emmanueloga_ | 6 months ago
In theory for each package one could:
* npm install pkg
* npm pack pkg
* npm publish --registry=https://verdaccio.company.com
* set .npmrc to "registry=https://verdaccio.company.com/" when working with the actual app.
...this way, one could vet packages one by one. The main caveat I see is that it’s very inconvenient to have to vet and publish each package manually.
It would be great if Verdaccio had a UI to make this easier, for example, showing packages that were attempted to install but not yet vetted, and then allowing approval with a single click.
emmanueloga_|6 months ago
I think this reinforces the idea that this is something that could be built into verdaccio.
--
1: https://news.ycombinator.com/item?id=44891786
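
One way to check that the `.npmrc` step in the list above is actually holding, as an added example that is not part of the original comments: a Node.js audit that flags any `package-lock.json` entry not resolved from the private registry or missing an integrity hash. The function name `findUnvetted` and the lockfile contents are constructed for illustration; the registry URL is the one from the comment.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// against the private registry named in the comment above.
const REGISTRY = 'https://verdaccio.company.com/';

function findUnvetted(lockfile, registry = REGISTRY) {
  const allowedOrigin = new URL(registry).origin;
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    // Skip the root project, workspace links and bundled deps (no tarball of their own).
    if (path === '' || entry.link || entry.inBundle) continue;
    if (!entry.resolved) {
      findings.push({ path, reason: 'no resolved URL recorded' });
      continue;
    }
    let origin;
    try {
      origin = new URL(entry.resolved).origin;
    } catch {
      findings.push({ path, reason: 'unparseable source: ' + entry.resolved });
      continue;
    }
    if (origin !== allowedOrigin) {
      findings.push({ path, reason: 'resolved outside private registry: ' + entry.resolved });
    } else if (!entry.integrity) {
      findings.push({ path, reason: 'missing integrity hash' });
    }
  }
  return findings;
}

// Constructed sample lockfile (package names, versions and hashes are made up).
const SAMPLE_LOCK = {
  name: 'app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/vetted-pkg': {
      version: '1.3.0',
      resolved: 'https://verdaccio.company.com/vetted-pkg/-/vetted-pkg-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED',
    },
    'node_modules/direct-pkg': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/direct-pkg/-/direct-pkg-2.0.0.tgz',
      integrity: 'sha512-CONSTRUCTED',
    },
    'node_modules/no-hash-pkg': {
      version: '0.1.0',
      resolved: 'https://verdaccio.company.com/no-hash-pkg/-/no-hash-pkg-0.1.0.tgz',
    },
  },
};

console.log(findUnvetted(SAMPLE_LOCK));
```

This only shows where each tarball was fetched from; it assumes the private registry serves nothing but packages that were published to it after vetting.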