Force YARN and NPM to only pull packages from private repository

We have set up the NPM config file (.npmrc) with a private registry:

registry=https://artifactory.someHost.com/npm/libs

When we run NPM or YARN, our first-level dependencies are successfully pulled from this registry.

However, if a first-level dependency depends on a second-level dependency, the second-level dependency is pulled from GitHub or whatever repository is defined in the first-level dependency.

We want to force all dependencies to be pulled through our private repository, and only through our private repository.

How do we configure this?

Did you follow the steps described at https://www.jfrog.com/confluence/display/RTF/Npm+Registry#NpmRegistry-AutomaticallyRewritingExternalDependencies ?

Artifactory seems to support this by rewriting dependencies so that your dependency tree is restricted to your Artifactory server.

Quoting it:

Packages requested by the Npm client frequently use external dependencies as defined in the packages' package.json file. These dependencies may, in turn, need additional dependencies. Therefore, when downloading an npm package, you may not have full visibility into the full set of dependencies that your original package needs (whether directly or transitively). As a result, you are at risk of downloading malicious dependencies from unknown external resources.

To manage this risk, and maintain the best practice of consuming external packages through Artifactory, you may specify a "safe" whitelist from which dependencies may be downloaded, cached in Artifactory and configure to rewrite the dependencies so that the Npm client accesses dependencies through a virtual repository as follows:

Select the Enable Dependency Rewrite checkbox in the npm virtual repository advanced configuration.
Specify a whitelist pattern of external resources from which dependencies may be downloaded. 
Specify the remote repository in which those dependencies should be cached.
It is preferable to configure a dedicated remote repository for that purpose so it is easier to maintain.

Have you tried using the yarn --registry option, or writing it into .yarnrc?

For example: yarn --registry='https://artifactory.someHost.com/npm/libs'

Or in .yarnrc: --registry "https://artifactory.someHost.com/npm/libs"
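Whichever of the two approaches you use, it helps to verify that the transitive dependencies the question describes really end up resolving to the private registry. The following is an added example, not code from the question or either answer: it scans a package-lock.json (lockfileVersion 1 or 2/3) and a yarn v1 lockfile for resolved URLs whose host is not the Artifactory host. The lockfile fragments are constructed for illustration; the registry URL is the one from the question.

```python
"""Report lockfile entries that resolve to a host other than the private registry."""
import json
import re
from urllib.parse import urlparse

PRIVATE_REGISTRY = "https://artifactory.someHost.com/npm/libs"  # from the question

# Constructed package-lock.json (v3 layout): one package from the private registry
# and one nested transitive dependency that escaped to GitHub.
NPM_LOCK = json.loads("""{
 "lockfileVersion": 3,
 "packages": {
  "": {"name": "app"},
  "node_modules/left-pad": {"version": "1.3.0",
   "resolved": "https://artifactory.someHost.com/npm/libs/left-pad/-/left-pad-1.3.0.tgz"},
  "node_modules/left-pad/node_modules/helper": {"version": "2.0.0",
   "resolved": "https://github.com/example/helper/tarball/v2.0.0"}
 }
}""")

# Constructed yarn v1 lockfile with the same situation.
YARN_LOCK = '''
"@scope/pkg@^1.0.0":
  version "1.0.2"
  resolved "https://artifactory.someHost.com/npm/libs/@scope/pkg/-/pkg-1.0.2.tgz#abc"
helper@git+https://github.com/example/helper.git:
  version "2.0.0"
  resolved "git+https://github.com/example/helper.git#0123456789abcdef"
'''

def _npm_lock_entries(lock):
    """Yield (name, url) for every npm lockfile entry that resolves to a URL or git spec."""
    def url_of(meta):
        u = meta.get("resolved") or meta.get("version", "")
        return u if "://" in u or u.startswith(("github:", "git+")) else None
    for path, meta in lock.get("packages", {}).items():  # lockfileVersion 2/3
        if path and url_of(meta):                         # "" is the root project
            yield path.split("node_modules/")[-1], url_of(meta)
    def walk(deps):                                       # lockfileVersion 1 (nested)
        for name, meta in deps.items():
            if url_of(meta):
                yield name, url_of(meta)
            yield from walk(meta.get("dependencies", {}))
    yield from walk(lock.get("dependencies", {}))

def _yarn_lock_entries(text):
    """Yield (name, url) from a yarn v1 lockfile; the fragment after '#' is dropped."""
    name = None
    for line in text.splitlines():
        if line and not line.startswith((" ", "#")):     # header line such as foo@^1.0.0:
            name = re.match(r'^"?(@?[^@"]+)@', line).group(1)
        else:
            m = re.match(r'^\s+resolved "([^"#]+)', line)
            if m:
                yield name, m.group(1)

def foreign_resolutions(entries, registry=PRIVATE_REGISTRY):
    """Return sorted (name, url) pairs whose host differs from the private registry's host."""
    allowed = urlparse(registry).netloc.lower()
    return sorted((n, u) for n, u in entries if urlparse(u).netloc.lower() != allowed)
```

Run it against a real lockfile with `json.load(open("package-lock.json"))` or `open("yarn.lock").read()`; an empty result means every pinned download goes through the private registry.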