ import {
   pluginUtils,
   warningUtils,
 } from '@verdaccio/core';
-import '@verdaccio/core';
 import { asyncLoadPlugin } from '@verdaccio/loaders';
 import { logger } from '@verdaccio/logger';
 import {
@@ -21,6 +20,7 @@ import {
   aesEncryptDeprecated,
   parseBasicPayload,
   signPayload,
+  utils as signatureUtils,
 } from '@verdaccio/signature';
 import {
   AllowAccess,
@@ -481,14 +481,9 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
     next: Function
   ): void {
     debug('handle legacy api middleware');
-    debug('api middleware secret %o', typeof secret === 'string');
+    debug('api middleware has a secret? %o', typeof secret === 'string');
     debug('api middleware authorization %o', typeof authorization === 'string');
-    const credentials: any = getMiddlewareCredentials(
-      security,
-      secret,
-      authorization,
-      this.config?.getEnhancedLegacySignature()
-    );
+    const credentials: any = getMiddlewareCredentials(security, secret, authorization);
     debug('api middleware credentials %o', credentials?.name);
     if (credentials) {
       const { user, password } = credentials;
@@ -588,13 +583,12 @@ class Auth implements IAuthMiddleware, TokenEncryption, pluginUtils.IBasicAuth {
    * Encrypt a string.
    */
   public aesEncrypt(value: string): string | void {
-    // enhancedLegacySignature enables modern aes192 algorithm signature
-    if (this.config?.getEnhancedLegacySignature()) {
-      debug('signing with enhaced aes legacy');
+    if (this.secret.length === signatureUtils.TOKEN_VALID_LENGTH) {
+      debug('signing with enhanced aes legacy');
       const token = aesEncrypt(value, this.secret);
       return token;
     } else {
-      debug('signing with enhaced aes deprecated legacy');
+      debug('signing with enhanced aes deprecated legacy');
       // deprecated aes (legacy) signature, only must be used for legacy version
       const token = aesEncryptDeprecated(Buffer.from(value), this.secret).toString('base64');
       return token;

packages/auth/src/signature.ts

@@ -1,66 +0,0 @@
-import buildDebug from 'debug';
-import _ from 'lodash';
-
-import { TOKEN_BASIC, TOKEN_BEARER } from '@verdaccio/core';
-import { aesDecrypt, parseBasicPayload } from '@verdaccio/signature';
-import { Security } from '@verdaccio/types';
-
-import { AuthMiddlewarePayload } from './types';
-import {
-  convertPayloadToBase64,
-  isAESLegacy,
-  parseAuthTokenHeader,
-  verifyJWTPayload,
-} from './utils';
-
-const debug = buildDebug('verdaccio:auth:utils');
-
-export function parseAESCredentials(authorizationHeader: string, secret: string) {
-  debug('parseAESCredentials');
-  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
-
-  // basic is deprecated and should not be enforced
-  // basic is currently being used for functional test
-  if (scheme.toUpperCase() === TOKEN_BASIC.toUpperCase()) {
-    debug('legacy header basic');
-    const credentials = convertPayloadToBase64(token).toString();
-
-    return credentials;
-  } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
-    debug('legacy header bearer');
-    const credentials = aesDecrypt(token, secret);
-
-    return credentials;
-  }
-}
-
-export function getMiddlewareCredentials(
-  security: Security,
-  secretKey: string,
-  authorizationHeader: string
-): AuthMiddlewarePayload {
-  debug('getMiddlewareCredentials');
-  // comment out for debugging purposes
-  if (isAESLegacy(security)) {
-    debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey);
-    if (!credentials) {
-      debug('parse legacy credentials failed');
-      return;
-    }
-
-    const parsedCredentials = parseBasicPayload(credentials);
-    if (!parsedCredentials) {
-      debug('parse legacy basic payload credentials failed');
-      return;
-    }
-
-    return parsedCredentials;
-  }
-  const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
-
-  debug('is jwt');
-  if (_.isString(token) && scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
-    return verifyJWTPayload(token, secretKey);
-  }
-}

packages/auth/src/utils.ts

@@ -40,12 +40,8 @@ export function parseAuthTokenHeader(authorizationHeader: string): AuthTokenHead
   return { scheme, token };
 }
 
-export function parseAESCredentials(
-  authorizationHeader: string,
-  secret: string,
-  enhanced: boolean
-) {
-  debug('parseAESCredentials');
+export function parseAESCredentials(authorizationHeader: string, secret: string) {
+  debug('parseAESCredentials init');
   const { scheme, token } = parseAuthTokenHeader(authorizationHeader);
 
   // basic is deprecated and should not be enforced
@@ -57,27 +53,29 @@ export function parseAESCredentials(
     return credentials;
   } else if (scheme.toUpperCase() === TOKEN_BEARER.toUpperCase()) {
     debug('legacy header bearer');
-    debug('legacy header enhanced?', enhanced);
-    const credentials = enhanced
-      ? aesDecrypt(token.toString(), secret)
-      : // FUTURE: once deprecated legacy is removed this logic won't be longer need it
-        aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
-
-    return credentials;
+    debug('secret length %o', secret.length);
+    const isLegacyUnsecure = secret.length > 32;
+    debug('is legacy unsecure %o', isLegacyUnsecure);
+    if (isLegacyUnsecure) {
+      debug('legacy unsecure enabled');
+      return aesDecryptDeprecated(convertPayloadToBase64(token), secret).toString('utf-8');
+    } else {
+      debug('legacy secure enabled');
+      return aesDecrypt(token.toString(), secret);
+    }
   }
 }
 
 export function getMiddlewareCredentials(
   security: Security,
   secretKey: string,
-  authorizationHeader: string,
-  enhanced: boolean = true
+  authorizationHeader: string
 ): AuthMiddlewarePayload {
-  debug('getMiddlewareCredentials');
+  debug('getMiddlewareCredentials init');
   // comment out for debugging purposes
   if (isAESLegacy(security)) {
     debug('is legacy');
-    const credentials = parseAESCredentials(authorizationHeader, secretKey, enhanced);
+    const credentials = parseAESCredentials(authorizationHeader, secretKey);
     if (!credentials) {
       debug('parse legacy credentials failed');
       return;

packages/auth/test/auth.spec.ts

@@ -601,16 +601,14 @@ describe('AuthTest', () => {
           });
         });
 
-        describe('deprecated legacy handling forceEnhancedLegacySignature=false', () => {
+        describe('deprecated legacy handling', () => {
           test('should handle valid auth token', async () => {
             const payload = 'juan:password';
             // const token = await signPayload(remoteUser, '12345');
-            const config: Config = new AppConfig(
-              { ...authProfileConf },
-              { forceEnhancedLegacySignature: false }
-            );
+            const config: Config = new AppConfig({ ...authProfileConf });
             // intended to force key generator (associated with mocks above)
-            config.checkSecretKey(undefined);
+            // 64 characters secret long
+            config.checkSecretKey('35fabdd29b820d39125e76e6d85cc294');
             const auth = new Auth(config);
             await auth.init();
             const token = auth.aesEncrypt(payload) as string;
@@ -624,10 +622,7 @@ describe('AuthTest', () => {
 
           test('should handle invalid auth token', async () => {
             const payload = 'juan:password';
-            const config: Config = new AppConfig(
-              { ...authPluginFailureConf },
-              { forceEnhancedLegacySignature: false }
-            );
+            const config: Config = new AppConfig({ ...authPluginFailureConf });
             // intended to force key generator (associated with mocks above)
             config.checkSecretKey(undefined);
             const auth = new Auth(config);
@@ -691,8 +686,7 @@ describe('AuthTest', () => {
               {
                 ...authProfileConf,
                 ...{ security: { api: { jwt: { sign: { expiresIn: '29d' } } } } },
-              },
-              { forceEnhancedLegacySignature: false }
+              }
             );
             // intended to force key generator (associated with mocks above)
             config.checkSecretKey(undefined);
@@ -700,7 +694,6 @@ describe('AuthTest', () => {
             await auth.init();
             const token = (await auth.jwtEncrypt(
               createRemoteUser('jwt_user', [ROLES.ALL]),
-              // @ts-expect-error
               config.security.api.jwt.sign
             )) as string;
             const app = await getServer(auth);

packages/cli/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @verdaccio/cli
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/node-api@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/cli",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "author": {
     "name": "Juan Picado",
     "email": "juanpicado19@gmail.com"
@@ -43,10 +43,10 @@
     "start": "ts-node src/index.ts"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/node-api": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/node-api": "workspace:7.0.0-next-7.15",
     "clipanion": "3.2.1",
     "envinfo": "7.11.0",
     "kleur": "4.1.5",

packages/config/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @verdaccio/config
 
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/config",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "logger",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,8 +38,8 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "debug": "4.3.4",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",

packages/config/src/config.ts

@@ -36,6 +36,13 @@ export const defaultUserRateLimiting = {
   max: 1000,
 };
 
+export function isNodeVersionGreaterThan21() {
+  const [major, minor] = process.versions.node.split('.').map(Number);
+  return major > 21 || (major === 21 && minor >= 0);
+}
+
+const TOKEN_VALID_LENGTH = 32;
+
 /**
  * Coordinates the application configuration
  */
@@ -56,21 +63,20 @@ class Config implements AppConfig {
   public plugins: string | void | null;
   public security: Security;
   public serverSettings: ServerSettingsConf;
+  private configOverrideOptions: { forceMigrateToSecureLegacySignature: boolean };
   // @ts-ignore
   public secret: string;
   public flags: FlagsConfig;
   public userRateLimit: RateLimit;
-  private configOptions: { forceEnhancedLegacySignature: boolean };
   public constructor(
     config: ConfigYaml & { config_path: string },
     // forceEnhancedLegacySignature is a property that
     // allows switch a new legacy aes signature token signature
     // for older versions do not want to have this new signature model
     // this property must be false
-    configOptions = { forceEnhancedLegacySignature: true }
+    configOverrideOptions = { forceMigrateToSecureLegacySignature: true }
   ) {
     const self = this;
-    this.configOptions = configOptions;
     this.storage = process.env.VERDACCIO_STORAGE_PATH || config.storage;
     if (!config.configPath) {
       // backport self_path for previous to version 6
@@ -80,11 +86,21 @@ class Config implements AppConfig {
         throw new Error('configPath property is required');
       }
     }
+    this.configOverrideOptions = configOverrideOptions;
     this.configPath = config.configPath;
     this.self_path = this.configPath;
     debug('config path: %s', this.configPath);
     this.plugins = config.plugins;
-    this.security = _.merge(defaultSecurity, config.security);
+    this.security = _.merge(
+      // override the default security configuration via constructor
+      _.merge(defaultSecurity, {
+        api: {
+          migrateToSecureLegacySignature:
+            this.configOverrideOptions.forceMigrateToSecureLegacySignature,
+        },
+      }),
+      config.security
+    );
     this.serverSettings = serverSettings;
     this.flags = {
       searchRemote: config.flags?.searchRemote ?? true,
@@ -135,14 +151,8 @@ class Config implements AppConfig {
     }
   }
 
-  public getEnhancedLegacySignature() {
-    if (typeof this?.security.enhancedLegacySignature !== 'undefined') {
-      if (this.security.enhancedLegacySignature === true) {
-        return true;
-      }
-      return false;
-    }
-    return this.configOptions.forceEnhancedLegacySignature;
+  public getMigrateToSecureLegacySignature() {
+    return this.security.api.migrateToSecureLegacySignature;
   }
 
   public getConfigPath() {
@@ -158,36 +168,70 @@ class Config implements AppConfig {
   }
 
   /**
-   * Store or create whether receive a secret key
+   * Verify if the secret complies with the required structure
+   *  - If the secret is not provided, it will generate a new one
+   *    - For any Node.js version the new secret will be 32 characters long (to allow compatibility with modern Node.js versions)
+   *  - If the secret is provided:
+   *    - If Node.js 22 or higher, the secret must be 32 characters long thus the application will fail on startup
+   *    - If Node.js 21 or lower, the secret will be used as is but will display a deprecation warning
+   *    - If the property `security.api.migrateToSecureLegacySignature` is provided and set to true, the secret will be
+   *      generated with the new signature model
    * @secret external secret key
    */
   public checkSecretKey(secret?: string): string {
-    debug('check secret key');
+    debug('checking secret key init');
     if (typeof secret === 'string' && _.isEmpty(secret) === false) {
+      debug('checking secret key length %s', secret.length);
+      if (secret.length > TOKEN_VALID_LENGTH) {
+        if (isNodeVersionGreaterThan21()) {
+          debug('is node version greater than 21');
+          if (this.getMigrateToSecureLegacySignature() === true) {
+            this.secret = generateRandomSecretKey();
+            debug('rewriting secret key with length %s', this.secret.length);
+            return this.secret;
+          }
+          // oops, user needs to generate a new secret key
+          debug(
+            'secret does not comply with the required length, current length  %d, application will fail on startup',
+            secret.length
+          );
+          throw new Error(
+            `Invalid storage secret key length, must be 32 characters long but is ${secret.length}. 
+            The secret length in Node.js 22 or higher must be 32 characters long. Please consider generate a new one. 
+            Learn more at https://verdaccio.org/docs/configuration/#.verdaccio-db`
+          );
+        } else {
+          debug('is node version lower than 22');
+          if (this.getMigrateToSecureLegacySignature() === true) {
+            this.secret = generateRandomSecretKey();
+            debug('rewriting secret key with length %s', this.secret.length);
+            return this.secret;
+          }
+          debug('triggering deprecation warning for secret key length %s', secret.length);
+          // still using Node.js versions previous to 22, but we need to emit a deprecation warning
+          // deprecation warning, secret key is too long and must be 32
+          // this will be removed in the next major release and will produce an error
+          warningUtils.emit(Codes.VERWAR007);
+          this.secret = secret;
+          return this.secret;
+        }
+      } else if (secret.length === TOKEN_VALID_LENGTH) {
+        debug('detected valid secret key length %s', secret.length);
+        this.secret = secret;
+        return this.secret;
+      }
+      debug('reusing previous key with length %s', secret.length);
       this.secret = secret;
-      debug('reusing previous key');
-      return secret;
-    }
-    // generate a new a secret key
-    // FUTURE: this might be an external secret key, perhaps within config file?
-    debug('generating a new secret key');
-
-    if (this.getEnhancedLegacySignature()) {
-      debug('key generated with "enhanced" legacy signature user config');
-      this.secret = generateRandomSecretKey();
+      return this.secret;
     } else {
-      debug('key generated with legacy signature user config');
-      this.secret = generateRandomHexString(32);
-    }
-    // set this to false allow use old token signature and is not recommended
-    // only use for migration reasons, major release will remove this property and
-    // set it by default
-    if (this.security?.enhancedLegacySignature === false) {
-      warningUtils.emit(Codes.VERWAR005);
-    }
+      // generate a new a secret key
+      // FUTURE: this might be an external secret key, perhaps within config file?
+      debug('generating a new secret key');
+      this.secret = generateRandomSecretKey();
+      debug('generated a new secret key length %s', this.secret?.length);
 
-    debug('generated a new secret key length %s', this.secret?.length);
-    return this.secret;
+      return this.secret;
+    }
   }
 }
 

packages/config/src/security.ts

@@ -13,6 +13,7 @@ const defaultWebTokenOptions: JWTOptions = {
 
 const defaultApiTokenConf: APITokenOptions = {
   legacy: true,
+  migrateToSecureLegacySignature: true,
 };
 
 export const defaultSecurity: Security = {

packages/config/src/token.ts

@@ -1,9 +1,11 @@
 import { randomBytes } from 'crypto';
 
+// TODO: code duplicated at @verdaccio/signature
 export const TOKEN_VALID_LENGTH = 32;
 
 /**
  * Secret key must have 32 characters.
+ * // TODO: code duplicated at @verdaccio/signature
  */
 export function generateRandomSecretKey(): string {
   return randomBytes(TOKEN_VALID_LENGTH).toString('base64').substring(0, TOKEN_VALID_LENGTH);

packages/config/test/config.spec.ts

@@ -6,9 +6,12 @@ import {
   DEFAULT_REGISTRY,
   DEFAULT_UPLINK,
   ROLES,
+  TOKEN_VALID_LENGTH,
   WEB_TITLE,
   defaultSecurity,
+  generateRandomSecretKey,
   getDefaultConfig,
+  isNodeVersionGreaterThan21,
   parseConfigFile,
 } from '../src';
 import { parseConfigurationFile } from './utils';
@@ -19,6 +22,8 @@ const resolveConf = (conf) => {
   return path.join(__dirname, `../src/conf/${name}${ext.startsWith('.') ? ext : '.yaml'}`);
 };
 
+const itif = (condition) => (condition ? it : it.skip);
+
 const checkDefaultUplink = (config) => {
   expect(_.isObject(config.uplinks[DEFAULT_UPLINK])).toBeTruthy();
   expect(config.uplinks[DEFAULT_UPLINK].url).toMatch(DEFAULT_REGISTRY);
@@ -94,32 +99,85 @@ describe('check basic content parsed file', () => {
 describe('checkSecretKey', () => {
   test('with default.yaml and pre selected secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(config.checkSecretKey('12345')).toEqual('12345');
+    expect(config.checkSecretKey(generateRandomSecretKey())).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
   test('with default.yaml and void secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
+    const secret = config.checkSecretKey();
+    expect(typeof secret === 'string').toBeTruthy();
+    expect(secret).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
-  test('with default.yaml and emtpy string secret', () => {
+  test('with default.yaml and empty string secret', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    expect(typeof config.checkSecretKey('') === 'string').toBeTruthy();
+    const secret = config.checkSecretKey('');
+    expect(typeof secret === 'string').toBeTruthy();
+    expect(secret).toHaveLength(TOKEN_VALID_LENGTH);
   });
 
-  test('with enhanced legacy signature', () => {
+  test('with default.yaml and valid string secret length', () => {
     const config = new Config(parseConfigFile(resolveConf('default')));
-    config.security.enhancedLegacySignature = true;
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
-    expect(config.secret.length).toBe(32);
+    expect(typeof config.checkSecretKey(generateRandomSecretKey()) === 'string').toBeTruthy();
   });
 
-  test('without enhanced legacy signature', () => {
-    const config = new Config(parseConfigFile(resolveConf('default')));
-    config.security.enhancedLegacySignature = false;
-    expect(typeof config.checkSecretKey() === 'string').toBeTruthy();
-    expect(config.secret.length).toBe(64);
+  test('with default.yaml migrate a valid string secret length', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: true,
+    });
+    expect(
+      // 64 characters secret long
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
   });
+
+  // only runs on Node.js 22 or higher
+  itif(isNodeVersionGreaterThan21())('with enhanced legacy signature Node 22 or higher', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: false,
+    });
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(() =>
+      // 64 characters secret long
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toThrow();
+  });
+
+  itif(isNodeVersionGreaterThan21())('with enhanced legacy signature Node 22 or higher', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')), {
+      forceMigrateToSecureLegacySignature: false,
+    });
+    config.security.api.migrateToSecureLegacySignature = true;
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
+  });
+
+  itif(isNodeVersionGreaterThan21() === false)(
+    'with old unsecure legacy signature Node 21 or lower',
+    () => {
+      const config = new Config(parseConfigFile(resolveConf('default')));
+      config.security.api.migrateToSecureLegacySignature = false;
+      // 64 characters secret long
+      // eslint-disable-next-line jest/no-standalone-expect
+      expect(
+        config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+      ).toHaveLength(64);
+    }
+  );
+
+  test('with migration to new legacy signature Node 21 or lower', () => {
+    const config = new Config(parseConfigFile(resolveConf('default')));
+    config.security.api.migrateToSecureLegacySignature = true;
+    // 64 characters secret long
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(
+      config.checkSecretKey('b4982dbb0108531fafb552374d7e83724b6458a2b3ffa97ad0edb899bdaefc4a')
+    ).toHaveLength(TOKEN_VALID_LENGTH);
+  });
+
+  test.todo('test emit warning with secret key');
 });
 
 describe('getMatchedPackagesSpec', () => {

packages/core/core/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @verdaccio/core
 
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
 ## 7.0.0-next-7.14
 
 ## 7.0.0-next-7.13

packages/core/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/core",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "core utilities",
   "keywords": [
     "private",
@@ -44,7 +44,7 @@
     "lodash": "4.17.21",
     "typedoc": "0.23.25",
     "typedoc-plugin-missing-exports": "latest",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/core/src/warning-utils.ts

@@ -9,17 +9,13 @@ export enum Codes {
   VERWAR002 = 'VERWAR002',
   VERWAR003 = 'VERWAR003',
   VERWAR004 = 'VERWAR004',
-  VERWAR005 = 'VERWAR005',
   // deprecation warnings
   VERDEP003 = 'VERDEP003',
   VERWAR006 = 'VERWAR006',
+  VERWAR007 = 'VERWAR007',
 }
 
-warningInstance.create(
-  verdaccioWarning,
-  Codes.VERWAR002,
-  `The configuration property "logs" has been deprecated, please rename to "log" for future compatibility`
-);
+/* general warnings */
 
 warningInstance.create(
   verdaccioWarning,
@@ -27,6 +23,12 @@ warningInstance.create(
   `Verdaccio doesn't need superuser privileges. don't run it under root`
 );
 
+warningInstance.create(
+  verdaccioWarning,
+  Codes.VERWAR002,
+  `The configuration property "logs" has been deprecated, please rename to "log" for future compatibility`
+);
+
 warningInstance.create(
   verdaccioWarning,
   Codes.VERWAR003,
@@ -42,23 +44,26 @@ https://verdaccio.org/docs/en/configuration#listen-port`
 );
 
 warningInstance.create(
-  verdaccioWarning,
-  Codes.VERWAR005,
-  'disable enhanced legacy signature is considered a security risk, please reconsider enable it'
+  verdaccioDeprecation,
+  Codes.VERWAR006,
+  'the auth plugin method "add_user" in the auth plugin is deprecated and will be removed in next major release, rename to "adduser"'
 );
 
+warningInstance.create(
+  verdaccioDeprecation,
+  Codes.VERWAR007,
+  `the secret length is too long, it must be 32 characters long, please consider generate a new one 
+  Learn more at https://verdaccio.org/docs/configuration/#.verdaccio-db`
+);
+
+/* deprecation warnings */
+
 warningInstance.create(
   verdaccioDeprecation,
   Codes.VERDEP003,
   'multiple addresses will be deprecated in the next major, only use one'
 );
 
-warningInstance.create(
-  verdaccioDeprecation,
-  Codes.VERWAR006,
-  'the auth plugin method "add_user" in the auth plugin is deprecated and will be removed in next major release, rename to "adduser"'
-);
-
 export function emit(code: string, a?: string, b?: string, c?: string) {
   warningInstance.emit(code, a, b, c);
 }

packages/core/file-locking/package.json

@@ -39,7 +39,7 @@
     "lockfile": "1.0.4"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/core/tarball/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- 7400830: revert #4600
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/url@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/core/tarball/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/tarball",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.15",
   "description": "tarball utilities resolver",
   "keywords": [
     "private",
@@ -33,16 +33,14 @@
     "access": "public"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/url": "workspace:12.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/url": "workspace:12.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "debug": "4.3.4",
-    "gunzip-maybe": "^1.4.2",
-    "lodash": "4.17.21",
-    "tar-stream": "^3.1.7"
+    "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "node-mocks-http": "1.14.1"
   },
   "scripts": {

packages/core/tarball/src/getTarballDetails.ts

@@ -1,34 +0,0 @@
-import gunzipMaybe from 'gunzip-maybe';
-import { Readable } from 'stream';
-import * as tarStream from 'tar-stream';
-
-export type TarballDetails = {
-  fileCount: number;
-  unpackedSize: number; // in bytes
-};
-
-export async function getTarballDetails(readable: Readable): Promise<TarballDetails> {
-  let fileCount = 0;
-  let unpackedSize = 0;
-
-  const unpack = tarStream.extract();
-
-  return new Promise((resolve, reject) => {
-    readable
-      .pipe(gunzipMaybe())
-      .pipe(unpack)
-      .on('entry', (header, stream, next) => {
-        fileCount++;
-        unpackedSize += Number(header.size);
-        stream.resume(); // important to ensure that "entry" events keep firing
-        next();
-      })
-      .on('finish', () => {
-        resolve({
-          fileCount,
-          unpackedSize,
-        });
-      })
-      .on('error', reject);
-  });
-}

packages/core/tarball/src/index.ts

@@ -5,6 +5,5 @@ export {
   convertDistVersionToLocalTarballsUrl,
 } from './convertDistRemoteToLocalTarballUrls';
 export { extractTarballFromUrl, getLocalRegistryTarballUri } from './getLocalRegistryTarballUri';
-export { TarballDetails, getTarballDetails } from './getTarballDetails';
 
 export { RequestOptions };

packages/core/tarball/tests/getTarballDetails.spec.ts

@@ -1,37 +0,0 @@
-import fs from 'fs';
-import path from 'path';
-import { Readable } from 'stream';
-
-import { getTarballDetails } from '../src/getTarballDetails.ts';
-
-const getFilePath = (filename: string): string => {
-  return path.resolve(__dirname, `assets/${filename}`);
-};
-
-const getFileBuffer = async (filename: string): Promise<Buffer> => {
-  return fs.promises.readFile(getFilePath(filename));
-};
-
-describe('getTarballDetails', () => {
-  test('should return stats of tarball (gzipped)', async () => {
-    const buffer = await getFileBuffer('tarball.tgz');
-    const readable = Readable.from(buffer);
-    const details = await getTarballDetails(readable);
-    expect(details.fileCount).toBe(2);
-    expect(details.unpackedSize).toBe(1280);
-  });
-
-  test('should return stats of tarball (uncompressed)', async () => {
-    const buffer = await getFileBuffer('tarball.tar');
-    const readable = Readable.from(buffer);
-    const details = await getTarballDetails(readable);
-    expect(details.fileCount).toBe(2);
-    expect(details.unpackedSize).toBe(1280);
-  });
-
-  test('should throw an error if the buffer is corrupt', async () => {
-    const corruptBuffer = Buffer.from('this is not a tarball');
-    const readable = Readable.from(corruptBuffer);
-    await expect(getTarballDetails(readable)).rejects.toThrow();
-  });
-});

packages/core/types/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log
 
+## 12.0.0-next-7.3
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
 ## 12.0.0-next.2
 
 ### Minor Changes

packages/core/types/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/types",
-  "version": "12.0.0-next.2",
+  "version": "12.0.0-next-7.3",
   "description": "verdaccio types definitions",
   "keywords": [
     "private",

packages/core/types/src/configuration.ts

@@ -182,11 +182,14 @@ export interface JWTVerifyOptions {
 
 export interface APITokenOptions {
   legacy: boolean;
+  /**
+   * Temporary flag to allow migration to the new legacy signature
+   */
+  migrateToSecureLegacySignature: boolean;
   jwt?: JWTOptions;
 }
 
 export interface Security {
-  enhancedLegacySignature?: boolean;
   web: JWTOptions;
   api: APITokenOptions;
 }

packages/core/url/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/core/url/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/url",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.15",
   "description": "url utilities resolver",
   "keywords": [
     "private",
@@ -33,13 +33,13 @@
     "access": "public"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "debug": "4.3.4",
     "lodash": "4.17.21",
     "validator": "13.11.0"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "node-mocks-http": "1.14.1"
   },
   "scripts": {

packages/hooks/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @verdaccio/hooks
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/hooks/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/hooks",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -29,17 +29,17 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
     "core-js": "3.35.0",
     "debug": "4.3.4",
     "got-cjs": "12.5.4",
     "handlebars": "4.7.8"
   },
   "devDependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "nock": "13.5.1"
   },
   "scripts": {

packages/loaders/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @verdaccio/loaders
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- @verdaccio/logger@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/loaders/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/loaders",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -13,14 +13,14 @@
     "url": "https://github.com/verdaccio/verdaccio"
   },
   "dependencies": {
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
     "debug": "4.3.4",
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "@verdaccio-scope/verdaccio-auth-foo": "0.0.2",
     "verdaccio-auth-memory": "workspace:*",
     "customprefix-auth": "2.0.0-next.0"

packages/logger/logger-7/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @verdaccio/logger-7
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- @verdaccio/logger-commons@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/logger/logger-7/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger-7",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "logger for verdaccio 5.x version",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,11 +38,11 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/logger-commons": "workspace:7.0.0-next-7.14",
+    "@verdaccio/logger-commons": "workspace:7.0.0-next-7.15",
     "pino": "7.11.0"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/logger/logger-commons/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @verdaccio/logger-commons
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/logger/logger-commons/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger-commons",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,14 +38,14 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "@verdaccio/logger-prettify": "workspace:7.0.0-next-7.2",
     "debug": "4.3.4",
     "colorette": "2.0.20"
   },
   "devDependencies": {
     "pino": "7.11.0",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/logger/logger/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @verdaccio/logger
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- @verdaccio/logger-commons@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/logger/logger/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/logger",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "logger",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -38,11 +38,11 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/logger-commons": "workspace:7.0.0-next-7.14",
+    "@verdaccio/logger-commons": "workspace:7.0.0-next-7.15",
     "pino": "8.17.2"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/middleware/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @verdaccio/middleware
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/url@12.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/middleware/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/middleware",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "express middleware utils",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,10 +38,10 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/url": "workspace:12.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/url": "workspace:12.0.0-next-7.15",
     "debug": "4.3.4",
     "lru-cache": "7.18.3",
     "express": "4.18.3",
@@ -54,7 +54,7 @@
     "url": "https://opencollective.com/verdaccio"
   },
   "devDependencies": {
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
     "body-parser": "1.20.2",
     "supertest": "6.3.4"
   }

packages/node-api/CHANGELOG.md

@@ -1,5 +1,20 @@
 # @verdaccio/node-api
 
+## 7.0.0-next-7.15
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/server-fastify@7.0.0-next-7.15
+  - @verdaccio/server@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/node-api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/node-api",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "node API",
   "main": "build/index.js",
   "types": "build/index.d.ts",
@@ -38,17 +38,17 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/server": "workspace:7.0.0-next-7.14",
-    "@verdaccio/server-fastify": "workspace:7.0.0-next-7.14",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/server": "workspace:7.0.0-next-7.15",
+    "@verdaccio/server-fastify": "workspace:7.0.0-next-7.15",
     "core-js": "3.35.0",
     "debug": "4.3.4",
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "jest": "29.7.0",
     "selfsigned": "2.4.1",
     "supertest": "6.3.4"

packages/node-api/test/run-server.spec.ts

@@ -15,7 +15,6 @@ describe('startServer via API', () => {
   });
 
   test('should fail on start with null as entry', async () => {
-    // @ts-expect-error
     await expect(runServer(null)).rejects.toThrow();
   });
 });

packages/plugins/audit/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/plugins/audit/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-audit",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.15",
   "description": "Verdaccio Middleware plugin to bypass npmjs audit",
   "keywords": [
     "private",
@@ -30,16 +30,16 @@
     "node": ">=12"
   },
   "dependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "express": "4.18.3",
     "https-proxy-agent": "5.0.1",
     "node-fetch": "cjs"
   },
   "devDependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "nock": "13.5.1",
     "supertest": "6.3.4"
   },

packages/plugins/auth-memory/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/plugins/auth-memory/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-auth-memory",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.15",
   "description": "Auth plugin for Verdaccio that keeps users in memory",
   "keywords": [
     "private",
@@ -30,13 +30,13 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "debug": "4.3.4"
   },
   "devDependencies": {
     "@types/debug": "^4.1.12",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/plugins/htpasswd/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/file-locking@12.0.0-next.1
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/plugins/htpasswd/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-htpasswd",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.15",
   "description": "htpasswd auth plugin for Verdaccio",
   "keywords": [
     "private",
@@ -33,7 +33,7 @@
     "node": ">=12"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "@verdaccio/file-locking": "workspace:12.0.0-next.1",
     "apache-md5": "1.1.8",
     "bcryptjs": "2.4.3",
@@ -44,9 +44,9 @@
   },
   "devDependencies": {
     "@types/bcryptjs": "2.4.6",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
     "mockdate": "3.0.5"
   },
   "scripts": {

packages/plugins/local-storage/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/file-locking@12.0.0-next.1
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/plugins/local-storage/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/local-storage",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.15",
   "description": "Local storage implementation",
   "keywords": [
     "private",
@@ -36,9 +36,9 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "@verdaccio/file-locking": "workspace:12.0.0-next.1",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "core-js": "3.35.0",
     "debug": "4.3.4",
     "globby": "11.1.0",
@@ -50,10 +50,10 @@
   },
   "devDependencies": {
     "@types/minimatch": "5.1.2",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "minimatch": "9.0.3"
   },
   "scripts": {

packages/plugins/memory/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Change Log
 
+## 12.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
 ## 12.0.0-next-7.14
 
 ### Patch Changes

packages/plugins/memory/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio-memory",
-  "version": "12.0.0-next-7.14",
+  "version": "12.0.0-next-7.15",
   "description": "Storage implementation in memory",
   "keywords": [
     "private",
@@ -30,15 +30,15 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "memory-fs": "0.5.0",
     "debug": "4.3.4",
     "memfs": "3.5.3"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15"
   },
   "scripts": {
     "clean": "rimraf ./build",

packages/plugins/ui-theme/CHANGELOG.md

@@ -1,5 +1,7 @@
 # @verdaccio/ui-theme
 
+## 7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ## 7.0.0-next-7.13

packages/plugins/ui-theme/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/ui-theme",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "Verdaccio User Interface",
   "author": {
     "name": "Verdaccio Contributors",
@@ -27,7 +27,7 @@
     "@testing-library/dom": "9.3.4",
     "@testing-library/jest-dom": "6.3.0",
     "@testing-library/react": "14.1.2",
-    "@verdaccio/node-api": "workspace:7.0.0-next-7.14",
+    "@verdaccio/node-api": "workspace:7.0.0-next-7.15",
     "@verdaccio/types": "workspace:*",
     "@verdaccio/ui-components": "workspace:3.0.0-next-7.6",
     "babel-loader": "8.3.0",

packages/proxy/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @verdaccio/proxy
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/proxy/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/proxy",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "verdaccio proxy fetcher",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,9 +38,9 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "JSONStream": "1.3.5",
     "debug": "4.3.4",
     "got-cjs": "12.5.4",
@@ -48,8 +48,8 @@
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "get-stream": "^6.0.1",
     "nock": "13.5.1",
     "node-mocks-http": "1.14.1",

packages/search-indexer/package.json

@@ -37,7 +37,7 @@
     "build": "esbuild src/index.ts --bundle --outfile=build/dist.js --platform=node --target=node12  && pnpm run build:types"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "@orama/orama": "1.2.4",
     "debug": "4.3.4",
     "esbuild": "0.14.10"

packages/search/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @verdaccio/search
 
+## 7.0.0-next-7.4
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/proxy@7.0.0-next-7.15
+
 ## 7.0.0-next-7.3
 
 ### Patch Changes

packages/search/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/search",
-  "version": "7.0.0-next-7.3",
+  "version": "7.0.0-next-7.4",
   "description": "verdaccio search proxy",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -40,13 +40,13 @@
   "dependencies": {
     "debug": "4.3.4",
     "lodash": "4.17.21",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/proxy": "workspace:7.0.0-next-7.14"
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/proxy": "workspace:7.0.0-next-7.15"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "mockdate": "3.0.5",
     "nock": "13.5.1",
     "node-mocks-http": "1.14.1"

packages/server/express/CHANGELOG.md

@@ -1,5 +1,23 @@
 # @verdaccio/server
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [7400830]
+- Updated dependencies [bd8703e]
+  - @verdaccio/store@7.0.0-next-7.15
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/auth@7.0.0-next-7.15
+  - @verdaccio/web@7.0.0-next-7.15
+  - @verdaccio/api@7.0.0-next-7.15
+  - @verdaccio/loaders@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - verdaccio-audit@12.0.0-next-7.15
+  - @verdaccio/middleware@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/server/express/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/server",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "server logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -29,17 +29,17 @@
     "node": ">=18"
   },
   "dependencies": {
-    "@verdaccio/api": "workspace:7.0.0-next-7.14",
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/loaders": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.14",
-    "@verdaccio/store": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
-    "@verdaccio/web": "workspace:7.0.0-next-7.14",
-    "verdaccio-audit": "workspace:12.0.0-next-7.14",
+    "@verdaccio/api": "workspace:7.0.0-next-7.15",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/loaders": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.15",
+    "@verdaccio/store": "workspace:7.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
+    "@verdaccio/web": "workspace:7.0.0-next-7.15",
+    "verdaccio-audit": "workspace:12.0.0-next-7.15",
     "compression": "1.7.4",
     "cors": "2.8.5",
     "debug": "4.3.4",
@@ -47,7 +47,7 @@
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/proxy": "workspace:7.0.0-next-7.14",
+    "@verdaccio/proxy": "workspace:7.0.0-next-7.15",
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
     "http-errors": "2.0.0"
   },

packages/server/fastify/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @verdaccio/server-fastify
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [7400830]
+- Updated dependencies [bd8703e]
+  - @verdaccio/tarball@12.0.0-next-7.15
+  - @verdaccio/store@7.0.0-next-7.15
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/auth@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/server/fastify/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/server-fastify",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "fastify server api implementation",
   "keywords": [
     "private",
@@ -33,13 +33,13 @@
     "access": "public"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/store": "workspace:7.0.0-next-7.14",
-    "@verdaccio/tarball": "workspace:12.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/store": "workspace:7.0.0-next-7.15",
+    "@verdaccio/tarball": "workspace:12.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "core-js": "3.35.0",
     "debug": "4.3.4",
     "fastify": "4.25.2",
@@ -47,7 +47,7 @@
     "lodash": "4.17.21"
   },
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "ts-node": "10.9.2"
   },
   "scripts": {

packages/signature/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @verdaccio/signature
 
+## 7.0.0-next-7.5
+
+### Minor Changes
+
+- bd8703e: feat: add migrateToSecureLegacySignature and remove enhancedLegacySignature property
+
 ## 7.0.0-next-7.4
 
 ### Minor Changes

packages/signature/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/signature",
-  "version": "7.0.0-next-7.4",
+  "version": "7.0.0-next-7.5",
   "description": "verdaccio signature utils",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -39,12 +39,11 @@
   },
   "dependencies": {
     "jsonwebtoken": "9.0.2",
-    "evp_bytestokey": "1.0.3",
     "debug": "4.3.4"
   },
   "devDependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2"
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3"
   },
   "funding": {
     "type": "opencollective",

packages/signature/src/index.ts

@@ -2,8 +2,6 @@ export {
   aesDecryptDeprecated,
   aesEncryptDeprecated,
   generateRandomSecretKeyDeprecated,
-  aesDecryptDeprecatedBackwardCompatible,
-  aesEncryptDeprecatedBackwardCompatible,
 } from './legacy-signature';
 
 export { aesDecrypt, aesEncrypt } from './signature';

packages/signature/src/legacy-signature/index.ts

@@ -1,13 +1,58 @@
-export {
-  aesDecryptDeprecated,
-  aesEncryptDeprecated,
-  generateRandomSecretKeyDeprecated,
-  TOKEN_VALID_LENGTH_DEPRECATED,
-  defaultAlgorithm,
-  defaultTarballHashAlgorithm,
-} from './legacy-crypto';
-// Temporary export to keep backward compatibility with Node.js >= 22
-export {
-  aesDecryptDeprecatedBackwardCompatible,
-  aesEncryptDeprecatedBackwardCompatible,
-} from './legacy-backward-compatible';
+import { createCipher, createDecipher } from 'crypto';
+import buildDebug from 'debug';
+
+import { generateRandomHexString } from '../utils';
+
+export const defaultAlgorithm = 'aes192';
+export const defaultTarballHashAlgorithm = 'sha1';
+
+const debug = buildDebug('verdaccio:auth:token:legacy:deprecated');
+
+/**
+ *
+ * @param buf
+ * @param secret
+ * @returns
+ */
+export function aesEncryptDeprecated(buf: Buffer, secret: string): Buffer {
+  debug('aesEncryptDeprecated init');
+  debug('algorithm %o', defaultAlgorithm);
+  // deprecated (it will be removed in Verdaccio 6), it is a breaking change
+  // https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options
+  // https://www.grainger.xyz/changing-from-cipher-to-cipheriv/
+  const c = createCipher(defaultAlgorithm, secret);
+  const b1 = c.update(buf);
+  const b2 = c.final();
+  debug('deprecated legacy token generated successfully');
+  return Buffer.concat([b1, b2]);
+}
+
+/**
+ *
+ * @param buf
+ * @param secret
+ * @returns
+ */
+export function aesDecryptDeprecated(buf: Buffer, secret: string): Buffer {
+  try {
+    debug('aesDecryptDeprecated init');
+    // https://nodejs.org/api/crypto.html#crypto_crypto_createdecipher_algorithm_password_options
+    // https://www.grainger.xyz/changing-from-cipher-to-cipheriv/
+    const c = createDecipher(defaultAlgorithm, secret);
+    const b1 = c.update(buf);
+    const b2 = c.final();
+    debug('deprecated legacy token payload decrypted successfully');
+    return Buffer.concat([b1, b2]);
+  } catch (_) {
+    return Buffer.alloc(0);
+  }
+}
+
+export const TOKEN_VALID_LENGTH_DEPRECATED = 64;
+
+/**
+ * Generate a secret key of 64 characters.
+ */
+export function generateRandomSecretKeyDeprecated(): string {
+  return generateRandomHexString(6);
+}

packages/signature/src/legacy-signature/legacy-backward-compatible.ts

@@ -1,32 +0,0 @@
-/* eslint-disable new-cap */
-import { createCipheriv, createDecipheriv } from 'crypto';
-import EVP_BytesToKey from 'evp_bytestokey';
-
-export const defaultAlgorithm = 'aes192';
-const KEY_SIZE = 24;
-
-export function aesDecryptDeprecatedBackwardCompatible(text, secret: string) {
-  const result = EVP_BytesToKey(
-    secret,
-    null,
-    KEY_SIZE * 8, // byte to bit size
-    16
-  );
-
-  let decipher = createDecipheriv(defaultAlgorithm, result.key, result.iv);
-  let decrypted = decipher.update(text, 'hex', 'utf8') + decipher.final('utf8');
-  return decrypted.toString();
-}
-
-export function aesEncryptDeprecatedBackwardCompatible(text, secret: string) {
-  const result = EVP_BytesToKey(
-    secret,
-    null,
-    KEY_SIZE * 8, // byte to bit size
-    16
-  );
-
-  const cipher = createCipheriv(defaultAlgorithm, result.key, result.iv);
-  const encrypted = cipher.update(text, 'utf8', 'hex') + cipher.final('hex');
-  return encrypted.toString();
-}

packages/signature/src/legacy-signature/legacy-crypto.ts

@@ -1,50 +0,0 @@
-import { createCipher, createDecipher } from 'crypto';
-
-import { generateRandomHexString } from '../utils';
-
-export const defaultAlgorithm = 'aes192';
-export const defaultTarballHashAlgorithm = 'sha1';
-
-/**
- * Deprecated version usage of crypto.createCipher, only useful for node.js versions < 22.
- * @param buf
- * @param secret
- * @returns
- */
-export function aesEncryptDeprecated(buf: Buffer, secret: string): Buffer {
-  // deprecated (it will be removed in Verdaccio 6), it is a breaking change
-  // https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options
-  // https://www.grainger.xyz/changing-from-cipher-to-cipheriv/
-  const c = createCipher(defaultAlgorithm, secret);
-  const b1 = c.update(buf);
-  const b2 = c.final();
-  return Buffer.concat([b1, b2]);
-}
-
-/**
- * Deprecated version usage of crypto.createCipher, only useful for node.js versions < 22.
- * @param buf
- * @param secret
- * @returns
- */
-export function aesDecryptDeprecated(buf: Buffer, secret: string): Buffer {
-  try {
-    // https://nodejs.org/api/crypto.html#crypto_crypto_createdecipher_algorithm_password_options
-    // https://www.grainger.xyz/changing-from-cipher-to-cipheriv/
-    const c = createDecipher(defaultAlgorithm, secret);
-    const b1 = c.update(buf);
-    const b2 = c.final();
-    return Buffer.concat([b1, b2]);
-  } catch (_) {
-    return Buffer.alloc(0);
-  }
-}
-
-export const TOKEN_VALID_LENGTH_DEPRECATED = 64;
-
-/**
- * Generate a secret key of 64 characters.
- */
-export function generateRandomSecretKeyDeprecated(): string {
-  return generateRandomHexString(6);
-}

packages/signature/src/signature.ts

@@ -19,9 +19,9 @@ const outputEncoding: BinaryToTextEncoding = 'hex';
 const VERDACCIO_LEGACY_ENCRYPTION_KEY = process.env.VERDACCIO_LEGACY_ENCRYPTION_KEY;
 
 export function aesEncrypt(value: string, key: string): string | void {
+  debug('aesEncrypt init');
   // https://nodejs.org/api/crypto.html#crypto_crypto_createcipher_algorithm_password_options
   // https://www.grainger.xyz/posts/changing-from-cipher-to-cipheriv
-  debug('encrypt %o', value);
   debug('algorithm %o', defaultAlgorithm);
   // IV must be a buffer of length 16
   const iv = randomBytes(16);
@@ -42,12 +42,13 @@ export function aesEncrypt(value: string, key: string): string | void {
   // @ts-ignore
   encrypted += cipher.final(outputEncoding);
   const token = `${iv.toString('hex')}:${encrypted.toString()}`;
-  debug('token generated successfully');
+  debug('legacy token generated successfully');
   return Buffer.from(token).toString('base64');
 }
 
 export function aesDecrypt(value: string, key: string): string | void {
   try {
+    debug('aesDecrypt init');
     const buff = Buffer.from(value, 'base64');
     const textParts = buff.toString().split(':');
 
@@ -62,7 +63,7 @@ export function aesDecrypt(value: string, key: string): string | void {
     // FIXME: fix type here should allow Buffer
     let decrypted = decipher.update(encryptedText as any, outputEncoding, inputEncoding);
     decrypted += decipher.final(inputEncoding);
-    debug('token decrypted successfully');
+    debug('legacy token payload decrypted successfully');
     return decrypted.toString();
   } catch (_: any) {
     return;

packages/signature/test/legacy-token-deprecated-backward-compatible.spec.ts

@@ -1,23 +0,0 @@
-import {
-  aesDecryptDeprecatedBackwardCompatible,
-  aesEncryptDeprecatedBackwardCompatible,
-  generateRandomSecretKeyDeprecated,
-} from '../src';
-
-describe('test deprecated crypto utils', () => {
-  test('decrypt payload flow', () => {
-    const secret = generateRandomSecretKeyDeprecated();
-    const payload = 'juan:password';
-    const token = aesEncryptDeprecatedBackwardCompatible(Buffer.from(payload), secret);
-    const data = aesDecryptDeprecatedBackwardCompatible(token, secret);
-
-    expect(data.toString()).toEqual(payload.toString());
-  });
-
-  test('crypt fails if secret is incorrect', () => {
-    const payload = 'juan:password';
-    expect(
-      aesEncryptDeprecatedBackwardCompatible(Buffer.from(payload), 'fake_token').toString()
-    ).not.toEqual(Buffer.from(payload));
-  });
-});

packages/signature/test/legacy-token-deprecated.spec.ts

@@ -1,14 +1,24 @@
+import { isNodeVersionGreaterThan21 } from '@verdaccio/config';
+
 import {
   aesDecryptDeprecated,
   aesEncryptDeprecated,
   generateRandomSecretKeyDeprecated,
 } from '../src';
 
-describe('test deprecated crypto utils', () => {
+const itdescribe = (condition) => (condition ? describe : describe.skip);
+
+itdescribe(isNodeVersionGreaterThan21() === false)('test deprecated crypto utils', () => {
+  test('generateRandomSecretKeyDeprecated', () => {
+    expect(generateRandomSecretKeyDeprecated()).toHaveLength(12);
+  });
+
   test('decrypt payload flow', () => {
-    const secret = generateRandomSecretKeyDeprecated();
+    const secret = '4b4512c6ce20';
     const payload = 'juan:password';
     const token = aesEncryptDeprecated(Buffer.from(payload), secret);
+
+    expect(token.toString('base64')).toEqual('auizc1j3lSEd2wEB5CyGbQ==');
     const data = aesDecryptDeprecated(token, secret);
 
     expect(data.toString()).toEqual(payload.toString());

packages/standalone/package.json

@@ -32,8 +32,8 @@
   "homepage": "https://verdaccio.org",
   "license": "MIT",
   "devDependencies": {
-    "@verdaccio/cli": "workspace:7.0.0-next-7.14",
-    "@verdaccio/ui-theme": "workspace:7.0.0-next-7.14",
+    "@verdaccio/cli": "workspace:7.0.0-next-7.15",
+    "@verdaccio/ui-theme": "workspace:7.0.0-next-7.15",
     "fs-extra": "11.2.0",
     "webpack": "5.90.0",
     "webpack-bundle-analyzer": "4.10.1",

packages/store/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @verdaccio/store
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- 7400830: revert #4600
+- Updated dependencies [7400830]
+- Updated dependencies [bd8703e]
+  - @verdaccio/tarball@12.0.0-next-7.15
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/url@12.0.0-next-7.15
+  - @verdaccio/hooks@7.0.0-next-7.15
+  - @verdaccio/loaders@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/local-storage@12.0.0-next-7.15
+  - @verdaccio/proxy@7.0.0-next-7.15
+  - @verdaccio/search@7.0.0-next-7.4
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/store/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/store",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "loaders logic",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -38,17 +38,17 @@
     "build": "pnpm run build:js && pnpm run build:types"
   },
   "dependencies": {
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/hooks": "workspace:7.0.0-next-7.14",
-    "@verdaccio/loaders": "workspace:7.0.0-next-7.14",
-    "@verdaccio/local-storage": "workspace:12.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/search": "workspace:7.0.0-next-7.3",
-    "@verdaccio/proxy": "workspace:7.0.0-next-7.14",
-    "@verdaccio/tarball": "workspace:12.0.0-next-7.14",
-    "@verdaccio/url": "workspace:12.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/hooks": "workspace:7.0.0-next-7.15",
+    "@verdaccio/loaders": "workspace:7.0.0-next-7.15",
+    "@verdaccio/local-storage": "workspace:12.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/search": "workspace:7.0.0-next-7.4",
+    "@verdaccio/proxy": "workspace:7.0.0-next-7.15",
+    "@verdaccio/tarball": "workspace:12.0.0-next-7.15",
+    "@verdaccio/url": "workspace:12.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "JSONStream": "1.3.5",
     "debug": "4.3.4",
     "lodash": "4.17.21",
@@ -57,7 +57,7 @@
   },
   "devDependencies": {
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "mockdate": "3.0.5",
     "nock": "13.5.1",
     "node-mocks-http": "1.14.1"

packages/store/src/storage.ts

@@ -34,11 +34,9 @@ import {
 } from '@verdaccio/proxy';
 import Search from '@verdaccio/search';
 import {
-  TarballDetails,
   convertDistRemoteToLocalTarballUrls,
   convertDistVersionToLocalTarballsUrl,
   extractTarballFromUrl,
-  getTarballDetails,
 } from '@verdaccio/tarball';
 import {
   AbbreviatedManifest,
@@ -1046,8 +1044,6 @@ class Storage {
     // at this point document is either created or existed before
     const [firstAttachmentKey] = Object.keys(_attachments);
     const buffer = this.getBufferManifest(body._attachments[firstAttachmentKey].data as string);
-    const readable = Readable.from(buffer);
-    const tarballStats = await this.getTarballStats(versions[versionToPublish], readable);
 
     try {
       // we check if package exist already locally
@@ -1086,7 +1082,7 @@ class Storage {
           _.isNil(manifest.readme) === false ? String(manifest.readme) : '';
       }
       // addVersion will move the readme from the the published version to the root level
-      await this.addVersion(name, versionToPublish, versions[versionToPublish], null, tarballStats);
+      await this.addVersion(name, versionToPublish, versions[versionToPublish], null);
     } catch (err: any) {
       logger.error({ err: err.message }, 'updated version has failed: @{err}');
       debug('error on create a version for %o with error %o', name, err.message);
@@ -1114,6 +1110,7 @@ class Storage {
 
     // 3. upload the tarball to the storage
     try {
+      const readable = Readable.from(buffer);
       await this.uploadTarball(name, basename(firstAttachmentKey), readable, {
         signal: options.signal,
       });
@@ -1286,8 +1283,7 @@ class Storage {
     name: string,
     version: string,
     metadata: Version,
-    tag: StringValue,
-    tarballStats: TarballDetails
+    tag: StringValue
   ): Promise<void> {
     debug(`add version %s package for %s`, version, name);
     await this.updatePackage(name, async (data: Manifest): Promise<Manifest> => {
@@ -1299,12 +1295,6 @@ class Storage {
       metadata.contributors = normalizeContributors(metadata.contributors as Author[]);
       debug('%s` contributors normalized', name);
 
-      // Update tarball stats
-      if (metadata.dist) {
-        metadata.dist.fileCount = tarballStats.fileCount;
-        metadata.dist.unpackedSize = tarballStats.unpackedSize;
-      }
-
       // if uploaded tarball has a different shasum, it's very likely that we
       // have some kind of error
       if (validatioUtils.isObject(metadata.dist) && _.isString(metadata.dist.tarball)) {
@@ -1915,25 +1905,6 @@ class Storage {
       return cacheManifest;
     }
   }
-
-  private async getTarballStats(version: Version, readable: Readable): Promise<TarballDetails> {
-    if (
-      version.dist == undefined ||
-      version.dist?.fileCount == undefined ||
-      version.dist?.unpackedSize == undefined
-    ) {
-      debug('tarball stats not found, calculating');
-      try {
-        return await getTarballDetails(readable);
-      } catch (err: any) {
-        logger.error({ err: err.message }, 'getting tarball details has failed: @{err}');
-        throw err;
-      }
-    } else {
-      debug('tarball stats found');
-      return { fileCount: version.dist.fileCount, unpackedSize: version.dist.unpackedSize };
-    }
-  }
 }
 
 export { Storage };

packages/store/test/storage.spec.ts

@@ -262,12 +262,10 @@ describe('storage', () => {
         expect(manifestVersion._id).toEqual(`${pkgName}@1.0.1`);
         expect(manifestVersion.description).toEqual('package generated');
         expect(manifestVersion.dist).toEqual({
-          fileCount: 4,
           integrity:
             'sha512-6gHiERpiDgtb3hjqpQH5/i7zRmvYi9pmCjQf2ZMy3QEa9wVk9RgdZaPWUt7ZOnWUPFjcr9cmE6dUBf+XoPoH4g==',
           shasum: '2c03764f651a9f016ca0b7620421457b619151b9',
           tarball: 'http://localhost:5555/upstream/-/upstream-1.0.1.tgz',
-          unpackedSize: 543,
         });
 
         expect(manifestVersion.contributors).toEqual([]);

packages/tools/helpers/package.json

@@ -9,13 +9,13 @@
   "main": "build/index.js",
   "types": "build/index.d.ts",
   "devDependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/middleware": "workspace:7.0.0-next-7.14",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/middleware": "workspace:7.0.0-next-7.15",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
     "body-parser": "1.20.2",
     "debug": "4.3.4",
     "express": "4.18.3",

packages/tools/helpers/src/initializeServer.ts

@@ -18,9 +18,7 @@ export async function initializeServer(
   Storage
 ): Promise<Application> {
   const app = express();
-  // verdaccio next always uses forceEnhancedLegacySignature while legacy (5.x, 6.x)
-  // have this property false by default
-  const config = new Config(configName, { forceEnhancedLegacySignature: true });
+  const config = new Config(configName);
   config.storage = path.join(os.tmpdir(), '/storage', generateRandomHexString());
   // httpass would get path.basename() for configPath thus we need to create a dummy folder
   // to avoid conflics

packages/tools/local-publish/package.json

@@ -9,10 +9,10 @@
   "main": "build/index.js",
   "types": "build/index.d.ts",
   "devDependencies": {
-    "@verdaccio/types": "workspace:12.0.0-next.2",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "verdaccio": "7.0.0-next-7.14"
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "verdaccio": "7.0.0-next-7.15"
   },
   "scripts": {
     "start": "ts-node src/index.ts",

packages/ui-components/package.json

@@ -76,7 +76,7 @@
     "@types/hast": "^2.0.0",
     "@types/react-router": "^5.1.20",
     "@types/unist": "^2.0.0",
-    "@verdaccio/types": "workspace:12.0.0-next.2",
+    "@verdaccio/types": "workspace:12.0.0-next-7.3",
     "babel-loader": "^8.3.0",
     "mockdate": "3.0.5",
     "msw": "0.49.3",

packages/utils/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @verdaccio/utils
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/core@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/utils/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@verdaccio/utils",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "verdaccio utilities",
   "main": "./build/index.js",
   "types": "build/index.d.ts",
@@ -29,7 +29,7 @@
     "node": ">=12"
   },
   "dependencies": {
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
     "minimatch": "7.4.6",
     "semver": "7.6.0",
     "lodash": "4.17.21"

packages/verdaccio/CHANGELOG.md

@@ -1,5 +1,19 @@
 # verdaccio
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [bd8703e]
+  - @verdaccio/node-api@7.0.0-next-7.15
+  - @verdaccio/hooks@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - verdaccio-audit@12.0.0-next-7.15
+  - verdaccio-htpasswd@12.0.0-next-7.15
+  - @verdaccio/ui-theme@7.0.0-next-7.15
+  - @verdaccio/cli@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes

packages/verdaccio/package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio",
-  "version": "7.0.0-next-7.14",
+  "version": "7.0.0-next-7.15",
   "description": "A lightweight private npm proxy registry",
   "main": "build/index.js",
   "types": "build/index.d.ts",
@@ -38,20 +38,20 @@
   },
   "homepage": "https://verdaccio.org",
   "dependencies": {
-    "@verdaccio/cli": "workspace:7.0.0-next-7.14",
-    "@verdaccio/hooks": "workspace:7.0.0-next-7.14",
-    "@verdaccio/logger": "workspace:7.0.0-next-7.14",
-    "@verdaccio/node-api": "workspace:7.0.0-next-7.14",
-    "@verdaccio/ui-theme": "workspace:7.0.0-next-7.14",
-    "@verdaccio/utils": "workspace:7.0.0-next-7.14",
-    "verdaccio-audit": "workspace:12.0.0-next-7.14",
-    "verdaccio-htpasswd": "workspace:12.0.0-next-7.14"
+    "@verdaccio/cli": "workspace:7.0.0-next-7.15",
+    "@verdaccio/hooks": "workspace:7.0.0-next-7.15",
+    "@verdaccio/logger": "workspace:7.0.0-next-7.15",
+    "@verdaccio/node-api": "workspace:7.0.0-next-7.15",
+    "@verdaccio/ui-theme": "workspace:7.0.0-next-7.15",
+    "@verdaccio/utils": "workspace:7.0.0-next-7.15",
+    "verdaccio-audit": "workspace:12.0.0-next-7.15",
+    "verdaccio-htpasswd": "workspace:12.0.0-next-7.15"
   },
   "devDependencies": {
-    "@verdaccio/auth": "workspace:7.0.0-next-7.14",
-    "@verdaccio/config": "workspace:7.0.0-next-7.14",
-    "@verdaccio/core": "workspace:7.0.0-next-7.14",
-    "@verdaccio/store": "workspace:7.0.0-next-7.14",
+    "@verdaccio/auth": "workspace:7.0.0-next-7.15",
+    "@verdaccio/config": "workspace:7.0.0-next-7.15",
+    "@verdaccio/core": "workspace:7.0.0-next-7.15",
+    "@verdaccio/store": "workspace:7.0.0-next-7.15",
     "@verdaccio/test-helper": "workspace:3.0.0-next-7.2",
     "fastify": "4.25.2",
     "get-port": "5.1.1",

packages/web/CHANGELOG.md

@@ -1,5 +1,22 @@
 # @verdaccio/web
 
+## 7.0.0-next-7.15
+
+### Patch Changes
+
+- Updated dependencies [7400830]
+- Updated dependencies [bd8703e]
+  - @verdaccio/tarball@12.0.0-next-7.15
+  - @verdaccio/store@7.0.0-next-7.15
+  - @verdaccio/core@7.0.0-next-7.15
+  - @verdaccio/config@7.0.0-next-7.15
+  - @verdaccio/auth@7.0.0-next-7.15
+  - @verdaccio/url@12.0.0-next-7.15
+  - @verdaccio/loaders@7.0.0-next-7.15
+  - @verdaccio/logger@7.0.0-next-7.15
+  - @verdaccio/middleware@7.0.0-next-7.15
+  - @verdaccio/utils@7.0.0-next-7.15
+
 ## 7.0.0-next-7.14
 
 ### Patch Changes