dependabot[bot]
94ca418155
chore(deps): bump clap from 4.5.60 to 4.6.0
...
Bumps [clap](https://github.com/clap-rs/clap ) from 4.5.60 to 4.6.0.
- [Release notes](https://github.com/clap-rs/clap/releases )
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md )
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.60...clap_complete-v4.6.0 )
---
updated-dependencies:
- dependency-name: clap
dependency-version: 4.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-17 04:25:03 +00:00
d3439ae33d
docs: changelog v0.2.31
2026-03-16 12:51:10 +00:00
b3b74b8b2d
feat: npm full proxy — URL rewriting, scoped packages, publish, integrity cache (v0.2.31)
...
npm proxy:
- Rewrite tarball URLs in metadata to point to NORA (was broken — tarballs bypassed NORA)
- Scoped packages (@scope/package) full support in handler and repo index
- Metadata cache TTL (NORA_NPM_METADATA_TTL, default 300s) with stale-while-revalidate
- proxy_auth now wired into fetch_from_proxy (was configured but unused)
npm publish:
- PUT /npm/{package} — accepts standard npm publish payload
- Version immutability — 409 Conflict on duplicate version
- Tarball URL rewriting in published metadata
Security:
- SHA256 integrity verification on cached tarballs (immutable cache)
- Attachment filename validation (path traversal protection)
- Package name mismatch detection (URL vs payload)
Config:
- npm.metadata_ttl — configurable cache TTL (env: NORA_NPM_METADATA_TTL)
2026-03-16 12:32:16 +00:00
d41b55fa3a
style: cargo fmt
2026-03-16 08:58:27 +00:00
5a68bfd695
fix: dashboard — docker namespaced repos, npm proxy cache, upstream display (v0.2.30)
2026-03-16 08:55:33 +00:00
9c8fee5a5d
docs: rewrite README — new slogan, roadmap, trim TLS/FSTEC, fix config example
2026-03-16 07:39:43 +00:00
bbff337b4c
fix: clean up stale smoke test container before run
2026-03-15 22:25:37 +00:00
a73335c549
docs: trim README, link to docs site, fix website URL
2026-03-15 22:21:08 +00:00
ad6aba46b2
chore: remove internal release runbook from public repo
2026-03-15 21:57:05 +00:00
095270d113
fix: smoke test port mapping (4000, not 5000)
2026-03-15 21:54:13 +00:00
769f5fb01d
docs: update CHANGELOG and README for v0.2.29 upstream auth
2026-03-15 21:50:14 +00:00
53884e143b
v0.2.29: upstream auth, remove dead code, version bump
...
- Remove unused DockerAuth::fetch_with_auth() method
- Fix basic_auth_header docstring
- Bump to v0.2.29
2026-03-15 21:42:49 +00:00
0eb26f24f7
refactor: extract basic_auth_header helper, add plaintext credential warnings
...
- basic_auth_header() in config.rs replaces 6 inline STANDARD.encode calls
- warn_plaintext_credentials() logs warning at startup if auth is in config.toml
- All protocol handlers use shared helper instead of duplicating base64 logic
2026-03-15 21:37:51 +00:00
fa962b2d6e
feat: upstream auth for all protocols (Docker, Maven, npm, PyPI)
...
Wire up basic auth credentials for upstream registry proxying:
- Docker: pass configured auth to Bearer token requests
- Maven: support url|auth format in NORA_MAVEN_PROXIES env var
- npm: add NORA_NPM_PROXY_AUTH env var
- PyPI: add NORA_PYPI_PROXY_AUTH env var
- Mask credentials in logs (never log plaintext passwords)
Config examples:
NORA_DOCKER_UPSTREAMS="https://registry.corp.com |user:pass"
NORA_MAVEN_PROXIES="https://nexus.corp.com/maven2 |user:pass"
NORA_NPM_PROXY_AUTH="user:pass"
NORA_PYPI_PROXY_AUTH="user:pass"
2026-03-15 21:29:20 +00:00
a1da4fff1e
fix: integration tests match actual protocol support
...
- Docker, Maven: full push/pull (write support exists)
- npm, PyPI, Cargo: endpoint checks only (read-only proxy, no publish yet)
2026-03-15 19:58:36 +00:00
868c4feca7
feat: add Maven, PyPI, Cargo integration tests
...
- Maven: PUT artifact, GET and verify checksum
- PyPI: twine upload + pip install
- Cargo: API endpoint check
- Now testing all 5 protocols: Docker, npm, Maven, PyPI, Cargo
2026-03-15 19:53:27 +00:00
5b4cba1392
fix: add npm auth token for integration test publish
2026-03-15 19:49:54 +00:00
ad890be56a
feat: add integration tests, release runbook, cache fallback
...
- CI: integration job — build NORA, docker push/pull, npm publish/install, API checks
- release: cache-from with ignore-error=true (no dependency on localhost:5000)
- RELEASE_RUNBOOK.md: rollback procedure, deploy order, verification steps
2026-03-15 19:36:38 +00:00
3b9ea37b0e
fix: cargo fmt, add .gitleaks.toml allowlist for doc examples
...
- remove extra blank lines in openapi.rs and secrets/mod.rs
- allowlist commit 92155cf (curl -u admin:yourpassword in README)
2026-03-15 19:27:36 +00:00
233b83f902
security: make CI gates blocking, add smoke test, clean up dead code
...
- gitleaks, cargo audit, trivy fs now block pipeline on findings
- add smoke test (docker run + curl /health) in release workflow
- deny.toml: add review date to RUSTSEC-2025-0119 ignore
- remove unused validation functions (maven, npm, crate)
- replace blanket #![allow(dead_code)] with targeted allows
2026-03-15 19:25:00 +00:00
d886426957
docs: fix docker badge to GHCR
2026-03-13 17:12:02 +00:00
52c2443543
docs: remove flaky logo, add docs/stars/docker-size badges
2026-03-13 17:09:13 +00:00
26d30b622d
style: cargo fmt
2026-03-13 16:59:54 +00:00
272898f43c
fix: quinn-proto CVE, add Telegram @getnora, fix website URL
2026-03-13 16:44:20 +00:00
61de6c6ddd
fix: persist dashboard metrics and count versions instead of repos
...
Metrics (downloads, uploads, cache hits) were stored in-memory only
and reset to zero on every restart. Now they persist to metrics.json
in the storage directory with:
- Load on startup from {storage_path}/metrics.json
- Background save every 30 seconds
- Final save on graceful shutdown
- Atomic writes (tmp + rename) to prevent corruption
Artifact count on dashboard now shows total tags/versions across
all registries instead of just counting unique repository names.
This matches user expectations when pushing multiple tags to the
same image (e.g. myapp:v1, myapp:v2 now shows 2, not 1).
2026-03-13 15:43:03 +00:00
b80c7c5160
docs: add authentication guide, TLS setup, FSTEC builds docs
...
- Fix docker-compose.yml: use ghcr.io/getnora-io/nora:latest
- Remove stale CHANGELOG.md.bak, add *.bak to .gitignore
- README: authentication guide (htpasswd, API tokens, RBAC)
- README: TLS/HTTPS section (reverse proxy, insecure-registries)
- README: document Dockerfile.astra and Dockerfile.redos (FSTEC)
- CHANGELOG: add 0.2.28 release notes
2026-03-13 15:08:04 +00:00
68089b2bbf
chore: bump version to 0.2.28
2026-03-12 19:23:32 +00:00
af411a2bf4
Merge pull request #28 from getnora-io/dependabot/cargo/toml-1.0.6spec-1.1.0
...
chore(deps): bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0
2026-03-12 22:14:13 +03:00
96ccd16879
Merge pull request #27 from getnora-io/dependabot/cargo/uuid-1.22.0
...
chore(deps): bump uuid from 1.21.0 to 1.22.0
2026-03-12 22:14:09 +03:00
6582000789
Merge pull request #26 from getnora-io/dependabot/cargo/tokio-1.50.0
...
chore(deps): bump tokio from 1.49.0 to 1.50.0
2026-03-12 22:14:06 +03:00
070774ac94
Merge pull request #25 from getnora-io/dependabot/cargo/bcrypt-0.19.0
...
chore(deps): bump bcrypt from 0.18.0 to 0.19.0
2026-03-12 22:14:01 +03:00
058fc41f1c
Merge pull request #24 from getnora-io/dependabot/github_actions/docker/metadata-action-6
...
chore(deps): bump docker/metadata-action from 5 to 6
2026-03-12 22:13:55 +03:00
7f5a3c7c8a
Merge pull request #23 from getnora-io/dependabot/github_actions/aquasecurity/trivy-action-0.35.0
...
chore(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0
2026-03-12 22:13:49 +03:00
5b57cc5913
Merge pull request #22 from getnora-io/dependabot/github_actions/docker/login-action-4
...
chore(deps): bump docker/login-action from 3 to 4
2026-03-12 22:13:45 +03:00
aa844d851d
Merge pull request #21 from getnora-io/dependabot/github_actions/docker/build-push-action-7
...
chore(deps): bump docker/build-push-action from 6 to 7
2026-03-12 22:13:41 +03:00
8569de23d5
Merge pull request #20 from getnora-io/dependabot/github_actions/docker/setup-buildx-action-4
...
chore(deps): bump docker/setup-buildx-action from 3 to 4
2026-03-12 22:13:38 +03:00
dependabot[bot]
9349b93757
chore(deps): bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0
...
Bumps [toml](https://github.com/toml-rs/toml ) from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0.
- [Commits](https://github.com/toml-rs/toml/compare/toml-v1.0.3...toml-v1.0.6 )
---
updated-dependencies:
- dependency-name: toml
dependency-version: 1.0.6+spec-1.1.0
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:26:09 +00:00
dependabot[bot]
69080dfd90
chore(deps): bump uuid from 1.21.0 to 1.22.0
...
Bumps [uuid](https://github.com/uuid-rs/uuid ) from 1.21.0 to 1.22.0.
- [Release notes](https://github.com/uuid-rs/uuid/releases )
- [Commits](https://github.com/uuid-rs/uuid/compare/v1.21.0...v1.22.0 )
---
updated-dependencies:
- dependency-name: uuid
dependency-version: 1.22.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:59 +00:00
dependabot[bot]
ae799aed94
chore(deps): bump tokio from 1.49.0 to 1.50.0
...
Bumps [tokio](https://github.com/tokio-rs/tokio ) from 1.49.0 to 1.50.0.
- [Release notes](https://github.com/tokio-rs/tokio/releases )
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.49.0...tokio-1.50.0 )
---
updated-dependencies:
- dependency-name: tokio
dependency-version: 1.50.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:50 +00:00
dependabot[bot]
95c6e403a8
chore(deps): bump bcrypt from 0.18.0 to 0.19.0
...
Bumps [bcrypt](https://github.com/Keats/rust-bcrypt ) from 0.18.0 to 0.19.0.
- [Commits](https://github.com/Keats/rust-bcrypt/compare/v0.18.0...v0.19.0 )
---
updated-dependencies:
- dependency-name: bcrypt
dependency-version: 0.19.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:38 +00:00
dependabot[bot]
2c886040d7
chore(deps): bump docker/metadata-action from 5 to 6
...
Bumps [docker/metadata-action](https://github.com/docker/metadata-action ) from 5 to 6.
- [Release notes](https://github.com/docker/metadata-action/releases )
- [Commits](https://github.com/docker/metadata-action/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: docker/metadata-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:36 +00:00
dependabot[bot]
9ab6ccc594
chore(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.34.2 to 0.35.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.34.2...0.35.0 )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:33 +00:00
dependabot[bot]
679b36b986
chore(deps): bump docker/login-action from 3 to 4
...
Bumps [docker/login-action](https://github.com/docker/login-action ) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases )
- [Commits](https://github.com/docker/login-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: docker/login-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:27 +00:00
dependabot[bot]
da8c473e02
chore(deps): bump docker/build-push-action from 6 to 7
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action ) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](https://github.com/docker/build-push-action/compare/v6...v7 )
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:23 +00:00
dependabot[bot]
3dc8b81261
chore(deps): bump docker/setup-buildx-action from 3 to 4
...
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action ) from 3 to 4.
- [Release notes](https://github.com/docker/setup-buildx-action/releases )
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:20 +00:00
7502c583d0
docs: add changelog for v0.2.27
2026-03-03 23:17:25 +00:00
a9455c35b9
chore: bump version to 0.2.27
2026-03-03 22:30:24 +00:00
8278297b4a
feat: configurable body limit + Docker delete API
...
- Add body_limit_mb to ServerConfig (default 2048MB, env NORA_BODY_LIMIT_MB)
- Replace hardcoded 100MB DefaultBodyLimit with config value
- Add DELETE /v2/{name}/manifests/{reference} endpoint (Docker Registry V2 spec)
- Add DELETE /v2/{name}/blobs/{digest} endpoint
- Add namespace-qualified variants for both DELETE endpoints
- Return 202 Accepted on success, 404 with MANIFEST_UNKNOWN/BLOB_UNKNOWN errors
- Audit log integration for delete operations
Fixes: 413 Payload Too Large on Docker push >100MB
2026-03-03 22:25:41 +00:00
8da4c4278a
style: cargo fmt
...
DevITWay
2026-03-03 11:03:40 +00:00
99c1f9b5ec
docs: add changelog for v0.2.25 and v0.2.26
...
DevITWay
2026-03-03 11:01:12 +00:00
