mirror of
https://github.com/verdaccio/verdaccio.git
synced 2024-12-23 22:27:34 -05:00
45 lines
1.4 KiB
Markdown
45 lines
1.4 KiB
Markdown
|
---
|
||
|
id: protect-your-dependencies
|
||
|
title: Protecting packages
|
||
|
---
|
||
|
`verdaccio` allows you protect publish, to achieve that you will need to set up correctly your [packages acces](packages).
|
||
|
|
||
|
### Package configuration
|
||
|
|
||
|
Let's see for instance the following set up. You have a set of dependencies what are prefixed with `my-company-*` and you need to protect them from anonymous or another logged user without right credentials.
|
||
|
|
||
|
```yaml
|
||
|
'my-company-*':
|
||
|
access: admin teamA teamB teamC
|
||
|
publish: admin teamA
|
||
|
proxy: npmjs
|
||
|
```
|
||
|
|
||
|
With this configuration, basically we allow to groups **admin** and **teamA** to * publish* and **teamA** **teamB** **teamC** *access* to such dependencies.
|
||
|
|
||
|
### Use case: teamD try to access the dependency
|
||
|
|
||
|
So, if I am logged as **teamD**. I shouldn't be able to access all dependencies that match with `my-company-*` pattern.
|
||
|
|
||
|
```bash
|
||
|
➜ npm whoami
|
||
|
teamD
|
||
|
```
|
||
|
|
||
|
I won't have access to such dependencies and also won't be visible via web for user **teamD**. If I try to access the following will happen.
|
||
|
|
||
|
```bash
|
||
|
➜ npm install my-company-core
|
||
|
npm ERR! code E403
|
||
|
npm ERR! 403 Forbidden: webpack-1@latest
|
||
|
```
|
||
|
|
||
|
or with `yarn`
|
||
|
|
||
|
```bash
|
||
|
➜ yarn add my-company-core
|
||
|
yarn add v0.24.6
|
||
|
info No lockfile found.
|
||
|
[1/4]
|
||
|
error An unexpected error occurred: "http://localhost:5555/webpack-1: unregistered users are not allowed to access package my-company-core".
|
||
|
```
|