## Features

### Package Filter Plugins (#5786, #5548) by @vsugrob, @pyhp2017
The `@verdaccio/package-filter` package is bundled by default but must be enabled by the user.

`@verdaccio/package-filter` is a built-in plugin that intercepts package metadata from uplinks and removes versions matching configurable rules. With no rules configured, it acts as a no-op passthrough.
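To make the rule semantics concrete, here is an added reference model, written for this page and not the plugin's own code, that applies the rule shapes shown in the configuration examples of this section (`block`/`allow` by `package` or `scope`, an optional `versions` range, `minAgeDays`, `dateThreshold`, `strategy: replace`) to an npm packument and reports what was removed or substituted. The precedence it uses (allow first, then block rules, then the time-based checks), the range subset it understands (an exact version or `>=X.Y.Z`), and the repointing of `dist-tags` to the newest surviving version are assumptions of this example; the packuments, tarball URLs and dates are constructed.

```javascript
// Added example (not @verdaccio/package-filter's own code): a reference model of
// how its rules prune a packument. Rule semantics follow the release notes;
// precedence (allow > block > age/date) and the ">=X.Y.Z" range subset are
// assumptions of this example.
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release suffixes are dropped).
const parseVersion = (v) => v.split('-')[0].split('.').map(Number);

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Assumed range subset: an exact version or ">=X.Y.Z".
function satisfies(version, range) {
  if (range.startsWith('>=')) return compareVersions(version, range.slice(2).trim()) >= 0;
  return version === range;
}

// A rule matches when its package/scope selector matches the name and,
// if it carries `versions`, the range matches the version too.
function ruleMatches(rule, name, version) {
  if (rule.package && rule.package !== name) return false;
  if (rule.scope && !name.startsWith(rule.scope + '/')) return false;
  if (rule.versions && !satisfies(version, rule.versions)) return false;
  return true;
}

// Fate of one version: 'keep', 'block', 'replace', 'minAgeDays' or 'dateThreshold'.
function classify(cfg, name, version, publishedAt, now) {
  if ((cfg.allow || []).some((r) => ruleMatches(r, name, version))) return 'keep';
  const rule = (cfg.block || []).find((r) => ruleMatches(r, name, version));
  if (rule) return rule.strategy === 'replace' ? 'replace' : 'block';
  if (publishedAt) {
    const published = new Date(publishedAt);
    if (cfg.minAgeDays && now - published < cfg.minAgeDays * DAY_MS) return 'minAgeDays';
    if (cfg.dateThreshold && published >= new Date(cfg.dateThreshold)) return 'dateThreshold';
  }
  return 'keep';
}

// Return a filtered copy of the packument plus an audit trail of decisions.
function filterPackument(pkg, cfg, now = new Date()) {
  const time = pkg.time || {};
  const ordered = Object.keys(pkg.versions).sort(compareVersions);
  const decision = Object.fromEntries(
    ordered.map((v) => [v, classify(cfg, pkg.name, v, time[v], now)]));
  const versions = {}, replaced = {}, removed = {};
  for (const v of ordered) {
    if (decision[v] === 'keep') {
      versions[v] = pkg.versions[v];
    } else if (decision[v] === 'replace') {
      // Serve the nearest older version that passes the rules unchanged.
      const older = ordered.filter((o) => compareVersions(o, v) < 0 && decision[o] === 'keep');
      if (older.length) {
        versions[v] = pkg.versions[older[older.length - 1]];
        replaced[v] = older[older.length - 1];
      } else {
        removed[v] = 'replace (no older safe version)';
      }
    } else {
      removed[v] = decision[v];
    }
  }
  // dist-tags pointing at a removed version are repointed to the newest survivor.
  const survivors = Object.keys(versions).sort(compareVersions);
  const distTags = {};
  for (const [tag, target] of Object.entries(pkg['dist-tags'] || {})) {
    if (versions[target]) distTags[tag] = target;
    else if (survivors.length) distTags[tag] = survivors[survivors.length - 1];
  }
  return { packument: { ...pkg, versions, 'dist-tags': distTags }, replaced, removed };
}

// Constructed sample data: the "Full example" config from the notes and two packuments.
const SAMPLE_NOW = new Date('2025-03-01T00:00:00Z');
const SAMPLE_CONFIG = {
  minAgeDays: 7,
  block: [
    { scope: '@malicious' },
    { package: 'typosquat-pkg' },
    { package: 'compromised-lib', versions: '>=3.0.0', strategy: 'replace' },
  ],
  allow: [{ scope: '@my-org' }, { package: 'compromised-lib', versions: '3.0.1' }],
};
const manifest = (name, v) => ({ name, version: v, dist: { tarball: `https://registry.invalid/${name}-${v}.tgz` } });
const SAMPLE_COMPROMISED = {
  name: 'compromised-lib',
  'dist-tags': { latest: '3.2.0' },
  time: { '2.9.0': '2024-06-01T00:00:00Z', '3.0.0': '2024-09-01T00:00:00Z', '3.0.1': '2024-09-02T00:00:00Z',
          '3.1.0': '2024-12-01T00:00:00Z', '3.2.0': '2025-02-27T00:00:00Z' },
  versions: Object.fromEntries(['2.9.0', '3.0.0', '3.0.1', '3.1.0', '3.2.0'].map((v) => [v, manifest('compromised-lib', v)])),
};
const SAMPLE_FRESH = {
  name: 'fresh-lib',
  'dist-tags': { latest: '1.1.0' },
  time: { '1.0.0': '2025-01-01T00:00:00Z', '1.1.0': '2025-02-27T00:00:00Z' },
  versions: Object.fromEntries(['1.0.0', '1.1.0'].map((v) => [v, manifest('fresh-lib', v)])),
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const pkg of [SAMPLE_COMPROMISED, SAMPLE_FRESH]) {
    const { replaced, removed } = filterPackument(pkg, SAMPLE_CONFIG, SAMPLE_NOW);
    console.log(pkg.name, { replaced, removed });
  }
}
```

Running it shows the two effects worth checking before enabling the plugin in production: for `compromised-lib`, `3.0.0`, `3.1.0` and `3.2.0` are served as the nearest older allowed version (`2.9.0`, then `3.0.1`, which the `allow` rule exempts from the block), so lockfiles that pin them keep resolving; for `fresh-lib`, the two-day-old `1.1.0` is removed by `minAgeDays: 7` and the `latest` tag falls back to `1.0.0`. A version that is blocked with `strategy: replace` but has no older allowed version is dropped rather than served, which is the case to watch for in the audit output.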
#### Block a compromised package version

```yaml
filters:
  '@verdaccio/package-filter':
    block:
      - package: 'event-stream'
        versions: '3.3.6'
```

#### Block an entire malicious scope

```yaml
filters:
  '@verdaccio/package-filter':
    block:
      - scope: '@malicious'
```

#### Quarantine recently published versions

Hide versions published less than 7 days ago, giving time for review before adoption:

```yaml
filters:
  '@verdaccio/package-filter':
    minAgeDays: 7
```

#### Freeze registry to a point in time

Only serve versions published before a specific date:

```yaml
filters:
  '@verdaccio/package-filter':
    dateThreshold: '2025-01-01'
```

#### Whitelist trusted packages within blocked rules

```yaml
filters:
  '@verdaccio/package-filter':
    minAgeDays: 30
    allow:
      - scope: '@my-company'
      - package: 'trusted-pkg'
```

#### Replace instead of remove

Substitute a blocked version with the nearest older safe version, useful when removing it would break transitive dependencies:

```yaml
filters:
  '@verdaccio/package-filter':
    block:
      - package: 'compromised-lib'
        versions: '>=3.0.0'
        strategy: replace
```

#### Full example

```yaml
filters:
  '@verdaccio/package-filter':
    minAgeDays: 7
    block:
      - scope: '@malicious'
      - package: 'typosquat-pkg'
      - package: 'compromised-lib'
        versions: '>=3.0.0'
        strategy: replace
    allow:
      - scope: '@my-org'
      - package: 'compromised-lib'
        versions: '3.0.1'
```

## Bug Fixes
- fix(deps): Updated lodash to v4.18.1 (#5777)
- fix(deps): Updated core @verdaccio/* dependencies (#5674, #5780)

Full Changelog: v6.3.2...v6.4.0