Update verdaccio/verdaccio Docker tag to v5.4.0 (!112) · Merge requests · Utopia Planitia Fleet Yards / CI / npm Cache

Utopia Planitia Bot requested to merge renovate/verdaccio-verdaccio-5.x into main Dec 24, 2021

This MR contains the following updates:

Package	Update	Change
verdaccio/verdaccio	minor	`5.3.2` -> `5.4.0`

Release Notes

verdaccio/verdaccio

`v5.4.0`

Compare Source

Features

add cache-control header to endpoints (#2791) (`fd3ad1e`)

Some npm commands has a response the token as the body, to void cache those responses we add Cache-Control as response header.

add rate limit to user api endpoints (#2800) (#2799) (`f64e403`)

Add default rate limit to user endpoints, npm token, npm profile, npm loding/adduser to 100 request peer 15 min, customizable via

userRateLimit:
  windowMs: 50000
  max: 1000

Also X-RateLimit is part of the response headers.

curl -v http://localhost:4873/-/user/test
...
> 
< HTTP/1.1 200 OK
< X-Powered-By: foooo
< Access-Control-Allow-Origin: *
< X-RateLimit-Limit: 1000
< X-RateLimit-Remaining: 999
< Date: Fri, 24 Dec 2021 18:27:20 GMT
< X-RateLimit-Reset: 1640371089
< Content-Type: application/json; charset=utf-8
< ETag: "9bc0d4158c3e2ac5822d39f55e5ceb05"
< Content-Length: 51
< Vary: Accept-Encoding
< Connection: keep-alive
< Keep-Alive: timeout=60

add rate limit to web endpoints (#2799) (`c91d6be`) (#2803) (`5b1264c`)

The web endpoints that retrieve data from the cache are limited by default 5k request peer 15 min and customizable if your need exceeds the defautls.

web:
  title: Verdaccio
  rateLimit:
    windowMs: 50000
    max: 1000

JWT web signature default time reduced to 1 hour (#2787) (`1c17d09`)

The JWT token for web has been reduced from 7 days to 1 hour for security reasons. To restore the previous time, use configuration.

User agent is the client by default (#2793) (`e5d79ce`)

The user_agent property has been part of the config file, but undocumented, previous versions send the header User-Agent was something like Verdaccio/5.x.x. After this version is disabled and forward the one that comes from the client, also disable 'X-Powered-By by default. The new user_agent allows re-enable this feature by using true or craft your own user agent.

user_agent: true
user_agent: false
user_agent: 'custom user agent'

Bug Fixes

deps: update dependency @verdaccio/commons-api to v10.1.0 (#2789) (c5c0ef8)
deps: update dependency body-parser to v1.19.1 (#2788) (46e583f)

by @juanpicado @Splaktar

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, click this checkbox.

This MR has been generated by Renovate Bot.

Update verdaccio/verdaccio Docker tag to v5.4.0

Release Notes

v5.4.0

Features

add cache-control header to endpoints (#​2791) (fd3ad1e)

add rate limit to user api endpoints (#​2800) (#​2799) (f64e403)

add rate limit to web endpoints (#​2799) (c91d6be) (#​2803) (5b1264c)

JWT web signature default time reduced to 1 hour (#​2787) (1c17d09)

User agent is the client by default (#​2793) (e5d79ce)