feat: npm full proxy — URL rewriting, scoped packages, publish, integrity cache (v0.2.31)

npm proxy:
- Rewrite tarball URLs in metadata to point to NORA (was broken — tarballs bypassed NORA)
- Scoped packages (@scope/package) full support in handler and repo index
- Metadata cache TTL (NORA_NPM_METADATA_TTL, default 300s) with stale-while-revalidate
- proxy_auth now wired into fetch_from_proxy (was configured but unused)

npm publish:
- PUT /npm/{package} — accepts standard npm publish payload
- Version immutability — 409 Conflict on duplicate version
- Tarball URL rewriting in published metadata

Security:
- SHA256 integrity verification on cached tarballs (immutable cache)
- Attachment filename validation (path traversal protection)
- Package name mismatch detection (URL vs payload)

Config:
- npm.metadata_ttl — configurable cache TTL (env: NORA_NPM_METADATA_TTL)
2026-03-16 12:32:16 +00:00
parent b2be7102fe
commit 01027888cb
5 changed files with 516 additions and 71 deletions

@@ -7,7 +7,7 @@ members = [
]
[workspace.package]
version = "0.2.30"
version = "0.2.31"
edition = "2021"
license = "MIT"
authors = ["DevITWay <devitway@gmail.com>"]
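Review bot: the `version = "0.2.31"` bump in `[workspace.package]` rides in the same commit as the proxy, publish and security changes (5 files, 516 additions); consider moving the release bump into its own commit so the tag points at a change that can be reverted or cherry-picked without touching the feature code. The commit message also lists a new endpoint (PUT /npm/{package}) and a new config key (npm.metadata_ttl) under a patch-level increment, so a changelog entry naming both would help operators who pin on 0.2.x.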