npm proxy:
- Rewrite tarball URLs in metadata to point to NORA (was broken — tarballs bypassed NORA)
- Scoped packages (@scope/package) full support in handler and repo index
- Metadata cache TTL (NORA_NPM_METADATA_TTL, default 300s) with stale-while-revalidate
- proxy_auth now wired into fetch_from_proxy (was configured but unused)
npm publish:
- PUT /npm/{package} — accepts standard npm publish payload
- Version immutability — 409 Conflict on duplicate version
- Tarball URL rewriting in published metadata
Security:
- SHA256 integrity verification on cached tarballs (immutable cache)
- Attachment filename validation (path traversal protection)
- Package name mismatch detection (URL vs payload)
Config:
- npm.metadata_ttl — configurable cache TTL (env: NORA_NPM_METADATA_TTL)
# Workspace root: the three NORA crates listed in `members` are built together
# and share the package metadata and dependency versions declared in this file.
[workspace]
# Feature resolver v2 (the edition-2021 behaviour), set explicitly at the root.
resolver = "2"
members = ["nora-registry", "nora-storage", "nora-cli"]

# Package metadata defined once for the workspace. A member crate can inherit
# a field with `<field>.workspace = true` instead of repeating the value.
[workspace.package]
version = "0.2.31"
authors = ["DevITWay <devitway@gmail.com>"]
edition = "2021"
homepage = "https://getnora.io"
license = "MIT"
repository = "https://github.com/getnora-io/nora"

# Dependency versions shared across the workspace; a member crate can pull one
# in with `<dep>.workspace = true`.
# These are caret requirements, not pins. The exact versions that end up in a
# build are the ones recorded in Cargo.lock, so release builds should use
# `--locked` to fail instead of silently re-resolving.
[workspace.dependencies]
async-trait = "0.1"
axum = "0.8"
hex = "0.4"
# hmac 0.12 and sha2 0.10 are built on the same digest 0.10 traits; bump them
# together so the hash and MAC types stay compatible.
hmac = "0.12"
# Default features are disabled so that rustls is the only TLS backend compiled
# in (no native-tls/OpenSSL). Every other reqwest default is off as well and
# has to be listed here explicitly if it is needed.
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
serde = { version = "1", features = ["derive"] }
serde_json = "1"
sha2 = "0.10"
# NOTE(review): "full" enables every tokio feature. Listing only the features
# the crates actually use would reduce the amount of compiled-in code; confirm
# against the member crates before narrowing.
tokio = { version = "1", features = ["full"] }
tracing = "0.1"
tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }