chore(deps): update dependency verdaccio to v6.7.4 #21689
Merged
3ab9f20 to 414b5ec
giancorderoortiz approved these changes Jul 3, 2026
Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.
spartacus

| Property | Value |
|---|---|
| Project | spartacus |
| Branch Review | renovate/verdaccio-6.x |
| Run status | |
| Run duration | 04m 14s |
| Commit | |
| Committer | renovate[bot] |
| Test results | 0, 3, 0, 0, 103 |
This PR contains the following updates:
6.7.1 → 6.7.4

Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes
verdaccio/verdaccio (verdaccio)

v6.7.4
Patch Changes
0205c78: fix: run jwt middleware before middleware plugins
Register the JWT middleware before middleware plugins are loaded so that req.remote_user (anonymous by default) is available inside a plugin's register_middlewares. The API router keeps its own JWT middleware behind a guard so it is not executed twice.
Backport of #5697
Closes #5167

v6.7.3
Patch Changes
f8fdfc2: fix: enforce generated npm token metadata
Generated npm tokens (POST /-/npm/v1/tokens) stored their readonly and cidr_whitelist restrictions but never enforced them, and deleting a token did not revoke it for the package APIs. A token marked read-only or pinned to a CIDR range could still publish packages and change dist-tags, and a deleted token remained usable.
Generated tokens now embed a server-issued key (in the JWT claim, or in the encrypted legacy AES payload) and a new enforceGeneratedTokenMetadata middleware looks that key up on each request, rejecting the token when it is missing/revoked, used outside its CIDR whitelist, or used for a write while read-only. Enforcement applies to both AES and JWT API-token modes.
Note: tokens issued before upgrading carry no key and are not retroactively
constrained — regenerate them to apply the restrictions.
be80623: fix: allow npm token create without readonly/cidr_whitelist
npm token create in npm >= 11 (and the npm 12 prereleases) rewrote the request body: it no longer sends readonly and only sends cidr_whitelist when --cidr is passed. The POST /-/npm/v1/tokens endpoint required both, so modern npm clients failed with 422 the parameters are not valid. The endpoint now defaults readonly to false and cidr_whitelist to [] when they are absent, while still rejecting values of the wrong type.
75c85d5: Update verdaccio dependencies to the latest npm dist-tag (@verdaccio/ui-theme tracks next-9):
@verdaccio/ui-theme: 9.0.0-next-9.19 → 9.0.0-next-9.20
d5e5332: chore: update dependencies
Updates runtime dependencies @verdaccio/ui-theme (9.0.0-next-9.19) and semver (7.8.2), along with development dependencies: Babel 7.29.7, @changesets/cli 2.31.0, ESLint 10.4.1, Vitest 4.1.8, Cypress 15.16.0, Prettier 3.8.3, @verdaccio/test-helper 4.0.4, @verdaccio/eslint-config 13.1.2, and assorted type definitions.

v6.7.2
Patch Changes
a89aca1: chore: fix unit test
a28cf71: chore: add missing types #5889 by @mbtools

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
Managed by the SAP Open Source Program Office. For questions/issues please raise an issue in the renovate-controller repository.
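
The v6.7.3 release note above describes three per-request checks on a generated token: key missing/revoked, source address outside the CIDR whitelist, and a write while read-only. The sketch below is an added example of that decision logic, not Verdaccio's code and not part of this PR; `checkGeneratedToken`, `tokenStore`, `claims.key`, the reason strings and the sample store are hypothetical names, and only IPv4 CIDRs are handled.

```javascript
// Added illustration; all names here are hypothetical, not Verdaccio's API.
const WRITE_METHODS = new Set(['PUT', 'POST', 'DELETE', 'PATCH']);

// Convert dotted IPv4 to an unsigned 32-bit integer; null when malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip is inside cidr ("a.b.c.d/len"). Malformed input (including
// IPv6, which this sketch does not parse) never matches, so it fails closed.
function inCidr(ip, cidr) {
  const [base, lenStr = '32'] = String(cidr).split('/');
  if (!/^\d{1,2}$/.test(lenStr) || Number(lenStr) > 32) return false;
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null) return false;
  const size = 2 ** (32 - Number(lenStr));
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Decide whether a request made with a generated token may proceed.
function checkGeneratedToken(tokenStore, claims, req) {
  // Tokens issued before the upgrade carry no key and are not constrained.
  if (claims.key === undefined) return { allow: true, reason: 'legacy-no-key' };
  const meta = tokenStore.get(claims.key);
  if (!meta) return { allow: false, reason: 'revoked-or-unknown' };
  if (meta.cidr_whitelist.length > 0 &&
      !meta.cidr_whitelist.some((c) => inCidr(req.ip, c))) {
    return { allow: false, reason: 'outside-cidr' };
  }
  if (meta.readonly && WRITE_METHODS.has(req.method.toUpperCase())) {
    return { allow: false, reason: 'readonly-write' };
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample store: one read-only token pinned to 10.0.0.0/8.
const sampleStore = new Map([
  ['k1', { readonly: true, cidr_whitelist: ['10.0.0.0/8'] }],
]);
```

The `legacy-no-key` branch is the case the release note's upgrade caveat covers: such tokens pass until they are regenerated.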