vsr
aims to be a minimal "npm-compatible" registry which replicates the core features found in registry.npmjs.org
as well as adding net-new capabilities.
Table of Contents:
You can quickly get started by installing/executing vsr
with the following command:
npx -y vltpkg/vsr
You can deploy vsr
to Cloudflare in under 5 minutes, for free, with a single click (coming soon).
Alternatively, you can deploy to production using wrangler
after following the Development quick start steps.
# clone the repo
git clone https://github.com/vltpkg/vsr.git
# navigate to the repository directory
cd ./vsr
# install the project's dependencies
npm install
# run tbe development script
npm run dev
- Cloudflare (free account at minimum)
- Workers (free: 100k requests /day)
- D1 Database (free: 100k writes, 5M reads /day & 5GB Storage /mo)
- R2 Bucket (free: 1M writes, 10M reads & 10GB /mo)
Note: all usage numbers & pricing documented is as of October 24th, 2024. Plans & metering is subject to change at Cloudflare's discretion.
git
node
npm
All tokens are considered "granular access tokens" (GATs). Token entries in the database consist of 3 parts:
token
the unique token valueuuid
associative value representing a single user/scopescope
value representing the granular access/privileges
A scope
contains an array of privileges that define both the type(s) of & access value(s) for a token.
Note
Tokens can be associated with multiple "types" of access
type(s)
:pkg:read
read associated packagespkg:read+write
write associated packages (requires read access)user:read
read associated useruser:read+write
write associated user (requires read access)
value(s)
:*
an ANY selector foruser:
orpkg:
access types~<user>
user selector for theuser:
access type@<scope>/<pkg>
package specific selector for thepkg:
access type@<scope>/*
glob scope selector forpkg:
access types
Note
- user/org/team management via
@<scope>
is not supported at the moment
Scope Examples
- specific package read access
- individual user read+write access
[
{
"values": ["@organization/package-name"],
"types": {
"pkg": {
"read": true,
}
}
},
{
"values": ["~johnsmith"],
"types": {
"user": {
"read": true,
"write": true,
}
}
}
]
- scoped package read+write access
- individual user read+write access
[
{
"values": ["@organization/*"],
"types": {
"pkg": {
"read": true
}
}
},
{
"values": ["~johnsmith"],
"types": {
"user": {
"read": true,
"write": true,
}
}
}
]
- organization scoped packages read+write access
- individual user read+write access
[
{
"values": ["@organization/package-name"],
"types": {
"pkg": {
"read": true
}
}
},
{
"values": ["~johnsmith"],
"types": {
"user": {
"read": true,
"write": true,
}
}
}
]
- organization scoped package read+write access
- organization users read+write access
[
{
"values": ["@company/*"],
"types": {
"pkg": {
"read": true,
"write": true
},
"user": {
"read": true,
"write": true
}
}
}
]
[
{
"values": ["*"],
"types": {
"pkg": {
"read": true,
"write": true
},
{
"user": {
"read": true,
"write": true
}
}
}
}
]
We have rich, interactive API docs out-of-the-box with the help of our friends Scalar. The docs can be found at the registry root when running vsr
locally (ex. run npx -y vltpkg/vsr
&/or check out this repo & run npm run dev
)
The following commands should work out-of-the-box with npm
& any other npm
"compatible" clients although their specific commands & arguments may vary (ex. vlt
, yarn
, pnpm
& bun
)
To use vsr
as your registry you must either pass a registry config through a client-specific flag (ex. --registry=...
for npm
) or define client-specific configuration which stores the reference to your registry (ex. .npmrc
for npm
). Access to the registry & packages is private by default although an "admin"
user is created during setup locally (for development purposes) with a default auth token of "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
.
; .npmrc
registry=http://localhost:1337
//localhost:1337/:_authToken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- β implemented
- β³ in progress
- π€ planned to support
Support | Commannd |
---|---|
β | access |
β | access list packages |
β | access get status |
β | access set status |
β | access set mfa |
β | access grant |
β | access revoke |
π€ | adduser - PUT /-/org/@<org>/<user> : Adds/updates a user (requires admin privileges) |
β | audit |
β | bugs |
β | dist-tag add |
β | dist-tag rm |
β | dist-tag ls |
β | deprecate |
β | docs |
β | exec |
β | hook |
β | install |
β | login |
β | logout |
β | org |
β | outdated |
β | owner add |
β | owner rm |
β | owner ls |
β | ping |
β | profile enable-2fa |
β | profile disable-2fa |
β | profile get |
π€ | profile set - PUT /-/npm/v1/user : Updates a user (requires auth) |
β | publish |
β | repo |
β | search |
β | star |
β | team |
β | view |
β | whoami |
- β supported
- β unsupported
Feature | vsr |
verdaccio |
jsr |
---|---|---|---|
Serverless | β | β | β |
JavaScript Backend | β | β | β |
Granular Access/Permissions | β | β | β |
Proxy Upstream Registries | β³ | β | β |
Unscoped Package Names | β | β | β |
npm Package Publishing | β | β | β |
npm Package Installation | β | β | β * |
CDN | π€ | β | β |
ESM | π€ | β | β |
Manifest Validation | β | β | β |
Plugins | β³ | β | β |
Events/Hooks | π€ | β | β |
Programmatic API | β | β | β |
Web Interface | π€ | β | β |
Search | π€ | β | β |
First-Class Typescript | β | β | β |
API Documentation Generation | β | β | β |
Multi-Cloud | π€ | β | β |
Azure DevOps Artifacts Upstream | β | β | β |
JFrog Artifactory Upstream | β | β | β |
Google Artifact Registry Upstream | β | β | β |
*
requiresjsr
-specific tooling or use a modified package name when using traditional npm clients (ref. https://jsr.io/docs/npm-compatibility)
Status | Feature |
---|---|
β | api: minimal package metadata |
β | api: full package manifests |
β | api: publishing private, scoped packages |
β | api: package manifest validation |
β | api: admin user management (add/update/remove users) |
β | api: user token management (add/update/remove tokens) |
β | web: docs portal |
β | api: unscoped packages |
β³ | web & api: custom dist-tags (latest is supported) |
β³ | web & api: token rate-limiting |
π€ | web & api: search |
π€ | web & api: staging |
π€ | web: admin user management |
π€ | web: user registration |
π€ | web: user login (ex. npm login / --auth-type=web ) |
π€ | web: user account management |
This project is licensed under the Functional Source License (FSL-1.1-MIT).