npm - Force YARN and NPM to pull packages only from a private repository

Tags: npm artifactory yarnpkg

We have set up an NPM configuration file (.npmrc) with a private registry:

registry=https://artifactory.someHost.com/npm/libs

When we run NPM or YARN, our first-level dependencies are successfully pulled from that registry.

However, if a first-level dependency depends on a second-level dependency, the second-level dependency is pulled from GitHub or from whatever repository is defined in the first-level dependency.

We want to force all dependencies to be pulled through our private repository, and only through our private repository.

How do we configure this?

Best answer

Have you performed the steps described at https://www.jfrog.com/confluence/display/RTF/Npm+Registry#NpmRegistry-AutomaticallyRewritingExternalDependencies ?

Artifactory appears to support this through dependency rewriting, which restricts the dependency tree to the Artifactory server.

Quoting it:

Packages requested by the Npm client frequently use external dependencies as defined in the packages' package.json file. These dependencies may, in turn, need additional dependencies. Therefore, when downloading an npm package, you may not have full visibility into the full set of dependencies that your original package needs (whether directly or transitively). As a result, you are at risk of downloading malicious dependencies from unknown external resources.

To manage this risk, and maintain the best practice of consuming external packages through Artifactory, you may specify a "safe" whitelist from which dependencies may be downloaded, cached in Artifactory and configure to rewrite the dependencies so that the Npm client accesses dependencies through a virtual repository as follows:

Select the Enable Dependency Rewrite checkbox in the npm virtual repository advanced configuration.
Specify a whitelist pattern of external resources from which dependencies may be downloaded. 
Specify the remote repository in which those dependencies should be cached.
It is preferable to configure a dedicated remote repository for that purpose so it is easier to maintain.

This question (npm - Force YARN and NPM to pull packages only from a private repository) corresponds to the original on Stack Overflow: https://stackoverflow.com/questions/48650688/
