strictly enforces/validates manifest and tgz #542
Assignees
Labels
enhancement
New feature or request
Comments
|
先完善在当前 registry 上发私有包的场景,公网包还是以 npm registry 为准 |
fengmk2
pushed a commit
that referenced
this issue
Jul 9, 2023
> Validate the manifest and tarball info to prevent contamination during consumption, closes #542. 1. 🔨 Added the "strictValidateTarballPkg" mode to enable validation, only applicable to the slef registry scenario. 2. 🧶 When the configuration is enabled, validate the relevant fields during publishing, currently only validating the fields affecting consumption. 3. ♻️ No corrective actions will be taken for existing scenario data. ----- > 发布时校验 manifest 和 tarball 字段是否陪陪,防止消费时被污染 closes #542 1. 🔨 新增 strictValidateTarballPkg 配置,仅对在发布当前 registry 场景下生效 2. 🧶 配置开启时,发布时校验相关字段,目前仅校验影响消费相关字段 3. ♻️ 存量场景数据不做订正处理
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem?utm_source=ESnextNews.com&utm_medium=Weekly+Newsletter&utm_campaign=2023-07-04
cc @elrrrrrrr
The text was updated successfully, but these errors were encountered: