[RRFC] Add "registryRules" to package.json to specify which registry to choose from #331
Comments
|
To avoid a supply chain attack, you'd only want your internal packages to be under scopes (scopes that you publicly control), and you'd want your internal scopes to be different than the scopes you used for public packages to avoid accidentally publishing an internal package. If one followed these best practices, what would be the remaining use cases for |
|
Hmm, I haven't think about that, my initial thought was just trying to address some of the concerns in #314. Yes, the differences are subtle, but I think the
You can also argue this is making the process too strict and complex, and I agree. Now I have conflicting thoughts, I think I'm going to close this for now and think more thoroughly about this, thanks @ljharb . |
Motivation ("The Why")
First, I want mention that I'm very glad for #275 RFC, I believe it can make the NPM ecosystem more open and safer, thank you! While I would agree with #275, but I think adding
registry:to all my private packages can be a little tedious, especially if I have multiple packages that are in@myorgScope and IMO can makepackage.jsonharder to read.So my proposal is to add new key called
registryRulesinpackage.json, it is an object that its key acts like a prefix-pattern that will be matched against packages that are independenciesor*Dependencies, if the package name match the pattern, it will look up the package to the registries that are defined in that particular pattern.Example
{ "name": "package-name", // ... "registryRules": { // <patterns> "<pattern>": [ // Arrray of <registry> { "url": "<registry_url>", }, // ... ] } }A concrete example would be something like
{ "name": "fabulous-package", // ... "registryRules": { "@myorg": [ { "url":"https://registry.npmjs.org"}, { "url":"https://registry.example.com"}, ], "@myorg/legacy-app-*": [ { "url":"https://legacy-registry.example.com" }, ] } }Details:
<registry>object holds the details about the registry, with properties:url:string - the url of the registryWhy an object? This will make future extension easier. Let's say NPM decided to have v10 API, you can add
versionkey to maintain backward compatibility with older API.<patterns>is an object, that have a string as the key and<registry>object for the value@myorgis will affect all the dependency that have prefix@myorg, the pattern not limited to Scope name but can also match full package name like@myorg/fabulous-packageas well.*, to match the package name, example:@myorg/app-*-demoit will only match@myorg/app-super-demoand not@myorg/app-superAlternatively, use regex instead of prefix + wildcard patterns.
Implementation details proposal:
<patterns>respect it's key ordering. If a package name match multiple patters itwill search through the pattern that have lowest index, and if the package not found, continue the search to the second lowest index.
<registry>inside a<pattern>also respect it's ordering, so if the package found in multiple registry, it will use use registry that have the lowest index number as a tie breaker.npm login.package.json(dependenciesand*Dependencies), it does not affect it's the dependencies of it's package. For example:Dependency tree for
@myorg/package-aIn this scenario,
@myorg/package-aexplicitly define theregistryRulesin it's package.json as{ "name": "@myorg/package-a", "registryRules": { "@myorg": [ { "url": "https://registry.example.com", } ] } }Thus this explicit
registryRuleswill only affect@myorg/package-b,@myorg/package-cnot@myorg/package-x,@myorg/package-yI have no concrete argument for this, but I think this behavior is easier to grasp compared to propagating the rules to the dependency tree.
Current Behaviour
AFAIK it will try to match given pattern specified in
npm login --scope=@organization --registry=registry.organization.comand fall back to NPM public registry if the package is not found.Related
registry:<url>#<name>[@<version-range>]dependency specifier #275And lastly, I just want to point out that something similar but slightly different has been done by other community, I want to point this out, maybe we can get some inspiration or concerns from their implementation:
The text was updated successfully, but these errors were encountered: