5.4.0 (2021-12-24)
Features
add cache-control header to endpoints (#2791) (fd3ad1e)
Some npm commands return the token in the response body; to avoid caching those responses, a Cache-Control response header is now added.
add rate limit to user api endpoints (#2800) (#2799) (f64e403)
Add a default rate limit to the user endpoints (npm token, npm profile, npm login/adduser) of 100 requests per 15 min, customizable via
userRateLimit:
  windowMs: 50000
  max: 1000
The X-RateLimit headers are also part of the response headers.
curl -v http://localhost:4873/-/user/test
...
>
< HTTP/1.1 200 OK
< X-Powered-By: foooo
< Access-Control-Allow-Origin: *
< X-RateLimit-Limit: 1000
< X-RateLimit-Remaining: 999
< Date: Fri, 24 Dec 2021 18:27:20 GMT
< X-RateLimit-Reset: 1640371089
< Content-Type: application/json; charset=utf-8
< ETag: "9bc0d4158c3e2ac5822d39f55e5ceb05"
< Content-Length: 51
< Vary: Accept-Encoding
< Connection: keep-alive
< Keep-Alive: timeout=60
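Added example (not part of the release notes or the Verdaccio code base): a small checker that parses a `curl -v` header dump like the one above and reports the new rate-limit state, whether a token-returning response is still cacheable, and whether X-Powered-By is still sent. The sample below is the response above as printed; the Cache-Control directive it looks for (`no-store`/`no-cache`) is an assumption, since the notes do not say which value is sent.

```python
"""Summarise the security-relevant response headers Verdaccio 5.4.0 adds."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the `curl -v` response headers from the release notes.
SAMPLE = """\
< HTTP/1.1 200 OK
< X-Powered-By: foooo
< Access-Control-Allow-Origin: *
< X-RateLimit-Limit: 1000
< X-RateLimit-Remaining: 999
< Date: Fri, 24 Dec 2021 18:27:20 GMT
< X-RateLimit-Reset: 1640371089
< Content-Type: application/json; charset=utf-8
< ETag: "9bc0d4158c3e2ac5822d39f55e5ceb05"
< Content-Length: 51
"""

def parse_headers(raw):
    """Turn curl's '< Name: value' lines into a lower-cased dict."""
    headers = {}
    for line in raw.splitlines():
        line = line.lstrip("< ").strip()   # drop curl's "< " prefix
        if ":" not in line:                # status line, blank line or "..."
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    h = parse_headers(raw)
    findings = {}
    # Rate limiting is active only if all three X-RateLimit headers are present;
    # X-RateLimit-Reset is a Unix timestamp, so compute seconds until the window resets.
    keys = ("x-ratelimit-limit", "x-ratelimit-remaining", "x-ratelimit-reset")
    if all(k in h for k in keys):
        reset_at = datetime.fromtimestamp(int(h["x-ratelimit-reset"]), tz=timezone.utc)
        now = parsedate_to_datetime(h["date"]) if "date" in h else datetime.now(timezone.utc)
        findings["rate_limit"] = {
            "limit": int(h["x-ratelimit-limit"]),
            "remaining": int(h["x-ratelimit-remaining"]),
            "reset_in_s": int((reset_at - now).total_seconds()),
        }
    else:
        findings["rate_limit"] = None
    # Assumed: a token-bearing response must carry no-store or no-cache.
    cc = h.get("cache-control", "")
    findings["cacheable"] = not any(t in cc for t in ("no-store", "no-cache"))
    # X-Powered-By is a fingerprinting header; 5.4.0 disables it by default.
    findings["x_powered_by"] = h.get("x-powered-by")
    return findings
```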
add rate limit to web endpoints (#2799) (c91d6be) (#2803) (5b1264c)
The web endpoints that retrieve data from the cache are limited by default to 5k requests per 15 min, customizable if your needs exceed the defaults.
web:
  title: Verdaccio
  rateLimit:
    windowMs: 50000
    max: 1000
JWT web signature default time reduced to 1 hour (#2787) (1c17d09)
The JWT token for the web UI has been reduced from 7 days to 1 hour for security reasons. To restore the previous lifetime, set it in the configuration.
User agent is the client by default (#2793) (e5d79ce)
The user_agent property has been part of the config file but was undocumented. Previous versions sent a User-Agent header that looked like Verdaccio/5.x.x. From this version on that is disabled and the User-Agent that comes from the client is forwarded instead; the X-Powered-By header is also disabled by default. The new user_agent option allows re-enabling this feature with true, or crafting your own user agent.
user_agent: true
user_agent: false
user_agent: 'custom user agent'