Scope npm packages at the project level

Problem to solve

NPM does not follow the convention laid out by Maven for implementing project-, group-, and instance-level endpoints for uploading and downloading/installing packages. This can lead to confusion when trying to understand the rules for working with multiple repository types.

Intended users

Further details

Project- and group-level endpoints should be able to have open naming restrictions. The instance-level endpoint should use the pattern @my-top-namespace/my-subgroup+myother-subgroup+my-package.

Proposal

Add appropriate endpoints to implement group-level uploads and refactor the existing project and instance-level endpoints to be consistent with our other package managers.

Permissions and Security

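| Action | Guest | Reporter | Developer | Maintainer | Owner |
|--------|-------|----------|-----------|------------|-------|
| Pull from Maven repository or NPM registry or Conan Repository | | x | x | x | x |
| Publish to Maven repository or NPM registry or Conan Repository | | | x | x | x |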

Documentation

Update the NPM documentation to be consistent with Maven in describing each of these endpoints (remotes) to users.

Testing

  • Test permissions work as expected at instance/group/project level
  • Ensure there are no issues for instances that have the repository turned on at each level.
  • Ensure no existing packages will be adversely affected by these changes.

What does success look like, and how can we measure that?

What is the type of buyer?

This feature will be focused on Directors and Executives, as it is a Premium/Ultimate feature. https://about.gitlab.com/handbook/ceo/pricing/#four-tiers

Links / references

Edited by Tim Rizzi