NodeTLV 22 - Deep dive into Verdaccio, a lightweight Node.js registry

Transcript

1. Deep dive into Verdaccio A lightweight Node.js registry Bat Yam

   Beach 🇮🇱 NodeTLV - 2022

2. Juan Picado Front-End Engineer at mobile.de - Adevinta 
 (Berlin,

   Germany) Open Source Free Time Developer at Verdaccio
3. None

4. What’s Verdaccio?

5. • Publish Private Packages • Proxy from multiples registries •

   Zero Dependencies • Web User Interface Included • Pluggable web application • Lightweight (~3s to start up)

6. npm install npm publish npm pro fi le npm search

   npm token npm star npm stars npm audit npm login npm logout npm ping npm whoami npm dist-tag npm audit npm deprecate + org speci fi cs yarn install yarn npm publish yarn npm login yarn npm logout yarn npm whoami yarn npm publish yarn npm info yarn npm tag yarn npm audit yarn search pnpm install pnpm publish pnpm pro fi le pnpm search pnpm token pnpm star pnpm stars pnpm audit pnpm login pnpm logout pnpm ping pnpm whoami pnpm dist-tag pnpm audit pnpm deprecate

7. ~4 million/year download average 📦

8. ~83 million docker pull 🐳

9. Fork of Sinopia

10. None

11. Why Verdaccio?

12. 70-90% of our code is open source https://www.linuxfoundation.org/blog/a-summary-of-census-ii-open-source- software-application-libraries-the-world-depends-on/

13. 🔥 You don’t have a problem until you KNOW you

    have it npmjs registry
14. None

15. Using a proxy registry for caching should be mandatory on

    development work fl ows npmjs registry

16. Using a proxy registry for caching should be mandatory on

    development work fl ows npmjs registry 🐳

17. O ffl ine publishing as a feature

18. O ffl ine registry provides opportunities for learning Node.js https://github.com/Caspia/npm-populate

19. Exposing sensitive data in source control systems is a recipe

    for a disaster

20. Proxying Packages

21. Verdaccio Upstream registry 🔐Protected registry Bearer mySecretToken mySecretToken

22. None
23. None
24. None

25. Avoid dependency confusion attack

26. • Always scope your packages • Only proxy where is

    need it • Protect your packages from unauthorized access with the $authentication role

27. End to End Testing

28. @scope/cli @scope/pk2 @scope/pk3 @scope/pk4 npx @scope/cli @scope/pk5 ☠ 😓 I

    forgot update
 the “main” fi eld in package.json

29. Angular CLI create-react-app pnpm

30. https://github.com/babel/babel/issues/8443

31. https://github.com/babel/babel/pull/8445/ fi les

32. https://github.com/babel/babel/issues/1837

33. None

34. Publish to local registry Vue React Prettier Jest CRA npm

    install —registry http://localhost:4873 150 packages - 40,226,227 Weekly Downloads

35. Package Managers have workspaces features https://2021.stateofjs.com/en-US/libraries/monorepo-tools 56%

36. E2E pattern with Verdaccio Initialise local verdaccio Publish packages Run

    E2E - Install from local registry - Run tests
37. None

38. E2E with Verdaccio https://github.com/juanpicado/verdaccio-fork https://github.com/juanpicado/e2e-ci-example-gh-actions https://github.com/juanpicado/verdaccio-end-to-end-tests

39. Extending Verdaccio

40. Upstream express.js Middleware Storage Authentication Plugin-loader 📦 con fi g.yaml

41. Middleware

42. Middleware npm install —global verdaccio-awesome-middleware

43. Middleware npm install —global @scope/awesome-middleware

44. None
45. None

46. What else?

47. Features • Customize the User Interface • User rate limiting

    • Noti fi cations on publish (slack, etc) • Use JWT for token signature (expires tokens) • HTTPS built-in • npm audit support (online only) • search, deprecate, star, token (npm commands)

48. What’s next?

49. verdaccio@6-next • New features, rate limiting, custom hashing algorithms, UI

    improvements, also available on Verdaccio 5. • Modularize the project and reduce core size • Search on all packages at the storage • Migrating to Fastify (🤞WIP) • Improve plugin system and async the plugin API by default • Upgrade deprecated libraries, prepare for future

50. verdaccio@6-next

51. Wrapping up • Protect your builds caching external packages hosting

    a proxy registry • Using a local registry for E2E your packages • Extend Verdaccio by creating and share plugins with the community

52. 372

53. Thanks! @jotadeveloper https://verdaccio.org