Gathering detailed insights and metrics for verdaccio
Gathering detailed insights and metrics for verdaccio
Gathering detailed insights and metrics for verdaccio
Gathering detailed insights and metrics for verdaccio
npm install verdaccio
Typescript
Module System
Min. Node Version
Node Version
NPM Version
60.7
Supply Chain
81.5
Quality
93.9
Maintenance
50
Vulnerability
93.8
License
TypeScript (92.8%)
JavaScript (3.97%)
CSS (1.56%)
SCSS (0.98%)
Dockerfile (0.55%)
Shell (0.08%)
HTML (0.05%)
Total
24,093,945
Last Day
16,126
Last Week
222,726
Last Month
933,851
Last Year
8,827,160
16,529 Stars
5,834 Commits
1,375 Forks
155 Watching
16 Branches
295 Contributors
Latest Version
6.0.2
Package Id
verdaccio@6.0.2
Unpacked Size
959.73 kB
Size
290.14 kB
File Count
112
NPM Version
10.7.0
Node Version
18.20.4
Publised On
17 Nov 2024
Cumulative downloads
Total Downloads
Last day
38.4%
16,126
Compared to previous day
Last week
9.8%
222,726
Compared to previous week
Last month
11.3%
933,851
Compared to previous month
Last year
46.2%
8,827,160
Compared to previous year
37
73
Verdaccio is a simple, zero-config-required local private npm registry. No need for an entire database just to get started! Verdaccio comes out of the box with its own tiny database, and the ability to proxy other registries (eg. npmjs.org), caching the downloaded modules along the way. For those looking to extend their storage capabilities, Verdaccio supports various community-made plugins to hook into services such as Amazon's s3, Google Cloud Storage or create your own plugin.
Install with npm:
1npm install --location=global verdaccio
Node.js v18 or higher is required for Verdaccio
It's recommended using Node.js 20 (or latest LTS)
or pull Docker official image
1docker pull verdaccio/verdaccio
and run
1docker run -it --rm --name verdaccio -p 4873:4873 verdaccio/verdaccio
or with helm official chart.
1helm repo add verdaccio https://charts.verdaccio.org 2helm repo update 3helm install verdaccio/verdaccio
Verdaccio can be used as a module for launch a server programmatically, you can find more info at the website.
const {runServer} = require('verdaccio');
const app = await runServer(); // default configuration
const app = await runServer('./config/config.yaml');
const app = await runServer({ configuration });
app.listen(4873, (event) => {
// do something
});
You can develop your own plugins with the verdaccio generator. Installing Yeoman is required.
npm install --location=global yo
npm install --location=global generator-verdaccio-plugin
Learn more here how to develop plugins. Share your plugins with the community.
Verdaccio is run by volunteers; nobody is working full-time on it. If you find this project to be useful and would like to support its development and maintenance.
You can donate at Open Collective 💵👍🏻 starting from $1/month or just one single contribution.
If you want to use all benefits of npm package system in your company without sending all code to the public, and use your private packages just as easy as public ones.
If you have more than one server you want to install packages on, you might want to use this to decrease latency (presumably "slow" npmjs.org will be connected to only once per package/version) and provide limited failover (if npmjs.org is down, we might still find something useful in the cache) or avoid issues like How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript, Many packages suddenly disappeared or Registry returns 404 for a package I have installed before.
If you use multiples registries in your organization and need to fetch packages from multiple sources in one single project you might take advance of the uplinks feature with Verdaccio, chaining multiple registries and fetching from one single endpoint.
If you want to use a modified version of some 3rd-party package (for example, you found a bug, but maintainer didn't accept pull request yet), you can publish your version locally under the same name. See in detail here.
Verdaccio has proved to be a lightweight registry that can be booted in a couple of seconds, fast enough for any CI. Many open source projects use verdaccio for end to end testing, to mention some examples, create-react-app, mozilla neutrino, pnpm, storybook, babel.js, angular-cli or docusaurus. You can read more in here.
Furthermore, here few examples how to start:
View more in the YouTube channel.
Run in your terminal
1verdaccio
You would need set some npm configuration, this is optional.
1$ npm set registry http://localhost:4873/
For one-off commands or to avoid setting the registry globally:
1NPM_CONFIG_REGISTRY=http://localhost:4873 npm i
Now you can navigate to http://localhost:4873/ where your local packages will be listed and can be searched.
Warning: Verdaccio does not currently support PM2's cluster mode, running it with cluster mode may cause unknown behavior.
1npm adduser --registry http://localhost:4873
if you use HTTPS, add an appropriate CA information ("null" means get CA list from OS)
1$ npm set ca null
1npm publish --registry http://localhost:4873
This will prompt you for user credentials which will be saved on the verdaccio
server.
Below are the most commonly needed information, every aspect of Docker and verdaccio is documented separately
docker pull verdaccio/verdaccio
Available as tags.
docker pull verdaccio/verdaccio:6.x-next
To run the docker container:
1docker run -it --rm --name verdaccio -p 4873:4873 verdaccio/verdaccio
Docker examples are available in this repository.
Verdaccio aims to support all features of a standard npm client that make sense to support in private repository. Unfortunately, it isn't always possible.
npm install
, npm upgrade
, etc.) - supportednpm publish
) - supportednpm unpublish
) - supportednpm tag
) - supportednpm deprecate
) - supportednpm adduser {newuser}
) - supportednpm profile set password
) - supportednpm owner add {user} {pkg}
) - not supported, PR-welcomenpm token
) - supported (under flag)npm search
) - supported (cli (/-/all
and v1
) / browser)npm ping
) - supportednpm star
, npm unstar
, npm stars
) - supportedIf you want to report a security vulnerability, please follow the steps which we have defined for you in our security policy.
Juan Picado | Ayush Sharma | Sergio Hg |
---|---|---|
@jotadeveloper | @ayusharma_ | @sergiohgz |
Priscila Oliveria | Daniel Ruf | |
@priscilawebdev | @DanielRufde |
See the full list of contributors is at the website.
🤓 Don't be shy, add yourself to this readme.
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
Thank you to all our backers! 🙏 [Become a backer]
Thanks to the following companies to help us to achieve our goals providing free open source licenses. Every company provides enough resources to move this project forward.
This project exists thanks to all the people who contribute. [Contribute].
If you have any issue you can try the following options, do no desist to ask or check our issues database, perhaps someone has asked already what you are looking for.
Verdaccio is MIT licensed
The Verdaccio documentation and logos (excluding /thanks, e.g., .md, .png, .sketch) files within the /assets folder) is Creative Commons licensed.
Stable Version
1
6.1/10
Summary
Cross-Site Scripting (XSS) in Verdaccio
Affected Versions
< 3.12.0
Patched Versions
3.12.0
Reason
30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
security policy file detected
Details
Reason
license file detected
Details
Reason
no binaries found in the repo
Reason
packaging workflow detected
Details
Reason
SAST tool detected but not run on all commits
Details
Reason
Found 19/30 approved changesets -- score normalized to 6
Reason
branch protection is not maximal on development and all release branches
Details
Reason
dependency not pinned by hash detected -- score normalized to 1
Details
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
project is not fuzzed
Details
Reason
46 existing vulnerabilities detected
Details
Score
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More