A lightweight Node.js private proxy registry
Installations
npm install @verdaccio/core
Developer
Developer Guide
Module System
CommonJS
Min. Node Version
>=12
Typescript Support
Yes
Node Version
16.20.1
NPM Version
8.19.4
Statistics
16,490 Stars
5,819 Commits
1,375 Forks
155 Watching
15 Branches
295 Contributors
Updated on 28 Nov 2024
Languages
TypeScript (92.69%)
JavaScript (4.12%)
CSS (1.54%)
SCSS (0.97%)
Dockerfile (0.54%)
Shell (0.08%)
HTML (0.05%)
Total Downloads
Cumulative downloads
Total Downloads
11,254,845
Last day
-23%
35,385
Compared to previous day
Last week
13.3%
232,715
Compared to previous week
Last month
10.5%
885,160
Compared to previous month
Last year
150.3%
7,997,275
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dev Dependencies
4
Verdaccio stands for peace, stop the war, we will be yellow / blue 🇺🇦 until that happens.
Version Next (Development Branch)
Looking for Verdaccio version 5 or 6? Version 6 is the latest version and successor to version 5. Version 6 requires Node.js 18 or higher and is maintained in the
6.x
branch.
The plugins for versions 5 and 6 are located at the
verdaccio/monorepo
repository. Plugins for thenext-8
version are hosted in this project under the./packages/plugins
folder.
Note that contributing guidelines might be different based on the branch.
Verdaccio is a simple, zero-config-required local private npm registry. No need for an entire database just to get started! Verdaccio comes out of the box with its own tiny database, and the ability to proxy other registries (eg. npmjs.org), caching the downloaded modules along the way. For those looking to extend their storage capabilities, Verdaccio supports various community-made plugins to hook into services such as Amazon's s3, Google Cloud Storage or create your own plugin.
Versions
You can find more details about the different versions of Verdaccio, minimum requirements, as well as links to associated npm packages and docker images in the version history.
Install
Node.js v18 as minimum version required
Install with npm:
1npm install -g verdaccio@next-8
With yarn
1yarn global add verdaccio@next-8
With pnpm
1pnpm i -g verdaccio@next-8
or
1docker pull verdaccio/verdaccio:nightly-master
or with helm official chart.
1helm repo add verdaccio https://charts.verdaccio.org 2helm repo update 3helm install verdaccio/verdaccio
Furthermore, you can read the Debugging Guidelines and the Docker Examples for more advanced development.
Plugins
You can develop your own plugins with the verdaccio generator. Installing Yeoman is required.
npm install -g yo
npm install -g generator-verdaccio-plugin
Learn more here how to develop plugins. Share your plugins with the community.
Integration Tests
In our compatibility testing project, we're dedicated to ensuring that your favorite commands work seamlessly across different versions of npm, pnpm, and Yarn. From publishing packages to managing dependencies. Our goal is to give you the confidence to use your preferred package manager without any issues. So dive in, check out our matrix, and see how your commands fare across the board!
Commands
cmd | npm6 | npm7 | npm8 | npm9 | npm10 | pnpm8 | pnpm9 | pnpm10 | yarn1 | yarn2 | yarn3 | yarn4 |
---|---|---|---|---|---|---|---|---|---|---|---|---|
publish | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
unpublish | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
info | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
audit | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
install | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
deprecate | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ⛔ | ⛔ | ⛔ | ⛔ |
ping | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ⛔ | ⛔ | ⛔ | ⛔ |
search | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ⛔ | ⛔ | ⛔ | ⛔ |
star | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ⛔ | ⛔ | ⛔ | ⛔ |
stars | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ⛔ | ⛔ | ⛔ | ⛔ |
dist-tag | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
notes:
- yarn search cmd exist in modern but, it do not uses the search registry endpoint.
- yarn modern has two info commands, the one used here is
yarn npm info
❌ = no tested ✅ = tested ⛔ = no supported
Donations
Verdaccio is run by volunteers; nobody is working full-time on it. If you find this project to be useful and would like to support its development, consider doing a long support donation - and your logo will be on this section of the readme.
Donate 💵👍🏻 starting from $1/month or just one single contribution.
What does Verdaccio do for me?
Use private packages
If you want to use all benefits of npm package system in your company without sending all code to the public, and use your private packages just as easy as public ones.
Cache npmjs.org registry
If you have more than one server you want to install packages on, you might want to use this to decrease latency (presumably "slow" npmjs.org will be connected to only once per package/version) and provide limited failover (if npmjs.org is down, we might still find something useful in the cache) or avoid issues like How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript, Many packages suddenly disappeared or Registry returns 404 for a package I have installed before.
Link multiple registries
If you use multiples registries in your organization and need to fetch packages from multiple sources in one single project you might take advance of the uplinks feature with Verdaccio, chaining multiple registries and fetching from one single endpoint.
Override public packages
If you want to use a modified version of some 3rd-party package (for example, you found a bug, but maintainer didn't accept pull request yet), you can publish your version locally under the same name. See in detail here.
E2E Testing
Verdaccio has proved to be a lightweight registry that can be booted in a couple of seconds, fast enough for any CI. Many open source projects use Verdaccio for end to end testing, to mention some examples, create-react-app, mozilla neutrino, pnpm, storybook, babel.js, angular-cli or docusaurus. You can read more in here.
Furthermore, here few examples how to start:
Watch our Videos
Node 2022, February 2022, Online Free
You might want to check out as well our previous talks:
- Using Docker and Verdaccio to make Integration Testing Easy - Docker All Hands #4 December - 2021
- Juan Picado – Testing the integrity of React components by publishing in a private registry - React Finland - 2021
- BeerJS Cba Meetup No. 53 May 2021 - Juan Picado
- Node.js Dependency Confusion Attacks - April 2021 - Juan Picado
- OpenJS World 2020 about *Cover your Projects with a Multi purpose Lightweight Node.js Registry - Juan Picado
- ViennaJS Meetup - Introduction to Verdaccio by Priscila Olivera and Juan Picado
- Open Source? trivago - Verdaccio (Ayush and Juan Picado) January 2020
- GitNation Open Source Stage - How we have built a Node.js Registry with React - Juan Picado December 2019
- Verdaccio - A lightweight Private Proxy Registry built in Node.js | Juan Picado at The Destro Dev Show
Get Started
Run in your terminal
1verdaccio
You would need set some npm configuration, this is optional.
1npm set registry http://localhost:4873/
For one-off commands or to avoid setting the registry globally:
1NPM_CONFIG_REGISTRY=http://localhost:4873 npm i
Now you can navigate to http://localhost:4873/ where your local packages will be listed and can be searched.
Warning: Verdaccio does not currently support PM2's cluster mode, running it with cluster mode may cause unknown behavior.
Publishing
1. create a user and log in
1npm adduser --registry http://localhost:4873
if you use HTTPS, add an appropriate CA information ("null" means get CA list from OS)
1npm set ca null
2. publish your package
1npm publish --registry http://localhost:4873
This will prompt you for user credentials which will be saved on the verdaccio
server.
Docker
Below are the most commonly needed information, every aspect of Docker and verdaccio is documented separately
docker pull verdaccio/verdaccio:nightly-master
Available as tags.
Running Verdaccio using Docker
To run the docker container:
1docker run -it --rm --name verdaccio -p 4873:4873 verdaccio/verdaccio
Docker examples are available in this repository.
Compatibility
Verdaccio aims to support all features of a standard npm client that make sense to support in a private repository. Unfortunately, it isn't always possible.
Basic features
- Installing packages (
npm install
,npm update
, etc.) - supported - Publishing packages (
npm publish
) - supported
Advanced package control
- Unpublishing packages (
npm unpublish
) - supported - Tagging (
npm dist-tag
) - supported - Deprecation (
npm deprecate
) - supported
User management
- Registering new users (
npm adduser {newuser}
) - supported - Change password (
npm profile set password
) - supported - Transferring ownership (
npm owner
) - supported - Token (
npm token
) - supported
Miscellaneous
- Searching (
npm search
) - supported (cli / browser) - Ping (
npm ping
) - supported - Starring (
npm star
,npm unstar
,npm stars
) - supported
Security
- Audit (
npm/yarn audit
) - supported
Report a vulnerability
If you want to report a security vulnerability, please follow the steps which we have defined for you in our security policy.
Special Thanks
Thanks to the following companies to help us to achieve our goals providing free open source licenses. Every company provides enough resources to move this project forward.
Maintainers
Juan Picado | Ayush Sharma | Sergio Hg |
---|---|---|
@jotadeveloper | @ayusharma_ | @sergiohgz |
Priscila Oliveria | Daniel Ruf | |
@priscilawebdev | @DanielRufde |
You can find and chat with them over Discord, click here or follow them at Twitter.
Who is using Verdaccio?
- create-react-app (+86.2k ⭐️)
- Grafana (+54.9k ⭐️)
- Gatsby (+49.2k ⭐️)
- Babel.js (+38.5k ⭐️)
- Docusaurus (+34k ⭐️)
- Vue CLI (+27.4k ⭐️)
- Angular CLI (+24.3k ⭐️)
- Uppy (+23.8k ⭐️)
- bit (+13k ⭐️)
- Aurelia Framework (+11.6k ⭐️)
- pnpm (+10.1k ⭐️)
- ethereum/web3.js (+9.8k ⭐️)
- Webiny CMS (+6.6k ⭐️)
- NX (+6.1k ⭐️)
- Mozilla Neutrino (+3.7k ⭐️)
- workshopper how to npm (+1k ⭐️)
- Amazon SDK v3
- Amazon Encryption SDK for Javascript
🤓 Don't be shy, add yourself to this readme.
Open Collective Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
Open Collective Backers
Thank you to all our backers! 🙏 [Become a backer]
Contributors
This project exists thanks to all the people who contribute. [Contribute].
FAQ / Contact / Troubleshoot
If you have any issue you can try the following options. Do no hesitate to ask or check our issues database. Perhaps someone has asked already what you are looking for.
License
Verdaccio is MIT licensed
The Verdaccio documentation and logos (excluding /thanks, e.g., .md, .png, .sketch) files within the /assets folder) is Creative Commons licensed.
No vulnerabilities found.
Reason
30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
no binaries found in the repo
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/docker-publish.yml:23
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 14 commits out of 22 are checked with a SAST tool
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'master'
- Info: 'force pushes' disabled on branch 'master'
- Warn: required approving review count is 1 on branch 'master'
- Warn: codeowners review is not required on branch 'master'
- Warn: no status checks found to merge onto branch 'master'
- Info: PRs are required in order to make changes on branch 'master'
Reason
Found 13/23 approved changesets -- score normalized to 5
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/changesets.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/changesets.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-publish.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/docker-publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-publish.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/docker-publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-publish.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/docker-publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-publish.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/docker-publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/shared-docker-publish.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/shared-docker-publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/shared-docker-publish.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/shared-docker-publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/shared-docker-publish.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/shared-docker-publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/shared-docker-publish.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/verdaccio/verdaccio/shared-docker-publish.yml/master?enable=pin
- Warn: containerImage not pinned by hash: Dockerfile:1
- Warn: containerImage not pinned by hash: Dockerfile:23: pin your Docker image by updating node:21-alpine to node:21-alpine@sha256:78c45726ea205bbe2f23889470f03b46ac988d14b6d813d095e2e9909f586f93
- Warn: containerImage not pinned by hash: docker-examples/v4/amazon-s3-docker-example/localStack-resources/Dockerfile:1: pin your Docker image by updating python:3.7-alpine to python:3.7-alpine@sha256:f3d31c8677d03f0b3c724446077f229a6ce9d3ac430f5c08cd7dff00292048c3
- Warn: containerImage not pinned by hash: docker-examples/v4/amazon-s3-docker-example/s3Plugin/Dockerfile:1: pin your Docker image by updating verdaccio/verdaccio:4 to verdaccio/verdaccio:4@sha256:c059ee7ae4603e8bf2e70c6b4c941c143be66377d706c9bcc79798072691e8b4
- Warn: containerImage not pinned by hash: docker-examples/v4/apache-verdaccio/apache_proxy/Dockerfile:1: pin your Docker image by updating eboraas/apache to eboraas/apache@sha256:c7c5d67f9f6590fa07e19cb83cb6c29813a844b859b7302adb7989f447f17928
- Warn: containerImage not pinned by hash: docker-examples/v4/ldap-verdaccio/verdaccio-ldap/Dockerfile:1: pin your Docker image by updating verdaccio/verdaccio:4.2.2 to verdaccio/verdaccio:4.2.2@sha256:63d1bd1efb23f4365ee9b574a9971a4adf1b403b02f3f3efec1ff61d3d884215
- Warn: containerImage not pinned by hash: docker-examples/v4/plugins/docker-extend/Dockerfile:1: pin your Docker image by updating verdaccio/verdaccio to verdaccio/verdaccio@sha256:b8a3d22c97695569e79bab83f863ccd1f36107cdd474f2f4cbd0fa7ecddd408e
- Warn: containerImage not pinned by hash: docker-examples/v4/reverse_proxy/nginx/relative_path/nginx/Dockerfile:1: pin your Docker image by updating nginx:1.21-alpine to nginx:1.21-alpine@sha256:a74534e76ee1121d418fa7394ca930eb67440deda413848bc67c68138535b989
- Warn: containerImage not pinned by hash: docker-examples/v4/reverse_proxy/nginx/relative_path/nginx_ssl/Dockerfile:1: pin your Docker image by updating nginx:1 to nginx:1@sha256:bc5eac5eafc581aeda3008b4b1f07ebba230de2f27d47767129a6a905c84f470
- Warn: containerImage not pinned by hash: docker-examples/v4/reverse_proxy/nginx/root_path/conf/nginx/Dockerfile:1: pin your Docker image by updating tutum/nginx to tutum/nginx@sha256:69a727916ab40de88f66407fb0115e35b759d7c6088852d901208479bec47429
- Warn: containerImage not pinned by hash: docker-examples/v5/plugins/docker-build-install-plugin/Dockerfile:2: pin your Docker image by updating verdaccio/verdaccio:5 to verdaccio/verdaccio:5@sha256:9c02076ba2aadb0f44b803a35297adda39387329a0e5194712991a63c13a414e
- Warn: containerImage not pinned by hash: docker-examples/v5/plugins/docker-local-plugin/Dockerfile:4
- Warn: containerImage not pinned by hash: docker-examples/v5/plugins/docker-local-plugin/Dockerfile:15: pin your Docker image by updating verdaccio/verdaccio:5 to verdaccio/verdaccio:5@sha256:9c02076ba2aadb0f44b803a35297adda39387329a0e5194712991a63c13a414e
- Warn: containerImage not pinned by hash: docker-examples/v5/reverse_proxy/nginx/relative_path/nginx/Dockerfile:1: pin your Docker image by updating nginx:1.21-alpine to nginx:1.21-alpine@sha256:a74534e76ee1121d418fa7394ca930eb67440deda413848bc67c68138535b989
- Warn: containerImage not pinned by hash: docker-examples/v5/reverse_proxy/nginx/relative_path/nginx_ssl/Dockerfile:1: pin your Docker image by updating nginx:1 to nginx:1@sha256:bc5eac5eafc581aeda3008b4b1f07ebba230de2f27d47767129a6a905c84f470
- Warn: containerImage not pinned by hash: docker-examples/v5/reverse_proxy/nginx/root_path/conf/nginx/Dockerfile:1: pin your Docker image by updating tutum/nginx to tutum/nginx@sha256:69a727916ab40de88f66407fb0115e35b759d7c6088852d901208479bec47429
- Warn: containerImage not pinned by hash: docker-examples/v5/reverse_proxy/nginx_relative/nginx/Dockerfile:1: pin your Docker image by updating nginx:1.21-alpine to nginx:1.21-alpine@sha256:a74534e76ee1121d418fa7394ca930eb67440deda413848bc67c68138535b989
- Warn: containerImage not pinned by hash: docker-examples/v5/reverse_proxy/nginx_relative/nginx_ssl/Dockerfile:1: pin your Docker image by updating nginx:1 to nginx:1@sha256:bc5eac5eafc581aeda3008b4b1f07ebba230de2f27d47767129a6a905c84f470
- Warn: containerImage not pinned by hash: docker-examples/v6/plugins/docker-build-install-plugin/Dockerfile:5
- Warn: containerImage not pinned by hash: docker-examples/v6/plugins/docker-build-install-plugin/Dockerfile:17: pin your Docker image by updating verdaccio/verdaccio:nightly-master to verdaccio/verdaccio:nightly-master@sha256:e5e8997be9308a16955943c384fa5895ee41c8464c2e81f04c0c20ba5b6a53ad
- Warn: containerImage not pinned by hash: docker-examples/v6/plugins/docker-local-plugin/Dockerfile:4
- Warn: containerImage not pinned by hash: docker-examples/v6/plugins/docker-local-plugin/Dockerfile:15: pin your Docker image by updating verdaccio/verdaccio:nightly-master to verdaccio/verdaccio:nightly-master@sha256:e5e8997be9308a16955943c384fa5895ee41c8464c2e81f04c0c20ba5b6a53ad
- Warn: containerImage not pinned by hash: docker-examples/v6/proxy/apache-verdaccio/apache_proxy/Dockerfile:1: pin your Docker image by updating eboraas/apache to eboraas/apache@sha256:c7c5d67f9f6590fa07e19cb83cb6c29813a844b859b7302adb7989f447f17928
- Warn: containerImage not pinned by hash: docker-examples/v6/reverse_proxy/nginx/relative_path/nginx/Dockerfile:1: pin your Docker image by updating nginx:1.21-alpine to nginx:1.21-alpine@sha256:a74534e76ee1121d418fa7394ca930eb67440deda413848bc67c68138535b989
- Warn: containerImage not pinned by hash: docker-examples/v6/reverse_proxy/nginx/relative_path/nginx_ssl/Dockerfile:1: pin your Docker image by updating nginx:1 to nginx:1@sha256:bc5eac5eafc581aeda3008b4b1f07ebba230de2f27d47767129a6a905c84f470
- Warn: containerImage not pinned by hash: docker-examples/v6/reverse_proxy/nginx/root_path/conf/nginx/Dockerfile:1: pin your Docker image by updating tutum/nginx to tutum/nginx@sha256:69a727916ab40de88f66407fb0115e35b759d7c6088852d901208479bec47429
- Warn: containerImage not pinned by hash: e2e/docker/apache-verdaccio/apache_proxy/Dockerfile:1: pin your Docker image by updating eboraas/apache to eboraas/apache@sha256:c7c5d67f9f6590fa07e19cb83cb6c29813a844b859b7302adb7989f447f17928
- Warn: containerImage not pinned by hash: e2e/docker/docker-build-install-plugin/Dockerfile:1: pin your Docker image by updating verdaccio/verdaccio:nightly-master to verdaccio/verdaccio:nightly-master@sha256:e5e8997be9308a16955943c384fa5895ee41c8464c2e81f04c0c20ba5b6a53ad
- Warn: containerImage not pinned by hash: e2e/docker/docker-e2e-ui/Dockerfile:1: pin your Docker image by updating verdaccio/verdaccio:nightly-master to verdaccio/verdaccio:nightly-master@sha256:e5e8997be9308a16955943c384fa5895ee41c8464c2e81f04c0c20ba5b6a53ad
- Warn: containerImage not pinned by hash: e2e/docker/proxy-nginx/conf/nginx/Dockerfile:1: pin your Docker image by updating tutum/nginx to tutum/nginx@sha256:69a727916ab40de88f66407fb0115e35b759d7c6088852d901208479bec47429
- Warn: npmCommand not pinned by hash: Dockerfile:14-18
- Warn: pipCommand not pinned by hash: docker-examples/v4/amazon-s3-docker-example/localStack-resources/Dockerfile:7
- Warn: npmCommand not pinned by hash: docker-examples/v4/amazon-s3-docker-example/s3Plugin/Dockerfile:14
- Warn: npmCommand not pinned by hash: docker-examples/v4/amazon-s3-docker-example/s3Plugin/Dockerfile:14
- Warn: npmCommand not pinned by hash: docker-examples/v4/ldap-verdaccio/verdaccio-ldap/Dockerfile:3
- Warn: npmCommand not pinned by hash: docker-examples/v4/ldap-verdaccio/verdaccio-ldap/Dockerfile:3
- Warn: npmCommand not pinned by hash: docker-examples/v4/plugins/docker-extend/Dockerfile:7
- Warn: npmCommand not pinned by hash: docker-examples/v4/plugins/docker-extend/Dockerfile:7
- Warn: npmCommand not pinned by hash: docker-examples/v5/plugins/docker-build-install-plugin/Dockerfile:5-6
- Warn: npmCommand not pinned by hash: docker-examples/v5/plugins/docker-build-install-plugin/Dockerfile:5-6
- Warn: npmCommand not pinned by hash: docker-examples/v5/plugins/docker-local-plugin/Dockerfile:11-12
- Warn: npmCommand not pinned by hash: docker-examples/v6/plugins/docker-build-install-plugin/Dockerfile:12-14
- Warn: npmCommand not pinned by hash: docker-examples/v6/plugins/docker-local-plugin/Dockerfile:11-12
- Warn: npmCommand not pinned by hash: e2e/docker/docker-build-install-plugin/Dockerfile:5-7
- Warn: npmCommand not pinned by hash: e2e/docker/docker-build-install-plugin/Dockerfile:5-7
- Warn: npmCommand not pinned by hash: .github/workflows/docker-proxy-apache-e2e.yml:40
- Warn: npmCommand not pinned by hash: .github/workflows/docker-proxy-apache-e2e.yml:42
- Warn: npmCommand not pinned by hash: .github/workflows/docker-proxy-apache-e2e.yml:46
- Warn: npmCommand not pinned by hash: .github/workflows/docker-proxy-nginx-e2e.yml:38
- Warn: npmCommand not pinned by hash: .github/workflows/docker-proxy-nginx-e2e.yml:40
- Warn: npmCommand not pinned by hash: .github/workflows/docker-proxy-nginx-e2e.yml:44
- Warn: npmCommand not pinned by hash: .github/workflows/plugin-generator-e2e.yaml:40
- Warn: npmCommand not pinned by hash: .github/workflows/plugin-generator-e2e.yaml:50
- Warn: npmCommand not pinned by hash: .github/workflows/plugin-generator-e2e.yaml:52
- Warn: npmCommand not pinned by hash: .github/workflows/static-data.yml:32
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:18
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:35
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:39
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:55
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:72
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:76
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:91
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:108
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-angular-cli-workflow.yml:112
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-audit-workflow.yml:18
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-audit-workflow.yml:30
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-gatsbyjs-cli-workflow.yml:18
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-gatsbyjs-cli-workflow.yml:36
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-gatsbyjs-cli-workflow.yml:53
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-gatsbyjs-cli-workflow.yml:71
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:116
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:128
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:149
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:161
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:182
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:215
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:83
- Warn: npmCommand not pinned by hash: .github/workflows/x-e2e-jest-workflow.yml:95
- Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-docker.yml:27
- Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-docker.yml:29
- Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-docker.yml:31
- Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-docker.yml:33
- Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-module.yml:35
- Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-module.yml:41
- Warn: npmCommand not pinned by hash: .github/workflows/x-smok-test-module.yml:42
- Info: 100 out of 100 GitHub-owned GitHubAction dependencies pinned
- Info: 4 out of 13 third-party GitHubAction dependencies pinned
- Info: 0 out of 30 containerImage dependencies pinned
- Info: 0 out of 54 npmCommand dependencies pinned
- Info: 0 out of 1 pipCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:25
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:26
- Warn: jobLevel 'deployments' permission set to 'write': .github/workflows/ui-components.yml:18
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ui-components.yml:17
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/website.yml:16
- Warn: jobLevel 'deployments' permission set to 'write': .github/workflows/website.yml:17
- Warn: no topLevel permission defined: .github/workflows/changesets.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:16
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:16
- Warn: no topLevel permission defined: .github/workflows/docker-proxy-apache-e2e.yml:1
- Warn: no topLevel permission defined: .github/workflows/docker-proxy-nginx-e2e.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/docker-publish.yml:20
- Info: topLevel 'contents' permission set to 'read': .github/workflows/e2e-ci.yml:5
- Info: topLevel 'contents' permission set to 'read': .github/workflows/e2e-ui.yml:5
- Warn: no topLevel permission defined: .github/workflows/plugin-generator-e2e.yaml:1
- Warn: no topLevel permission defined: .github/workflows/shared-docker-publish.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/static-data.yml:15
- Warn: no topLevel permission defined: .github/workflows/test-docker-build.yml:1
- Warn: no topLevel permission defined: .github/workflows/test-publish-package.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/ui-components.yml:9
- Info: topLevel 'contents' permission set to 'read': .github/workflows/website.yml:7
- Warn: no topLevel permission defined: .github/workflows/x-e2e-angular-cli-workflow.yml:1
- Warn: no topLevel permission defined: .github/workflows/x-e2e-audit-workflow.yml:1
- Warn: no topLevel permission defined: .github/workflows/x-e2e-gatsbyjs-cli-workflow.yml:1
- Warn: no topLevel permission defined: .github/workflows/x-e2e-jest-workflow.yml:1
- Warn: no topLevel permission defined: .github/workflows/x-release-snapshot.yml:1
- Warn: no topLevel permission defined: .github/workflows/x-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/x-smok-test-docker.yml:1
- Warn: no topLevel permission defined: .github/workflows/x-smok-test-module.yml:1
- Warn: no topLevel permission defined: .github/workflows/yarn-ci-lint.yml:1
- Warn: no topLevel permission defined: .github/workflows/yarn-ci.yml:1
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
46 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw
- Warn: Project is vulnerable to: GHSA-w8qv-6jwh-64r5
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-gx9m-whjm-85jf
- Warn: Project is vulnerable to: GHSA-mmhx-hmjr-r674
- Warn: Project is vulnerable to: GHSA-434g-2637-qmqr
- Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m
- Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw
- Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p
- Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
- Warn: Project is vulnerable to: GHSA-mf6x-hrgr-658f
- Warn: Project is vulnerable to: GHSA-xrh7-m5pp-39r6
- Warn: Project is vulnerable to: GHSA-rrr8-f88r-h8q6
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-9pv7-vfvm-6vr7
- Warn: Project is vulnerable to: GHSA-33f9-j839-rf8h
- Warn: Project is vulnerable to: GHSA-c36v-fmgq-m8hx
- Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq
- Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488
- Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g
- Warn: Project is vulnerable to: GHSA-m4gq-x24j-jpmf
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
- Warn: Project is vulnerable to: GHSA-5rrq-pxf6-6jx5
- Warn: Project is vulnerable to: GHSA-8fr3-hfg3-gpgp
- Warn: Project is vulnerable to: GHSA-gf8q-jrpm-jvxq
- Warn: Project is vulnerable to: GHSA-2r2c-g63r-vccr
- Warn: Project is vulnerable to: GHSA-cfm4-qjh2-4765
- Warn: Project is vulnerable to: GHSA-x4jg-mjrx-434g
- Warn: Project is vulnerable to: GHSA-hj9c-8jmm-8c52
- Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
- Warn: Project is vulnerable to: GHSA-g4rg-993r-mgx7
- Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
- Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq
- Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
- Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
Score
6
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More