Allow configuration of publish restrictions #58
Comments
Thanks for raising this, you are correct, the current use case is by intention. As it stands we do not allow admins to publish under the same name as public npm. The core reason is security, to stop engineers in large organisations that have publish rights the ability to inject a module in place of a well-known one such as say It could cause havoc in build pipelines with some nasty outcomes. I think for me at least it may well be better to enforce I will have a think a bit more in regards to your options and get back to you.
This is a Feature Proposal
Description
Currently, attempting to publish a package that exists on the public registry will always fail. This restriction makes sense if we assume that users should (or only want to) store unique packages in codebox and intend to proxy all other requests to the global registry.
I'm new here and not sure if this assumption is intentional and/or a desirable characteristic of this registry solution in particular. If so, please allow me to convince you of a few good reasons to allow configuration of this restriction:
A naive implementation that would satisfy #2 & #3 could be accomplished by adding a new environment variable (eg: CODEBOX_RESTRICTED_SCOPES) formatted as a comma-delimited list of permissible scopes. A simple membership check of this list before the existing unique check should be sufficient.
#1 quickly becomes non-trivial if the ability to override at the version level is desired as existing checks and processes are limited to the package level.
What do y'all think?
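A sketch of the membership check proposed above, as an added example that is not codebox's own code. Only CODEBOX_RESTRICTED_SCOPES comes from the issue; the function names, the simplified name grammar, the stubbed public-registry lookup and the reading that a listed scope skips the uniqueness check are assumptions.

```javascript
// Simplified from npm's naming rules: lowercase, URL-safe, optional "@scope/".
const SCOPE_RE = /^@[a-z0-9~-][a-z0-9._~-]*$/;
const NAME_RE = /^(?:(@[a-z0-9~-][a-z0-9._~-]*)\/)?[a-z0-9~-][a-z0-9._~-]*$/;

// Parse the comma-delimited variable. A malformed entry throws, so a typo
// cannot silently change which names may shadow public packages.
function parseScopes(raw) {
  const scopes = new Set();
  for (const entry of (raw || '').split(',')) {
    const scope = entry.trim();
    if (scope === '') continue;
    if (!SCOPE_RE.test(scope)) throw new Error(`invalid scope: ${scope}`);
    scopes.add(scope);
  }
  return scopes;
}

// Membership check first, then the existing uniqueness check.
// isPublicName is an injected lookup (hypothetical; a real one would be an
// async call to the public registry).
function canPublish(name, allowedScopes, isPublicName) {
  const m = NAME_RE.exec(name);
  if (!m) return { allowed: false, reason: 'invalid-name' };
  if (m[1] && allowedScopes.has(m[1])) {
    return { allowed: true, reason: 'scope-allowlisted' };
  }
  if (isPublicName(name)) {
    return { allowed: false, reason: 'exists-on-public-registry' };
  }
  return { allowed: true, reason: 'unique-name' };
}

// Constructed sample data standing in for the public registry.
const PUBLIC = new Set(['lodash', '@acme/utils', '@other/utils']);
const lookup = (name) => PUBLIC.has(name);

function demo(rawScopes) {
  const scopes = parseScopes(rawScopes);
  const names = ['@acme/utils', '@other/utils', 'lodash', '@Acme/utils', 'my-private-lib'];
  const out = {};
  for (const n of names) out[n] = canPublish(n, scopes, lookup).reason;
  return out;
}

console.log(demo(process.env.CODEBOX_RESTRICTED_SCOPES || '@acme, @internal'));
```

With the variable unset, every name falls through to the uniqueness check, so the current restriction remains the default and unscoped names such as `lodash` can never be overridden.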