npm JavaScript air-gapped (offline) License Compliance

Problem to solve

Intended users

Further details

Proposal

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Implementation Plan

• Set up a custom npm registry in the Offline test environment.
• Exclude devDependencies from scan results. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/141
• Add integration test(s) to fetch dependencies from a custom npm registry. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/145
• Add integrations test(s) to verify that dependencies can be installed from a custom npm registry served with a custom self signed TLS certificate that is not in the default root certificate authority trust store. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/145
• Add documentation to describe any special setup or configuration required for fetching dependencies from a custom npm registry. Example !31258 (merged)
• Add documentation to describe any setup required for working in an offline environment. Example !31258 (merged)
• Add example project to templates https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/templates/js-npm

Links / references