Closed Maven dependency proxy
    Closed Epic created by Tim Rizzi

    TLDR; This epic is intended to capture all of the work in expanding the NPM Registry to include remote and virtual registries.

    Problem to solve

    A typical software project relies on a variety of dependencies, which we call Packages. Packages can be internally built and maintained, or sourced from a public repository. Based on our user research, we’ve learned that most projects use a 50/50 mix of public vs. private packages. When installing packages, the order in which they are found and downloaded is very important, as downloading/using an incorrect package or version of a package can introduce breaking changes and security vulnerabilities into their pipelines.

    Sidney wants to rely solely on GitLab as a universal package manager so that they can reduce costs and drive operational efficiencies. However, GitLab only supports privately hosted package repositories, which only accounts for half of their team's use cases. In addition, the naming conventions enforced by the GitLab Package Registry make it impossible for organizations with many teams and many developers to use GitLab’s offering.

    Target audience

    Proposal

    Give users the ability to add/configure one external Java repository. Once added, when a user tries to install a Java package using their project-level endpoint, GitLab will first look for the package in the project and if it's not found, will attempt to pull the package from the external repository.

    • Project owners will be able to configure this via a project's settings (API or UI)
    • We will support external repositories that require authentication, such as Artifactory or Sonatype

    When a package is pulled from the external repository, it will be imported into the GitLab project so that the next time that particular package/version is pulled, it's pulled from GitLab and not the external repository.

    • The benefit of this is that, as time goes on, fewer packages will have to be pulled externally.
    • This will be a fast follow, once we've added initial support for the dependency proxy.

    If the package is not found in their GitLab project or the external repository we will return an error.

    Edited by Tim Rizzi
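
The lookup order proposed above, modeled as an added example; it is not GitLab's code and not part of the original epic. The class name, the dict-backed registries, the audit list and the sample coordinates are assumptions constructed for illustration.

```python
import hashlib

class PackageNotFound(Exception):
    """Neither the project registry nor the external repository has the package."""

class DependencyProxy:
    """Toy model of the proposed lookup order. Registries are plain dicts
    mapping Maven coordinates ("group:artifact:version") to artifact bytes."""

    def __init__(self, project_registry, external_repo):
        self.project = project_registry   # packages already in the GitLab project
        self.external = external_repo     # the single configured external repository
        self.audit = []                   # (coords, source, sha256) for every request

    def resolve(self, coords):
        if coords in self.project:            # 1. look in the project first
            data, source = self.project[coords], "project"
        elif coords in self.external:         # 2. otherwise try the external repository
            data, source = self.external[coords], "external"
            self.project[coords] = data       # 3. import so the next pull stays in GitLab
        else:                                 # 4. found in neither place: error
            raise PackageNotFound(coords)
        self.audit.append((coords, source, hashlib.sha256(data).hexdigest()))
        return data

def demo():
    # Constructed sample data: the same coordinates exist in both places once.
    project = {"com.example:internal-lib:1.0": b"internal build"}
    external = {
        "com.example:internal-lib:1.0": b"same name, different publisher",
        "org.apache.commons:commons-lang3:3.12.0": b"public jar",
    }
    proxy = DependencyProxy(project, external)
    proxy.resolve("com.example:internal-lib:1.0")             # project copy wins
    proxy.resolve("org.apache.commons:commons-lang3:3.12.0")  # external, then imported
    # A later change upstream does not affect the imported copy.
    external["org.apache.commons:commons-lang3:3.12.0"] = b"changed upstream"
    proxy.resolve("org.apache.commons:commons-lang3:3.12.0")  # now served from project
    return proxy.audit

if __name__ == "__main__":
    for coords, source, digest in demo():
        print(f"{source:8} {digest[:12]} {coords}")
```

The audit trail records which side answered each request and the digest of what was served, which is the record a reviewer needs to confirm that an internal name was never satisfied from the external repository.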
