fix(deps): update dependency verdaccio to v5 #764

Merged
merged 1 commit into from
May 21, 2024

@github-actions github-actions bot commented May 11, 2024

This PR contains the following updates:

Package Type Update Change
verdaccio (source) dependencies major ^5.30.3 -> ^5.31.0

Release Notes

verdaccio/verdaccio (verdaccio)

v5.31.0

Compare Source

(🗞️ hey renovate users, read this)

ℹ️ Important changes added to the .verdaccio-db.json and token signature for users that run on Node.js 22 or higher (in the future 🙃 ) please read
https://verdaccio.org/docs/configuration/#.verdaccio-db

TLDR:

  • Enforced for users that run verdaccio via npmjs; for all Docker image users, verdaccio uses Node.js LTS 21 and the secret migration is voluntary until next major release.
  • For Node.js 21 or lower a new deprecation will appear [VERWAR007] VerdaccioDeprecation: the secret length is too lon... to remove it please read the link above
  • For Node.js 22, if you already have a storage with .verdaccio-db.json and the token inside does not comply with the length (read link above), the application startup will fail with fatal error (Error: Invalid storage secret key length, must be 32 characters long but is....)

In both cases, by updating the secret all previous tokens will become invalid; to your benefit, a new legacy signature will be applied, which is more secure than the old one (generating tokens with salt).

For existing installations that have no issues with invalidating tokens, it is recommended to add the following setup to the config.yaml; this will automatically generate a new secret once it is started and can be removed afterwards. If all went successfully, the [VERWAR007] deprecation will not be displayed anymore.

security:
  api:
    migrateToSecureLegacySignature: true

Any new installation should not worry about this, new token signature and secret (32 characters) is applied by default.

Features
Bug Fixes

v5.30.3

Compare Source

5.30.3 (2024-04-06)

ℹ️ Verdaccio v6.0.0-beta.2 has been released, ready for user test to ensure the best backward compatibility, help us by trying it out.

Bug Fixes

v5.30.2

Compare Source

5.30.2 (2024-03-24)

Same as https://github.com/verdaccio/verdaccio/releases/tag/v5.30.0

ℹ️ Verdaccio v6.0.0-beta.2 has been released, ready for user test to ensure the best backward compatibility, help us by trying it out.

Bug Fixes

v5.30.1

Compare Source

5.30.1 (2024-03-24)

Same as https://github.com/verdaccio/verdaccio/releases/tag/v5.30.0

Bug Fixes
  • remove search dependency (dependency requires Node.js 18 and is not used) (#​4560) (a9cfae5)

v5.30.0

Compare Source

🎉 3 new contributors

Be warned, if you are using (or cannot upgrade to major) Node.js 12 (only if you install from npmjs) please do not upgrade to this version, the minimum is now Node.js 14 (due to dependency reasons that are out of my hands), the recommendation is always to go for LTS releases anyway, which at this moment is Node.js 20. For context, if you are using the Docker image ignore this warning, the Dockerfile uses Node.js 20 as base image.

ℹ️ Verdaccio v6.0.0-beta.2 has been released, ready for user test to ensure the best backward compatibility, help us by trying it out.

Features

On the versions view there is a new filter that allows semantic versioning filtering (feedback is welcome)

Versions filter by semver range


Bug Fixes

v5.29.2

Compare Source

5.29.2 (2024-02-21)
Bug Fixes

v5.29.1

Compare Source

5.29.1 (2024-02-17)
Bug Fixes

Powered by @​mbtools 💯

v5.29.0

Compare Source

Features

v5.28.0

Compare Source

Features
Bug Fixes

v5.27.1

Compare Source

5.27.1 (2023-12-02)
Bug Fixes
  • reuse middleware reporting layer (#​4114) (6a317f8)
  • update several dependencies

v5.27.0

Compare Source

Features
User Interface updates in detail
download progress indicator:

A new indicator was added on the detail page action button and the packages view (small icon to download)


fix dark mode and readme css support

The README was not in sync with the darkMode settings, displaying a white box when the dark mode was enabled.

fix global for yarn packages and add version to the packages on copy


  • yarn -g xxx@xxx is not a valid syntax, has been replaced by yarn global
  • Added yarn modern syntax, since global is not valid on yarn >2.x the global is ignored
feat: hide deprecated versions option

npm deprecate is a valuable command, but it is not visible enough on the UI whenever a package has been deprecated; also, many packages could be deprecated and should no longer be visible (later in the future a filter will be added to display them). The new option hides all those versions from the UI.

web:
  hideDeprecatedVersions: true
fix: improve deprecated package style

The deprecated banner was not in sync with the material-ui components.

feat: display deprecated versions

Deprecated versions display a badge, thus is clearly visible which packages are already deprecated.


v5.26.3

Compare Source

5.26.3 (2023-09-24)
Bug Fixes

v5.26.2

Compare Source

5.26.2 (2023-08-26)
Bug Fixes

v5.26.1

Compare Source

Bug Fixes

v5.26.0

Compare Source

Features
Bug Fixes

v5.25.0

Compare Source

Features
Bug Fixes
UI set global package on sidebar setting

Set a package as global on the side bar installation view.


v5.24.1

Compare Source

5.24.1 (2023-04-24)
Bug Fixes

v5.24.0

Compare Source

Features
Bug Fixes

v5.23.2

Compare Source

5.23.2 (2023-04-04)
Bug Fixes

v5.23.1

Compare Source

5.23.1 (2023-03-23)
Bug Fixes

v5.23.0

Compare Source

Features
  • update docker image base to v18.15.0 (fd78ca9) Thank u anonymous reporter for the heads up 🥇
Bug Fixes

v5.22.1

Compare Source

5.22.1 (2023-03-07)

⚠️ Using the property logs in the config.yaml will show a deprecation warning and the property should be renamed to log to get rid of the warning; the property logs is still backward compatible. Please start renaming to log, this is one less migration step to do for the future v6 release.
ℹ️ The new installations won't see this warning because the default yaml file already uses log.

Docs

(node:56648) [VERWAR002] VerdaccioWarning: The configuration property "logs" has been deprecated, please rename to "log" for future compatibility
(Use `node --trace-warnings ...` to show where the warning was created)
Bug Fixes
Docs

v5.22.0

Compare Source

⚠️ Known issues:

Refactor

⚠️ Refactors can cause issues; please report them, and if this gives you problems, stay on the version you were on.

This release only refactor internal code, reuse configuration parsing and token signature from v6.

the next major will include an enhancedLegacySignature property to be able get rid of [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated. and improve legacy token signature.

Bugs
  • Logger level configuration was being ignored (#3658) (e50d4d9) regression at v5.20.0

v5.21.2

Compare Source

5.21.2 (2023-02-25)
Bug Fixes

v5.21.1

Compare Source

5.21.1 (2023-02-14)

⚠️ This PR introduces an issue on custom icons, read, if you are using custom icons wait for a patch.

Bug Fixes

😊 I've updated the old UI theme without noticing; it does not break anything, but this version fixes that.

Read the previous minor v5.21.0 release here

v5.21.0

Compare Source

One more step to Verdaccio 5 migration to v6 silently, refactored and better tested modules replace internals without migration required, the idea is help move to verdaccio 6 smoothly as possible without users do much in the near future. You are already using v6 😉 or parts of it.

Noticeable improvements:

  • Update logger library Pinojs 6 -> 7
  • Internals HTML render engine, same as v6 improved
  • Express.js middlewares improved
  • The first plugin migrated verdaccio-audit improved, no longer uses request and refactored from v6

Some dependencies are limited due to verdaccio@5 still supporting Node.js 12 (but probably not many users are actually using it and it is not recommended)

Features

v5.20.1

Compare Source

Bug Fixes
  • 🐞 (previous build failures) pushed wrong types library and broken build (45d7c95)
5.20.0 (2023-01-29) (⚠️ Never published on npmjs by mistake)

Since 5.20.0 some internals are new, modules from the next major v6 but backward compatible, if causes any troubles please report. Future releases from now on might benefit of fixes, compatible features on v6 alpha into any new v5 version.

Please check E2E test on this repo, includes all package managers, docker images and plugins.

Features
Bug Fixes

v5.19.1

Compare Source

5.19.1 (2023-01-07)

ℹ️ TS types were added in v5.18.0 but weren't included in the package, this change might be a minor in some cases, if you have troubles report it.

Bug Fixes

v5.19.0

Compare Source

Features
Bug Fixes

v5.18.0

Compare Source

Features

ℹ️ There were no types before, not expecting breaking changes, but if you are using TS with verdaccio programmatically it might have some impact here.

Bug Fixes

v5.17.0

Compare Source

Features
  • Upgrade to React 18 + react dependencies
  • highlight readme source code (#​3506) (8715a5c)
Bug Fixes

v5.16.3

Compare Source

Same as v5.16.0 https://github.com/verdaccio/verdaccio/releases/tag/v5.16.0

⚠️ I broke the release ^_^ so I had to release 5.16.1, 5.16.2 and 5.16.3. The 5.16.1, 5.16.2 are broken, don't use please. Consequences I moved E2E to https://github.com/verdaccio/e2e-5.x for 5.x release to simplify the maintenance (but it came with a cost).

v5.16.1

Compare Source

v5.16.0

Compare Source

😊 due some package manager migration I broke the release, so the latest [email protected] is literally same version as v5.16.0, sorry

Features
Docker refactoring
  • Big changes on the docker image, while until version v5.15.4 has been using yarn as a runner, since this minor should not use yarn at all, it is just used at the builder phase and then it is just run verdaccio natively as a Node.js module installed globally at the image.
  • Improved documentation for using plugins here with the image 5.x

If the new docker image causes any troubles, please report it ! or just use verdaccio/verdaccio:5.15.4 as a workaround to stick the old one. The new Docker 6.x image will follow same approach very soon.

Docker base moves from TLS v14 -> v18
Bug Fixes

v5.15.4

Compare Source

5.15.4 (2022-09-29)
Bug Fixes

v5.15.3

Compare Source

5.15.3 (2022-09-07)
Bug Fixes

v5.15.2

Compare Source

5.15.2 (2022-09-05)
Bug Fixes

v5.15.1

Compare Source

5.15.1 (2022-09-04)
Bug Fixes

v5.15.0

Compare Source

Features

Enable abbreviated manifest data by adding the header:

curl -H "Accept: application/vnd.npm.install-v1+json" https://registry.npmjs.org/verdaccio

It returns a filtered manifest, additionally includes the time field by request. You can read more here or start using with [email protected].

Current support for packages managers:

  • npm: yes
  • pnpm: yes
  • yarn classic: yes
  • yarn modern (+2.x): no

https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md#abbreviated-metadata-format

v5.14.0

Compare Source

Features
Bug Fixes

v5.13.3

Compare Source

5.13.3 (2022-07-13)
Bug Fixes

v5.13.2

Compare Source

5.13.2 (2022-07-12)
Bug Fixes

v5.13.1

Compare Source

5.13.1 (2022-06-23)
Bug Fixes

There was a regression on initial release https://github.com/verdaccio/verdaccio/issues/2141 where the location of the storage was not taken in account, hopefully does not break anything. Fixed here and here.

v5.13.0

Compare Source

Features

Enable more algorithms for hashing passwords, only for the htpasswd plugin; crypt by default to avoid breaking changes, for next major release bcrypt is highly recommended.

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    # max_users: 1000
    # Hash algorithm, possible options are: "bcrypt", "md5", "sha1", "crypt".
    algorithm: bcrypt # by default is crypt, but is recommended use bcrypt for new installations
    # Rounds number for "bcrypt", will be ignored for other algorithms.
    rounds: 10

ref https://github.com/verdaccio/monorepo/pull/580

v5.12.0

Compare Source

Features

Example

middlewares:
  audit:
    enabled: true
  '@xlts.dev/verdaccio-prometheus-middleware':
    metricsPath: /custom/path/metrics
Bug Fixes

v5.11.0

Compare Source

The way to use verdaccio programmatically is not very friendly if you are using

const startVerdaccio = require('verdaccio'); 

as this example.

⚠️ Deprecations
  • Using verdaccio with multiples listeners display a deprecation warning
    • (runServer) forbid this and only allows the first one listener listed
  • On verdaccio 6 will be removed and will throw an error

❌ Bad

listen:
 - localhost:4873            # default value
 - http://localhost:4873     # same thing

✅ Good (on v6.0.0 won't be a list anymore)

listen: localhost:4873
🚀 Feature
runServer method to run verdaccio programmatically as a promise

I am looking for a better name, feel free to drop your ideas.

On v6 https://github.com/verdaccio/verdaccio/pull/2165 this was improved and I am moving the same API to v5 so is much easier to migrate in the future.

It's a bit experimental, it does not replace the old way, so won't break anything, but allows smooth migration

There are three ways to use it:

  • No input, it will find the config.yaml as if you would run verdaccio in the console
  • With an absolute path
  • With an object (there is a catch here, see below)

    const {runServer} = require('verdaccio');
    (async () => {
      // use one of the three forms
      const app = await runServer(); // default configuration
      // const app = await runServer('./config/config.yaml');
      // const app = await runServer({ configuration });
      app.listen(4000, (event) => {
        // do something
      });
    })();

With an object you need to add self_path manually (it's not nice but would be a breaking change changing it now); on v6 this is no longer needed.

      const {join} = require('path');
      const {parseConfigFile, runServer} = require('verdaccio');
      const configPath = join(__dirname, './config.yaml');
      const c = parseConfigFile(configPath);
      // workaround
      // on v5 the `self_path` still exists and will be removed in v6
      c.self_path = 'foo';
      runServer(c).then(() => {});

Read more here https://verdaccio.org/docs/verdaccio-programmatically

parseConfigFile method

Exposed for easy use parse a yaml file as an object

v5.10.3

Compare Source

5.10.3 (2022-05-30)
Bug Fixes

v5.10.2

Compare Source

5.10.2 (2022-05-07)
Bug Fixes

v5.10.1

Compare Source

5.10.1 (2022-05-05)
Bug Fixes

v5.10.0

Compare Source

Features
🌞 Initial new set of variables to hide features (more to come)

Add set of new variables that allow hide different parts of the UI, buttons, footer or download tarballs. ℹ️ All are enabled by default.

# web:
#  login: true <-- already exist but worth the reminder
#  showInfo: true
#  showSettings: true
# In combination with darkMode you can force specific theme
#  showThemeSwitch: true
#  showFooter: true
#  showSearch: true
#  showDow

@quentinderoubaix quentinderoubaix merged commit 4415f1a into main May 21, 2024
16 checks passed
@github-actions github-actions bot deleted the renovate/verdaccio-5.x branch May 21, 2024 07:23
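
The v5.13.0 notes in this PR recommend bcrypt over the default crypt for the htpasswd plugin, so an operator taking this upgrade may want to know which existing entries still use a weaker scheme. The following is an added example, not code from Verdaccio or from this PR: it classifies each entry of an htpasswd file by the algorithm names from the config above. The prefix mapping (Apache htpasswd conventions), the function names, the `minRounds` parameter and the sample file are assumptions made for illustration.

```javascript
// Added example: audit an htpasswd file for weak password hash schemes.

// Constructed sample; hash bodies are filler characters, not real hashes.
const SAMPLE_HTPASSWD = [
  '# constructed sample',
  'alice:$2a$10$' + 'A'.repeat(53) + ':autocreated 2024-05-11T00:00:00.000Z',
  'bob:$apr1$saltsalt$' + 'B'.repeat(22),
  'carol:{SHA}' + 'C'.repeat(27) + '=',
  'dave:abCDefGHijKLm',
  'erin:$2b$04$' + 'E'.repeat(53),
].join('\n');

// Map a stored hash to the algorithm names used in the htpasswd config.
// Assumption: Apache htpasswd prefixes ($2a/$2b/$2y, $apr1$, {SHA}, 13-char DES crypt).
function classifyHash(hash) {
  const bcrypt = /^\$2[aby]\$(\d{2})\$/.exec(hash);
  if (bcrypt) return { algorithm: 'bcrypt', rounds: Number(bcrypt[1]) };
  if (hash.startsWith('$apr1$')) return { algorithm: 'md5', rounds: null };
  if (hash.startsWith('{SHA}')) return { algorithm: 'sha1', rounds: null };
  if (/^[./0-9A-Za-z]{13}$/.test(hash)) return { algorithm: 'crypt', rounds: null };
  return { algorithm: 'unknown', rounds: null };
}

// Return one finding per user; minRounds is a hypothetical policy threshold
// matching the "rounds: 10" value shown in the release notes.
function auditHtpasswd(text, minRounds = 10) {
  const findings = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue; // skip blanks and comments
    const sep = line.indexOf(':');
    if (sep < 1) continue; // malformed entry without a user name
    const user = line.slice(0, sep);
    // Anything after a second ':' (e.g. an "autocreated" note) is not part of the hash.
    const hash = line.slice(sep + 1).split(':')[0];
    const { algorithm, rounds } = classifyHash(hash);
    let action = 'ok';
    if (algorithm !== 'bcrypt') action = 'rehash with bcrypt';
    else if (rounds < minRounds) action = 'raise bcrypt rounds';
    findings.push({ user, algorithm, rounds, action });
  }
  return findings;
}

console.table(auditHtpasswd(SAMPLE_HTPASSWD));
```

Because the stored hashes cannot be converted in place, entries flagged for rehashing only move to bcrypt when the user's password is set again.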