
chore(deps): update dependency verdaccio to v6.7.4 #21689

Merged
giancorderoortiz merged 2 commits into develop from renovate/verdaccio-6.x
Jul 3, 2026

@renovate renovate Bot commented Jul 3, 2026

Contributor

This PR contains the following updates:

Package | Change | Age | Adoption | Passing | Confidence
verdaccio (source) | 6.7.1 → 6.7.4 | age | adoption | passing | confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

verdaccio/verdaccio (verdaccio)

v6.7.4

Compare Source

Patch Changes
  • 0205c78: fix: run jwt middleware before middleware plugins

    Register the JWT middleware before middleware plugins are loaded so that
    req.remote_user (anonymous by default) is available inside a plugin's
    register_middlewares. The API router keeps its own JWT middleware behind a
    guard so it is not executed twice.

    Backport of #5697

    Closes #5167

v6.7.3

Compare Source

Patch Changes
  • f8fdfc2: fix: enforce generated npm token metadata

    Generated npm tokens (POST /-/npm/v1/tokens) stored their readonly and
    cidr_whitelist restrictions but never enforced them, and deleting a token did
    not revoke it for the package APIs. A token marked read-only or pinned to a CIDR
    range could still publish packages and change dist-tags, and a deleted token
    remained usable.

    Generated tokens now embed a server-issued key (in the JWT claim, or in the
    encrypted legacy AES payload) and a new enforceGeneratedTokenMetadata
    middleware looks that key up on each request, rejecting the token when it is
    missing/revoked, used outside its CIDR whitelist, or used for a write while
    read-only. Enforcement applies to both AES and JWT API-token modes.

    Note: tokens issued before upgrading carry no key and are not retroactively
    constrained — regenerate them to apply the restrictions.

  • be80623: fix: allow npm token create without readonly/cidr_whitelist

    npm token create in npm >= 11 (and the npm 12 prereleases) rewrote the
    request body: it no longer sends readonly and only sends cidr_whitelist
    when --cidr is passed. The POST /-/npm/v1/tokens endpoint required both,
    so modern npm clients failed with 422 the parameters are not valid.

    The endpoint now defaults readonly to false and cidr_whitelist to []
    when they are absent, while still rejecting values of the wrong type.

  • 75c85d5: Update verdaccio dependencies to the latest npm dist-tag (@verdaccio/ui-theme tracks next-9):

    • @verdaccio/ui-theme: 9.0.0-next-9.19 → 9.0.0-next-9.20
  • d5e5332: chore: update dependencies

    Updates runtime dependencies @verdaccio/ui-theme (9.0.0-next-9.19) and
    semver (7.8.2), along with development dependencies: Babel 7.29.7,
    @changesets/cli 2.31.0, ESLint 10.4.1, Vitest 4.1.8, Cypress 15.16.0,
    Prettier 3.8.3, @verdaccio/test-helper 4.0.4, @verdaccio/eslint-config
    13.1.2, and assorted type definitions.

v6.7.2

Compare Source

Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
Managed by the SAP Open Source Program Office. For questions/issues please raise an issue in the renovate-controller repository.
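
The enforcement order described in the v6.7.3 note above, sketched as an added example (not Verdaccio's code and not part of this PR). `checkGeneratedToken`, the `key` claim name, the Map-backed store and the sample records are hypothetical, and CIDR matching here is IPv4-only.

```javascript
// Added illustration: every name below is hypothetical, not Verdaccio's code.
const WRITE_METHODS = new Set(['PUT', 'POST', 'DELETE', 'PATCH']);

// Dotted IPv4 -> unsigned 32-bit number, or null when malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip is inside an IPv4 CIDR such as "10.0.0.0/8"; malformed
// input and non-IPv4 addresses return false, so the caller fails closed.
function inCidr(ip, cidr) {
  const [base, bitsStr = '32'] = String(cidr).split('/');
  if (!/^\d{1,2}$/.test(bitsStr) || Number(bitsStr) > 32) return false;
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null) return false;
  const size = 2 ** (32 - Number(bitsStr));
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// claims: decoded token payload; store: Map of server-issued key -> metadata.
function checkGeneratedToken(claims, store, req) {
  // Tokens issued before the upgrade carry no key and are not constrained.
  if (!claims.key) return { allowed: true, reason: 'legacy-unconstrained' };
  const meta = store.get(claims.key);
  // In this sketch deleting a token removes its record, so the lookup is the revocation check.
  if (!meta) return { allowed: false, reason: 'revoked-or-unknown' };
  const cidrs = meta.cidr_whitelist;
  if (cidrs.length > 0 && !cidrs.some((c) => inCidr(req.ip, c))) {
    return { allowed: false, reason: 'outside-cidr' };
  }
  if (meta.readonly && WRITE_METHODS.has(req.method)) {
    return { allowed: false, reason: 'readonly-write' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample records, keyed by the server-issued token key.
const sampleStore = new Map([
  ['k1', { readonly: true, cidr_whitelist: ['10.0.0.0/8'] }],
  ['k2', { readonly: false, cidr_whitelist: [] }],
]);
```

The first branch is the reason the release note asks for older tokens to be regenerated: a token with no key never reaches the CIDR or read-only checks.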

@renovate renovate Bot requested a review from a team as a code owner July 3, 2026 17:28
@github-actions github-actions Bot marked this pull request as draft July 3, 2026 17:28
@renovate renovate Bot force-pushed the renovate/verdaccio-6.x branch from 3ab9f20 to 414b5ec Compare July 3, 2026 20:58
@giancorderoortiz giancorderoortiz marked this pull request as ready for review July 3, 2026 21:20

renovate Bot commented Jul 3, 2026

Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.


cypress Bot commented Jul 3, 2026


spartacus    Run #53903

Run Properties:
Project: spartacus
Branch Review: renovate/verdaccio-6.x
Run status: Passed #53903
Run duration: 04m 14s
Commit: 9b16cb49cb: Merge 3c736baca61d6c4aa0e23125da0852f3c3edd58e into a583ca4dbf8b59fa70ab52f2e32c...
Committer: renovate[bot]

Test results
Failures: 0
Flaky: 3
Pending: 0
Skipped: 0
Passing: 103

@giancorderoortiz giancorderoortiz merged commit 5db2f3d into develop Jul 3, 2026
46 checks passed
@giancorderoortiz giancorderoortiz deleted the renovate/verdaccio-6.x branch July 3, 2026 21:51