Five ways of taking advantage of Verdaccio, your private and proxy Node.js registry

Transcript

1. Five ways of taking advantage of Verdaccio, your private and

   proxy Node.js registry Juan Picado 18th February 2022

2. Juan Picado Senior Front-End Engineer at mobile.de (Adevinta) Open Source

   Maintainer (Verdaccio) Berlin, Germany @jotadeveloper juanpicado

3. Verdaccio is a lightweight private proxy registry for Node.js built

   in JavaScript Private proxy registry npm install —registry http://localhost:4873 @acme/foo remote registry storage / cache File system based storage and authentication 1 or more …

4. Installing Verdaccio

5. Running Verdaccio in a terminal

6. 1 Personal Development Publishing private packages

7. Demo, let’s publish a private package with npm workspaces …

8. Constraints, cannot override remote published versions … [email protected] verdaccio npm

   publish —registry http://localhost:4873 npmjs 😞 409 Conflict Error 😉 201 Yes ! I do ! 🤔 Do you have this version?

9. Constraints, cannot override remote published versions … [email protected] verdaccio npm

   publish —registry http://localhost:4873 npmjs 🥳 200 Published ! 🤔 Do you have this version? 🤷404 Nop as far I know

10. https://twitter.com/jotadeveloper/status/1015333131002564608 Installing in offline mode …

11. Publishing with no network using publish_offline

12. 2 Project productivity Continuous Integration and private registries

13. Private registries increase reliability in your builds and development workflows

    private registry npmjs 🤔 Do you have this version? 👍 There it goes Internal network Cached packages

14. private registry npmjs Internal network Cached packages 🔥🔥 😌 Private

    registries increase reliability in your builds and development workflows

15. Private registries increase reliability in your builds and development workflows

16. 3 Improve Security Protecting your packages

17. https://blog.includesecurity.com/2021/02/dependency-confusion-when-are-your-npm-package s-vulnerable/

18. Remove the proxy property for private packages this is highly

    recommendable. Protect your projects in the client side https://snyk.io/blog/ten-npm-security-best-practices/

19. Enable rate limiting for critical endpoints

20. 4 End to End Testing Test the integrity of your

    packages

21. Publishing a package to thousands of users that download it

    every week requires high integrity, End to End your packages publishing in a registry ensure quality.

22. Test publishing your packages on every Pull Request

23. Demo, run a End to End with GitHub Actions and

    Docker … https://github.com/juanpicado/e2e-ci-example-gh-actions

24. Demo, run a End to End with GitHub Actions and

    Docker …

25. Use memory plugins to speed up test

26. Dive into open source project for more learnings, every project

    is different. With bash scripts

27. Dive into open source project for more learnings, every project

    is different. With spawn from child_process module

28. Dive into open source project for more learnings, every project

    is different. Programmatically with the verdaccio module

29. 5 Hosting a Registry Security and flexibility

30. A very easy deployment

31. pm2 + Nginx + Verdaccio https://verdaccio.org/blog/2018/11/19/setting-up-verdaccio-on-digitalocean/

32. • Use a different storage (S3, Minio) • Use different

    authentication ◦ Eg: GitLab, GitHub Oauth, etc … • Use your own User Interface • Apply your own express middleware ◦ Eg: npm audit (middleware plugin) Extend the default configuration

33. Juan Picado @jotadeveloper juanpicado https://verdaccio.org/ Thank you