chore(release): 4.13.0

* Update node to 14.18.3

v14.18.3 of node fixes a bunch of security vulnerabilities. Specifically:

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22931
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672

* Use node:14-alpine for image

* Fix docker build by installing `python2` instead of `python`

I simply followed what was done in https://github.com/verdaccio/verdaccio/pull/2644

.github/workflows/ci-e2e.yml

@@ -1,27 +0,0 @@
-name: E2E CLI
-
-on: [pull_request]
-
-jobs:
-  ci:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest]
-        node_version: [14]
-
-    name: ${{ matrix.os }} / Node ${{ matrix.node_version }}
-    runs-on: ${{ matrix.os }}
-
-    steps:
-      - uses: actions/checkout@v2.3.1
-      - name: Use Node ${{ matrix.node_version }}
-        uses: actions/setup-node@v2.1.5
-        with:
-          node-version: ${{ matrix.node_version }}
-      - name: Install
-        run: yarn install --immutable
-      - name: Build
-        run: yarn code:build
-      - name: Test CLI
-        run: yarn run test:e2e:cli

.github/workflows/ci.yml

@@ -9,7 +9,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node_version: [10, 12, 14, 15]
+        node_version: [10]
 
     runs-on: ubuntu-latest
 

.github/workflows/codeql-analysis.yml

@@ -1,52 +0,0 @@
-name: "Code scanning - action"
-
-on:
-  push:
-  pull_request:
-  schedule:
-    - cron: '0 2 * * 4'
-
-jobs:
-  CodeQL-Build:
-
-    # CodeQL runs on ubuntu-latest and windows-latest
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2.3.3
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
-
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
-      
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      # Override language selection by uncommenting this and choosing your languages
-      # with:
-      #   languages: go, javascript, csharp, python, cpp, java
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1

.github/workflows/docker-publish.yml

@@ -36,7 +36,8 @@ jobs:
         with:
           images: ${{ github.repository }}
           tag-custom: 4.x-next
-          tag-custom-only: ${{ github.ref == 'refs/heads/master' }}
+          tag-custom-only: ${{ github.ref == 'refs/heads/4.x' }}
+          tag-latest: false
           tag-semver: |
             {{version}}
             {{major}}

.github/workflows/e2e-angular-cli-workflow.yml

@@ -1,153 +0,0 @@
-on:
-  schedule:
-  - cron: '0 3 * * 5'
-  pull_request:
-    branches:
-    - '**'
-
-name: 'E2E Angular CLI with verdaccio'
-jobs:
-# todo: fix yarn global issue, cannot find ng
-#  yarn:
-#    name: 'yarn:angular example'
-#    runs-on: ubuntu-latest
-#
-#    steps:
-#      - uses: actions/checkout@v2.3.3
-#
-#      - name: 'Use Node.js 10.x'
-#        uses: actions/setup-node@v2.1.5
-#        with:
-#          node-version: 10.x
-#      - name: Install Dependencies
-#        run: yarn install --pure-lockfile
-#      - name: 'Run verdaccio in the background'
-#        run: |
-#          nohup node ./scripts/run-verdaccio.js &
-#      - name: 'Ping to verdaccio'
-#        run: |
-#          npm ping --registry http://localhost:4873
-#      - name: 'Running the integration test'
-#        run: |
-#          source scripts/e2e-setup-ci.sh
-#          yarn init --yes
-#
-#          yarn global add @angular/cli
-#          which nodemon
-#          ng new verdaccio-angular --interactive=false
-#
-#          cd verdaccio-angular
-#          echo "registry=http://localhost:4873" > ~/.npmrc
-#          yarn add @angular-devkit/core@next @babel/preset-env @babel/core -D
-#
-#          ng build --aot
-  npm:
-    name: 'npm:angular example'
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2.3.3
-
-      - name: 'Use Node.js 14.x'
-        uses: actions/setup-node@v2.1.5
-        with:
-          node-version: 14.x
-      - name: 'install latest npm'
-        run: npm i -g npm@latest-6
-      - name: Install Dependencies
-        run: yarn install
-      - name: 'Run verdaccio in the background'
-        run: |
-          nohup node ./scripts/run-verdaccio.js --config ./scripts/e2e-config.yaml &
-      - name: 'Ping to verdaccio'
-        run: |
-          npm ping --registry http://localhost:4873
-      - name: 'Running the integration test'
-        run: |
-          source scripts/e2e-setup-ci.sh
-          echo "registry=http://localhost:4873" > ~/.npmrc
-          npm config set loglevel="http"
-          npm config set fetch-retries="5"
-          npm config set fetch-retry-factor="50"
-          npm config set fetch-retry-mintimeout="20000"
-          npm config set fetch-retry-maxtimeout="80000"
-          npm install -g @angular/cli
-          ng new verdaccio-angular --interactive=false
-
-          cd verdaccio-angular
-          npm install @angular-devkit/core@next @babel/preset-env @babel/core -D
-
-          npm run ng build --aot
-  npm7:
-    name: 'npm7:angular example'
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2.3.3
-
-      - name: 'Use Node.js 14.x'
-        uses: actions/setup-node@v2.1.5
-        with:
-          node-version: 14.x
-      - name: 'install latest npm'
-        run: npm i -g npm@next-7
-      - name: Install Dependencies
-        run: yarn install
-      - name: 'Run verdaccio in the background'
-        run: |
-          nohup node ./scripts/run-verdaccio.js --config ./scripts/e2e-config.yaml &
-      - name: 'Ping to verdaccio'
-        run: |
-          npm ping --registry http://localhost:4873
-      - name: 'Running the integration test'
-        run: |
-          source scripts/e2e-setup-ci.sh
-          echo "registry=http://localhost:4873" > ~/.npmrc
-          npm config set loglevel="silent"
-          npm config set fetch-retries="5"
-          npm config set fetch-retry-factor="50"
-          npm config set fetch-retry-mintimeout="20000"
-          npm config set fetch-retry-maxtimeout="80000"
-          npm install -g @angular/cli
-          ng new verdaccio-angular --interactive=false
-
-          cd verdaccio-angular
-          npm install @angular-devkit/core@next @babel/preset-env @babel/core -D
-
-          npm run ng build --aot
-
-#  pnpm throws errors worth to check why
-#  pnpm:
-#    name: 'pnpm:angular example'
-#    runs-on: ubuntu-latest
-#
-#    steps:
-#      - uses: actions/checkout@v2.3.3
-#
-#      - name: 'Use Node.js 10.x'
-#        uses: actions/setup-node@v2.1.1
-#        with:
-#          node-version: 10.x
-#      - name: 'install latest pnpm'
-#        run: npm i -g pnpm
-#      - name: Install Dependencies
-#        run: yarn install --pure-lockfile
-#      - name: 'Run verdaccio in the background'
-#        run: |
-#          nohup node ./scripts/run-verdaccio.js &
-#      - name: 'Ping to verdaccio'
-#        run: |
-#          pnpm ping --registry http://localhost:4873
-#      - name: 'Running the integration test'
-#        run: |
-#          source scripts/e2e-setup-ci.sh
-#          pnpm init --force
-#
-#          pnpm install -g @angular/cli
-#          ng new verdaccio-angular --interactive=false
-#
-#          cd verdaccio-angular
-#          echo "registry=http://localhost:4873" > ~/.npmrc
-#          pnpm install @angular-devkit/core@next @babel/preset-env @babel/core -D
-#
-#          pnpm run ng build --aot

.github/workflows/e2e-gatsbyjs-cli-workflow.yml

@@ -1,44 +0,0 @@
-on:
-  schedule:
-    - cron: '0 3 * * 5'
-  pull_request:
-    branches:
-      - '**'
-
-name: 'E2E Gatsby.js CLI with verdaccio'
-jobs:
-  npm:
-    name: 'npm:gatsby example'
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2.3.3
-
-      - name: 'Use Node.js 14.x'
-        uses: actions/setup-node@v2.1.5
-        with:
-          node-version: 14.x
-      - name: 'install latest npm'
-        run: npm i -g npm@latest-6
-      - name: Install Dependencies
-        run: yarn install
-      - name: 'Run verdaccio in the background'
-        run: |
-          nohup node ./scripts/run-verdaccio.js --config ./scripts/e2e-config.yaml &
-      - name: 'Ping to verdaccio'
-        run: |
-          npm ping --registry http://localhost:4873
-      - name: 'Running the integration test'
-        run: |
-          source scripts/e2e-setup-ci.sh
-          echo "registry=http://localhost:4873
-          loglevel="silent"
-          fetch-retries=10
-          fetch-retry-factor=2
-          fetch-retry-mintimeout=10000
-          fetch-retry-maxtimeout=80000" > ~/.npmrc
-          npm config list
-          npm i -g gatsby
-          gatsby new my-gatsby
-          cd my-gatsby
-          npm run build

.github/workflows/e2e-jest-workflow.yml

@@ -1,209 +0,0 @@
-on:
-  schedule:
-    - cron: '0 3 * * 5'
-  pull_request:
-    branches:
-      - '**'
-
-name: 'E2E Jest with verdaccio'
-jobs:
-  yarn:
-    name: 'yarn:jest example'
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2.3.3
-
-      - name: 'Use Node.js 10.x'
-        uses: actions/setup-node@v2.1.5
-        with:
-          node-version: 10.x
-      - name: Install Dependencies
-        run: yarn install
-      - name: 'Run verdaccio in the background'
-        run: |
-          nohup node ./scripts/run-verdaccio.js --config ./scripts/e2e-config.yaml &
-      - name: 'Ping to verdaccio'
-        run: |
-          npm ping --registry http://localhost:4873
-      - name: 'Running the integration test'
-        run: |
-          source scripts/e2e-setup-ci.sh
-          yarn init --yes
-          yarn add jest --registry http://localhost:4873
-
-          echo "it('should pass', () => { expect(true).toBeTruthy(); });" | tee pass.test.js
-          yarn jest pass.test.js
-
-          yarn add left-pad --registry http://localhost:4873 --verbose
-          echo "const leftPad = require('left-pad'); it('should resolve a module', () => { expect(typeof leftPad).toBe('function');});" | tee module.test.js
-          yarn jest module.test.js
-  yarn2:
-    name: 'yarn2:jest example'
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2.3.3
-
-      - name: 'Use Node.js 10.x'
-        uses: actions/setup-node@v2.1.5
-        with:
-          node-version: 10.x
-      - name: Install Dependencies
-        run: yarn install
-      - name: 'Run verdaccio in the background'
-        run: |
-          nohup node ./scripts/run-verdaccio.js --config ./scripts/e2e-config.yaml &
-      - name: 'Ping to verdaccio'
-        run: |
-          npm ping --registry http://localhost:4873
-      - name: 'Running the integration test'
-        run: |
-          source scripts/e2e-setup-ci.sh
-          yarn init --yes
-          yarn set version berry
-          yarn config set npmRegistryServer "http://localhost:4873"
-          yarn config set unsafeHttpWhitelist --json '["localhost"]'
-          yarn add jest@26.0.0
-
-          echo "it('should pass', () => { expect(true).toBeTruthy(); });" | tee pass.test.js
-          yarn jest pass.test.js
-
-          yarn add left-pad
-          echo "const leftPad = require('left-pad'); it('should resolve a module', () => { expect(typeof leftPad).toBe('function');});" | tee module.test.js
-          yarn jest module.test.js
-  npm:
-    name: 'npm:jest example'
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2.3.3
-
-      - name: 'Use Node.js 10.x'
-        uses: actions/setup-node@v2.1.5
-        with:
-          node-version: 10.x
-      - name: 'install latest npm'
-        run: npm i -g npm@latest-6
-      - name: Install Dependencies
-        run: yarn install
-      - name: 'Run verdaccio in the background'
-        run: |
-          nohup node ./scripts/run-verdaccio.js  --config ./scripts/e2e-config.yaml  &
-      - name: 'Ping to verdaccio'
-        run: |
-          npm ping --registry http://localhost:4873
-      - name: 'Running the integration test'
-        run: |
-          source scripts/e2e-setup-ci.sh
-          npm init --force
-          npm install jest --registry http://localhost:4873
-
-          echo "it('should pass', () => { expect(true).toBeTruthy(); });" | tee pass.test.js
-          yarn jest pass.test.js
-
-          yarn add left-pad --registry http://localhost:4873 --verbose
-          echo "const leftPad = require('left-pad'); it('should resolve a module', () => { expect(typeof leftPad).toBe('function');});" | tee module.test.js
-          yarn jest module.test.js
-  npm7:
-    name: 'npm7:jest example'
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2.3.3
-
-      - name: 'Use Node.js 10.x'
-        uses: actions/setup-node@v2.1.5
-        with:
-          node-version: 10.x
-      - name: 'install latest npm'
-        run: npm i -g npm
-      - name: Install Dependencies
-        run: yarn install
-      - name: 'Run verdaccio in the background'
-        run: |
-          nohup node ./scripts/run-verdaccio.js  --config ./scripts/e2e-config.yaml  &
-      - name: 'Ping to verdaccio'
-        run: |
-          npm ping --registry http://localhost:4873
-      - name: 'Running the integration test'
-        run: |
-          source scripts/e2e-setup-ci.sh
-          npm init --force
-          npm install jest --registry http://localhost:4873
-
-          echo "it('should pass', () => { expect(true).toBeTruthy(); });" | tee pass.test.js
-          yarn jest pass.test.js
-
-          yarn add left-pad --registry http://localhost:4873 --verbose
-          echo "const leftPad = require('left-pad'); it('should resolve a module', () => { expect(typeof leftPad).toBe('function');});" | tee module.test.js
-          yarn jest module.test.js
-
-  pnpm:
-    name: 'pnpm:jest example'
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2.3.3
-
-      - name: 'Use Node.js 10.x'
-        uses: actions/setup-node@v2.1.5
-        with:
-          node-version: 10.x
-      - name: 'install latest pnpm'
-        run: npm i -g pnpm
-      - name: Install Dependencies
-        run: yarn install
-      - name: 'Run verdaccio in the background'
-        run: |
-          nohup node ./scripts/run-verdaccio.js &
-      - name: 'Ping to verdaccio'
-        run: |
-          pnpm ping --registry http://localhost:4873
-      - name: 'Running the integration test'
-        run: |
-          source scripts/e2e-setup-ci.sh
-          pnpm init --force
-          pnpm install jest --registry http://localhost:4873
-
-          echo "it('should pass', () => { expect(true).toBeTruthy(); });" | tee pass.test.js
-          yarn jest pass.test.js
-
-          yarn add left-pad --registry http://localhost:4873 --verbose
-          echo "const leftPad = require('left-pad'); it('should resolve a module', () => { expect(typeof leftPad).toBe('function');});" | tee module.test.js
-          yarn jest module.test.js
-  pnpm6:
-    name: 'pnpm6:jest example'
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2.3.3
-
-      - name: 'Use Node.js 12.x'
-        uses: actions/setup-node@v2.1.5
-        with:
-          node-version: 12.x
-      - name: 'install latest pnpm'
-        run: sudo npm i pnpm@dev -g
-      - name: Install Dependencies
-        run: yarn install
-      - name: 'Run verdaccio in the background'
-        run: |
-          nohup node ./scripts/run-verdaccio.js &
-      - name: 'Ping to verdaccio'
-        run: |
-          pnpm ping --registry http://localhost:4873
-      - name: 'Running the integration test'
-        run: |
-          source scripts/e2e-setup-ci.sh
-          pnpm init --force
-          pnpm install jest --registry http://localhost:4873
-
-          echo "it('should pass', () => { expect(true).toBeTruthy(); });" | tee pass.test.js
-          yarn jest pass.test.js
-
-          yarn add left-pad --registry http://localhost:4873 --verbose
-          echo "const leftPad = require('left-pad'); it('should resolve a module', () => { expect(typeof leftPad).toBe('function');});" | tee module.test.js
-          yarn jest module.test.js
-
-

.github/workflows/registry.yml

@@ -1,8 +1,6 @@
 name: Test local registry for js vulnerabilities
 
-on:
-  schedule:
-  - cron: '0 0 * * 7'
+on: [push]
 jobs:
   security:
     runs-on: ubuntu-latest

.prettierignore

@@ -27,3 +27,5 @@ test/functional/store/*
 storage_default_storage/*
 docker-examples/
 .prettierignore
+*.sh
+.secrets-baseline

CHANGELOG.md

@@ -2,6 +2,28 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [4.13.0](https://github.com/verdaccio/verdaccio/compare/v4.12.2...v4.13.0) (2022-03-10)
+
+
+### Features
+
+* update docker base node to 14.x in 4.x branch ([#3046](https://github.com/verdaccio/verdaccio/issues/3046)) ([f40ea10](https://github.com/verdaccio/verdaccio/commit/f40ea10d1f5cc1e5c29a51c7750c27c4ceccd76f))
+
+### [4.12.2](https://github.com/verdaccio/verdaccio/compare/v4.12.1...v4.12.2) (2021-06-23)
+
+
+### Bug Fixes
+
+* update readme and deprecation notice ([d3cd935](https://github.com/verdaccio/verdaccio/commit/d3cd935a4876a665d27545962dcc530762f468b6))
+
+### [4.12.1](https://github.com/verdaccio/verdaccio/compare/v4.12.0...v4.12.1) (2021-05-22)
+
+
+### Bug Fixes
+
+* emit warning for upgrade 5.x and publish on previous ([a760e68](https://github.com/verdaccio/verdaccio/commit/a760e6814d2f1e8e2385f11381ddc7212f6ed380))
+* update docker base 14.17.0 ([6870f99](https://github.com/verdaccio/verdaccio/commit/6870f990c464c9fc219c5550dd77e92651e4a600))
+
 ## [4.12.0](https://github.com/verdaccio/verdaccio/compare/v4.11.3...v4.12.0) (2021-03-17)
 
 

Dockerfile

@@ -1,10 +1,10 @@
-FROM --platform=${BUILDPLATFORM:-linux/amd64} node:14.16.0-alpine as builder
+FROM --platform=${BUILDPLATFORM:-linux/amd64} node:14-alpine as builder
 
 ENV NODE_ENV=production \
     VERDACCIO_BUILD_REGISTRY=https://registry.verdaccio.org
 
 RUN apk --no-cache add openssl ca-certificates wget && \
-    apk --no-cache add g++ gcc libgcc libstdc++ linux-headers make python && \
+    apk --no-cache add g++ gcc libgcc libstdc++ linux-headers make python2 && \
     wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub && \
     wget -q https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.25-r0/glibc-2.25-r0.apk && \
     apk add glibc-2.25-r0.apk
@@ -23,7 +23,7 @@ RUN yarn config set npmRegistryServer $VERDACCIO_BUILD_REGISTRY && \
 
 
 
-FROM node:14.16.0-alpine
+FROM node:14-alpine
 LABEL maintainer="https://github.com/verdaccio/verdaccio"
 
 ENV VERDACCIO_APPDIR=/opt/verdaccio \

README.md

@@ -1,232 +1,10 @@
 ![verdaccio logo](https://cdn.verdaccio.dev/readme/verdaccio@2x.png)
 
-![verdaccio gif](https://cdn.verdaccio.dev/readme/readme-website.png)
-
 # Version 4
 
-[Verdaccio](https://verdaccio.org/) is a simple, **zero-config-required local private npm registry**.
-No need for an entire database just to get started! Verdaccio comes out of the box with
-**its own tiny database**, and the ability to proxy other registries (eg. npmjs.org),
-caching the downloaded modules along the way.
-For those looking to extend their storage capabilities, Verdaccio
-**supports various community-made plugins to hook into services such as Amazon's s3,
-Google Cloud Storage** or create your own plugin.
+**⚠️⚠️ Verdaccio 4.x is deprecated and won't longer receive security support, please upgrade to 5.x or higher ⚠️⚠**
 
-
-[![verdaccio (latest)](https://img.shields.io/npm/v/verdaccio/latest.svg)](https://www.npmjs.com/package/verdaccio)
-[![verdaccio (downloads)](https://img.shields.io/npm/dy/verdaccio.svg)](https://www.npmjs.com/package/verdaccio)
-[![docker pulls](https://img.shields.io/docker/pulls/verdaccio/verdaccio.svg?maxAge=43200)](https://verdaccio.org/docs/en/docker.html)
-[![backers](https://opencollective.com/verdaccio/tiers/backer/badge.svg?label=Backer&color=brightgreen)](https://opencollective.com/verdaccio)
-[![stackshare](https://img.shields.io/badge/Follow%20on-StackShare-blue.svg?logo=stackshare&style=flat)](https://stackshare.io/verdaccio)
-
-[![discord](https://img.shields.io/discord/388674437219745793.svg)](http://chat.verdaccio.org/)
-[![node](https://img.shields.io/node/v/verdaccio/latest.svg)](https://www.npmjs.com/package/verdaccio)
-[![MIT](https://img.shields.io/github/license/mashape/apistatus.svg)](https://github.com/verdaccio/verdaccio/blob/master/LICENSE)
-[![Crowdin](https://d322cqt584bo4o.cloudfront.net/verdaccio/localized.svg)](https://crowdin.com/project/verdaccio)
-[![TODOs](https://badgen.net/https/api.tickgit.com/badgen/github.com/verdaccio/verdaccio)](https://www.tickgit.com/browse?repo=github.com/verdaccio/verdaccio)
-
-[![Twitter followers](https://img.shields.io/twitter/follow/verdaccio_npm.svg?style=social&label=Follow)](https://twitter.com/verdaccio_npm)
-[![Github](https://img.shields.io/github/stars/verdaccio/verdaccio.svg?style=social&label=Stars)](https://github.com/verdaccio/verdaccio/stargazers)
-
-
-## Install
-
-Install with npm:
-
-```bash
-npm install --global verdaccio
-```
-
-## Donations
-
-Verdaccio is run by **volunteers**; nobody is working full-time on it. If you find this project to be useful and would like to support its development, consider making a donation - **your logo might end up in this readme.** 😉
-
-**[Donate](https://opencollective.com/verdaccio)** 💵👍🏻 starting from *$1/month* or just one single contribution.
-
-## What does Verdaccio do for me?
-
-### Use private packages
-
-If you want to use all benefits of npm package system in your company without sending all code to the public, and use your private packages just as easy as public ones.
-
-### Cache npmjs.org registry
-
-   If you have more than one server you want to install packages on, you might want to use this to decrease latency
-   (presumably "slow" npmjs.org will be connected to only once per package/version) and provide limited failover (if npmjs.org is down, we might still find something useful in the cache) or avoid issues like *[How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript](https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/)*, *[Many packages suddenly disappeared](https://github.com/npm/registry-issue-archive/issues/255)* or *[Registry returns 404 for a package I have installed before](https://github.com/npm/registry-issue-archive/issues/329)*.
-
-### Link multiple registries
-
-If you use multiples registries in your organization and need to fetch packages from multiple sources in one single project you might take advance of the uplinks feature with Verdaccio, chaining multiple registries and fetching from one single endpoint.
-
-
-### Override public packages
-
-If you want to use a modified version of some 3rd-party package (for example, you found a bug, but maintainer didn't accept pull request yet), you can publish your version locally under the same name. See in detail [here](https://verdaccio.org/docs/en/best#override-public-packages).
-
-### E2E Testing
-
-Verdaccio has proved to be a lightweight registry that can be
-booted in a couple of seconds, fast enough for any CI. Many open source projects use verdaccio for end to end testing, to mention some examples, **create-react-app**, **mozilla neutrino**, **pnpm**, **storybook**, **alfresco** or **eclipse theia**. You can read more in dedicated article to E2E in our blog.
-
-## Talks
-
-**Next talk**: [Verdaccio - A lightweight Private Proxy Registry built in Node.js | Juan Picado at The Destro Dev Show](https://www.youtube.com/watch?reload=9&v=P_hxy7W-IL4&ab_channel=TheDestroDevShow)
-
-##### **OpenJS World 2020** about *Cover your Projects with a Multi purpose Lightweight Node.js Registry*. 
-
-[![verdaccio openjsworld](https://cdn.verdaccio.dev/readme/youtube_openjsword_2020.png)](https://www.youtube.com/watch?v=oVCjDWeehAQ)
-
-
-You might want to check out as well our previous talks: 
-
-* [ViennaJS Meetup - Introduction to Verdaccio by **Priscila Olivera** and **Juan Picado**](https://www.youtube.com/watch?v=hDIFKzmoCa)
-* [Open Source? trivago - Verdaccio (**Ayush** and **Juan Picado**) January 2020](https://www.youtube.com/watch?v=A5CWxJC9xzc)
-* [GitNation Open Source Stage - How we have built a Node.js Registry with React - **Juan Picado** December 2019](https://www.youtube.com/watch?v=gpjC8Qp9B9A)
-
-## Get Started
-
-Run in your terminal
-
-```bash
-verdaccio
-```
-
-You would need set some npm configuration, this is optional.
-
-```bash
-$ npm set registry http://localhost:4873/
-```
-
-For one-off commands or to avoid setting the registry globally:
-```bash
-NPM_CONFIG_REGISTRY=http://localhost:4873 npm i
-```
-
-Now you can navigate to [http://localhost:4873/](http://localhost:4873/) where your local packages will be listed and can be searched.
-
-> Warning: Verdaccio [does not currently support PM2's cluster mode](https://github.com/verdaccio/verdaccio/issues/1301#issuecomment-489302298), running it with cluster mode may cause unknown behavior.
-
-## Publishing
-
-#### 1. create a user and log in
-
-```bash
-npm adduser --registry http://localhost:4873
-```
-
-> if you use HTTPS, add an appropriate CA information ("null" means get CA list from OS)
-
-```bash
-$ npm set ca null
-```
-
-#### 2. publish your package
-
-```bash
-npm publish --registry http://localhost:4873
-```
-
-This will prompt you for user credentials which will be saved on the `verdaccio` server.
-
-
-## Docker
-
-Below are the most commonly needed information,
-every aspect of Docker and verdaccio is [documented separately](https://www.verdaccio.org/docs/en/docker.html)
-
-
-```
-docker pull verdaccio/verdaccio
-```
-
-Available as [tags](https://hub.docker.com/r/verdaccio/verdaccio/tags/).
-
-```
-docker pull verdaccio/verdaccio:4
-```
-
-### Running verdaccio using Docker
-
-To run the docker container:
-
-```bash
-docker run -it --rm --name verdaccio -p 4873:4873 verdaccio/verdaccio
-```
-
-Docker examples are available [in this repository](https://github.com/verdaccio/docker-examples).
-
-## Compatibility
-
-Verdaccio aims to support all features of a standard npm client that make sense to support in private repository. Unfortunately, it isn't always possible.
-
-### Basic features
-
-- Installing packages (npm install, npm upgrade, etc.) - **supported**
-- Publishing packages (npm publish) - **supported**
-
-### Advanced package control
-
-- Unpublishing packages (npm unpublish) - **supported**
-- Tagging (npm tag) - **supported**
-- Deprecation (npm deprecate) - **supported**
-
-### User management
-
-- Registering new users (npm adduser {newuser}) - **supported**
-- Change password (npm profile set password)  - **supported**
-- Transferring ownership (npm owner add {user} {pkg}) - not supported, *PR-welcome*
-- Token (npm token) - (more info [#1427](https://github.com/verdaccio/verdaccio/pull/1427)) - **supported**
-
-### Miscellany
-
-- Searching (npm search) - **supported** (cli / browser)
-- Ping (npm ping) - **supported**
-- Starring (npm star, npm unstar, npm stars) - **supported**
-
-### Security
-
-- npm/yarn audit - **supported**
-
-## Report a vulnerability
-
-If you want to report a security vulnerability, please follow the steps which we have defined for you in our [security policy](https://github.com/verdaccio/verdaccio/security/policy).
-
-## Core Team
-
-The core team is responsible for driving this project ahead, team is ordered by antiquity and areas of responsibility.
-
-|  [Juan Picado](https://github.com/juanpicado) |  [Ayush Sharma](https://github.com/ayusharma)  | [Sergio Hg](https://github.com/sergiohgz)  |
-|---|---|---|
-| ![jotadeveloper](https://avatars3.githubusercontent.com/u/558752?s=120&v=4)  | ![ayusharma](https://avatars2.githubusercontent.com/u/6918450?s=120&v=4)     | ![sergiohgz](https://avatars2.githubusercontent.com/u/14012309?s=120&v=4) |
-| [@jotadeveloper](https://twitter.com/jotadeveloper)  | [@ayusharma_](https://twitter.com/ayusharma_) | [@sergiohgz](https://twitter.com/sergiohgz)  |
-| All areas  |  All areas | Docker,Builds,Stack, Monorepo |
-| [Priscila Oliveria](https://github.com/priscilawebdev) | [Daniel Ruf](https://github.com/DanielRuf) |
-| ![priscilawebdev](https://avatars2.githubusercontent.com/u/29228205?s=120&v=4) | ![DanielRuf](https://avatars3.githubusercontent.com/u/827205?s=120&v=4) |
-| [@priscilawebdev](https://twitter.com/priscilawebdev) | [@DanielRufde](https://twitter.com/DanielRufde) |
-| UI, Stack  | All areas  |
-
-You can find and chat with then over Discord, click [here](http://chat.verdaccio.org) or follow them at *Twitter*.
-
-## Who is using Verdaccio?
-
-* [create-react-app](https://github.com/facebook/create-react-app/blob/master/CONTRIBUTING.md#customizing-e2e-registry-configuration) *(+86.2k ⭐️)*
-* [Gatsby](https://github.com/gatsbyjs/gatsby) *(+49.2k ⭐️)*
-* [Babel.js](https://github.com/babel/babel) *(+38.5k ⭐️)*
-* [Vue CLI](https://github.com/vuejs/vue-cli) *(+27.4k ⭐️)*
-* [Angular CLI](https://github.com/angular/angular-cli) *(+24.3k ⭐️)*
-* [Uppy](https://github.com/transloadit/uppy) *(+23.8k ⭐️)*
-* [bit](https://github.com/teambit/bit) *(+13k ⭐️)*
-* [Aurelia Framework](https://github.com/aurelia/framework) *(+11.6k ⭐️)*
-* [pnpm](https://github.com/pnpm/pnpm) *(+10.1k ⭐️)*
-* [ethereum/web3.js](https://github.com/ethereum/web3.js) *(+9.8k ⭐️)*
-* [NX](https://github.com/nrwl/nx) *(+6.1k ⭐️)*
-* [webiny-js](https://github.com/webiny/webiny-js) *(+4.3k ⭐️)*
-* [Mozilla Neutrino](https://github.com/neutrinojs/neutrino) *(+3.7k ⭐️)*
-* [workshopper how to npm](https://github.com/workshopper/how-to-npm) *(+1k ⭐️)*
-* [Amazon SDK v3](https://github.com/aws/aws-sdk-js-v3)
-* [Amazon Encryption SDK for Javascript](https://github.com/aws/aws-encryption-sdk-javascript)
-
-🤓 Don't be shy, you also can be in [the list](https://github.com/verdaccio/website/blob/master/docs/who-is-using.md).
+[Please read the migration guidelines](https://verdaccio.org/blog/2021/04/14/verdaccio-5-migration-guide).
 
 ## Open Collective Sponsors
 
@@ -258,29 +36,9 @@ Thanks to the following companies to help us to achieve our goals providing free
 [![browserstack](https://cdn.verdaccio.dev/readme/browserstack_logo.png)](https://www.browserstack.com/)
 [![balsamiq](assets/thanks/balsamiq/logo.jpg)](https://balsamiq.com/)
 
-## Contributors
-
-This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
-
-[![contributors](https://opencollective.com/verdaccio/contributors.svg?width=890&button=true)](../../graphs/contributors)
-
-### FAQ / Contact / Troubleshoot
-
-If you have any issue you can try the following options, do no desist to ask or check our issues database, perhaps someone has asked already what you are looking for.
-
-* [Blog](https://verdaccio.org/blog/)
-* [Donations](https://opencollective.com/verdaccio)
-* [Reporting an issue](https://github.com/verdaccio/verdaccio/blob/master/CONTRIBUTING.md#reporting-a-bug)
-* [Running discussions](https://github.com/verdaccio/verdaccio/issues?q=is%3Aissue+is%3Aopen+label%3Adiscuss)
-* [Chat](http://chat.verdaccio.org/)
-* [Logos](https://verdaccio.org/docs/en/logo)
-* [Docker Examples](https://github.com/verdaccio/docker-examples)
-* [FAQ](https://github.com/verdaccio/verdaccio/issues?utf8=%E2%9C%93&q=is%3Aissue%20label%3Aquestion%20)
-
-
 ### License
 
 Verdaccio is [MIT licensed](https://github.com/verdaccio/verdaccio/blob/master/LICENSE)
 
-The Verdaccio documentation and logos (excluding /thanks, e.g., .md, .png, .sketch)  files within the /assets folder) is
- [Creative Commons licensed](https://creativecommons.org/licenses/by/4.0/).
+The Verdaccio documentation and logos (excluding /thanks, e.g., .md, .png, .sketch) files within the /assets folder) is
+[Creative Commons licensed](https://creativecommons.org/licenses/by/4.0/).

SECURITY.md

@@ -4,11 +4,11 @@
 
 The following table describes the versions of this project that are currently supported with security updates:
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 2.x   | :x:                  |
-| 3.x   | :x:   |
-| 4.x   | :white_check_mark:   |
+| Version | Supported |
+| ------- | --------- |
+| 2.x     | :x:       |
+| 3.x     | :x:       |
+| 4.x     | :x:       |
 
 ## Responsible disclosure security policy
 
@@ -26,11 +26,11 @@ At Verdaccio, we consider the security of our systems a top priority. But no mat
 
 If you discover a security vulnerability, please use one of the following means of communications to report it to us:
 
-* Report the security issue to the Node.js Security WG through the [HackerOne program](https://hackerone.com/nodejs-ecosystem) for ecosystem modules on npm, or to [Snyk Security Team](https://snyk.io/vulnerability-disclosure). They will help triage the security issue and work with all involved parties to remediate and release a fix.
+- Report the security issue to the Node.js Security WG through the [HackerOne program](https://hackerone.com/nodejs-ecosystem) for ecosystem modules on npm, or to [Snyk Security Team](https://snyk.io/vulnerability-disclosure). They will help triage the security issue and work with all involved parties to remediate and release a fix.
 
 Note that time-frame and processes are subject to each program’s own policy.
 
-* Report the security issue to the project maintainers directly at verdaccio@pm.me. If the report contains highly sensitive information, please be advised to encrypt your findings using our [PGP key](https://verdaccio.nyc3.digitaloceanspaces.com/gpg/publickey.verdaccio@pm.me.asc) which is also available in this document.
+- Report the security issue to the project maintainers directly at verdaccio@pm.me. If the report contains highly sensitive information, please be advised to encrypt your findings using our [PGP key](https://verdaccio.nyc3.digitaloceanspaces.com/gpg/publickey.verdaccio@pm.me.asc) which is also available in this document.
 
 Your efforts to responsibly disclose your findings are sincerely appreciated and will be taken into account to acknowledge your contributions.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "verdaccio",
-  "version": "4.12.0",
+  "version": "4.13.0",
   "description": "A lightweight private npm proxy registry",
   "author": {
     "name": "Verdaccio Maintainers",

scripts/publish.sh

@@ -10,4 +10,4 @@ echo "Bumping version to new tag: ${lastTag}"
 echo "//$REGISTRY_URL/:_authToken=$REGISTRY_AUTH_TOKEN" > .npmrc
 
 # Publish to NPM
-npm publish --registry https://$REGISTRY_URL/
+npm publish --registry https://$REGISTRY_URL/ --tag 4-next

src/lib/cli.ts

@@ -13,21 +13,13 @@ import { parseConfigFile } from './utils';
 require('pkginfo')(module);
 
 if (process.getuid && process.getuid() === 0) {
-  global.console.warn(
-    bgYellow().red(
-      "*** WARNING: Verdaccio doesn't need superuser privileges. Don't run it under root! ***"
-    )
-  );
+  global.console.warn(bgYellow().red("*** WARNING: Verdaccio doesn't need superuser privileges. Don't run it under root! ***"));
 }
 
 const MIN_NODE_VERSION = '6.9.0';
 
 if (semver.satisfies(process.version, `>=${MIN_NODE_VERSION}`) === false) {
-  global.console.error(
-    bgRed(
-      `Verdaccio requires at least Node.js ${MIN_NODE_VERSION} or higher, please upgrade your Node.js distribution`
-    )
-  );
+  global.console.error(bgRed(`Verdaccio requires at least Node.js ${MIN_NODE_VERSION} or higher, please upgrade your Node.js distribution`));
   process.exit(1);
 }
 
@@ -67,20 +59,11 @@ function init() {
     }
 
     logger.logger.warn({ file: configPathLocation }, 'config file  - @{file}');
-
-    startVerdaccio(
-      verdaccioConfiguration,
-      cliListener,
-      configPathLocation,
-      pkgVersion,
-      pkgName,
-      listenDefaultCallback
-    );
+    process.emitWarning(`verdaccio 4.x is deprecated and won't longer receive security support, please
+    upgrade to 5.x or higher`);
+    startVerdaccio(verdaccioConfiguration, cliListener, configPathLocation, pkgVersion, pkgName, listenDefaultCallback);
   } catch (err) {
-    logger.logger.fatal(
-      { file: configPathLocation, err: err },
-      'cannot open config file @{file}: @{!err.message}'
-    );
+    logger.logger.fatal({ file: configPathLocation, err: err }, 'cannot open config file @{file}: @{!err.message}');
     process.exit(1);
   }
 }
@@ -94,7 +77,7 @@ if (commander.info) {
       Binaries: ['Node', 'Yarn', 'npm'],
       Virtualization: ['Docker'],
       Browsers: ['Chrome', 'Edge', 'Firefox', 'Safari'],
-      npmGlobalPackages: ['verdaccio']
+      npmGlobalPackages: ['verdaccio'],
     });
     // eslint-disable-next-line no-console
     console.log(data);
@@ -113,7 +96,7 @@ if (commander.info) {
 process.on('uncaughtException', function (err) {
   logger.logger.fatal(
     {
-      err: err
+      err: err,
     },
     'uncaught exception, please report this\n@{err.stack}'
   );