Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

@drubin/verdaccio-gitlab

Package Overview
Dependencies
Maintainers
1
Versions
1
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@drubin/verdaccio-gitlab

private npm registry (Verdaccio) using gitlab-ce as authentication and authorization provider

0.0.4
latest
Source
npmnpm
Version published
Maintainers
1
Created
Source

Verdaccio-GitLab

Use GitLab Community Edition as authentication provider for the private npm registry verdaccio, the sinopia fork.

The main goal and difference to other sinopia/verdaccio plugins is:

  • no admin token required
  • user authenticates with Personal Access Token
  • owned groups (no subgroups) are added to the user
  • publish packages if package scope or name is an owned group name

This is experimental!

Use it

git clone https://github.com/bufferoverflow/verdaccio-gitlab.git
cd verdaccio-gitlab
npm install
npm start

verdaccio is now up and running, now configure the following within your ~/.config/verdaccio/config.yaml to use this plugin

auth:
  gitlab:
    url: https://gitlab.com

packages:
  '@*/*':
    # scoped packages
    access: $all
    publish: $authenticated
    proxy: npmjs
    gitlab: true

  '**':
    access: $all
    publish: $authenticated
    proxy: npmjs
    gitlab: true

restart verdaccio and authenticate with your credentials:

on the web ui http://localhost:4873 or via npm

npm login --registry http://localhost:4873

and publish packages

npm publish --registry http://localhost:4873

NOTE: you need a fresh login, so that verdaccio recognizes your owned groups

Docker

git clone https://github.com/bufferoverflow/verdaccio-gitlab.git
cd verdaccio-gitlab
docker-compose up --build -d

Development

Setup development environment, npm start will do:

cd node_modules/verdaccio
npm link ../../
cd ../../

Run one of the following command to create a release:

npm run release:major
npm run release:minor
npm run release:patch

finally run

npm publish

Todo

  • authenticate with personal access token
  • compare provided user name and GitLab username
  • get user groups from GitLab
  • authorize publish based on group ownership
  • Docker Compose setup of GitLab and Verdaccio
  • how to handle group owner ship changes? timeout?
  • use openid connect for web ui
  • improve linting, eslint vs. jshint vs. babel ,etc.
  • pass repolinter
  • make it perfect ;-r

Inspired by

License

MIT

Keywords

sinopia
verdaccio
gitlab
auth
npm
registry

FAQs

Package last updated on 22 Jan 2018

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions

Security News

/

Research

Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions

Malicious npm package impersonates Nodemailer and drains wallets by hijacking crypto transactions across multiple blockchains.

By Kirill Boychenko  -  Aug 29, 2025
SocketSocket SOC 2 Logo

Product

About

Packages

Explore npm
Explore Cargo
Explore Go
Explore Maven
Explore NuGet
Explore PyPI
Explore Rubygems

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc

U.S. Patent No. 12,346,443 & 12,314,394. Other pending.