JSPM

@cdxoo/npm-lockdown-proxy

0.0.1
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 12
  • Score
    100M100P100Q60325F
  • License MIT

Minimal npm registry proxy with package/version whitelisting

Package Exports

    This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@cdxoo/npm-lockdown-proxy) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

    Readme

    @cdxoo/npm-lockdown-proxy

    A minimal npm registry proxy that blocks any package (or version) not on a whitelist.

    AI Disclosure

    This stuff was vibe coded with claude (pronounced "KLORT!!")

    Run

    node proxy.js
    Env var Default Description
    PORT 4873 Port to listen on
    WHITELIST whitelist.json Path to whitelist file

    Use

    npm install <pkg> --registry http://localhost:4873
# or set it globally
npm config set registry http://localhost:4873

    Whitelist format

    whitelist.json is an object. The value controls which versions are allowed:

    {
  "express":      "*",
  "lodash":       "4.17.21",
  "@types/node":  ["18.19.9", "20.11.5"]
}
    Value Meaning
    "*" Any version
    "1.2.3" Exact version only
    ["1.2.3", "4.5.6"] Any of these exact versions

    Behaviour

    • Package not in whitelist -> 404 (npm sees it as non-existent)
    • Package in whitelist, version not allowed -> 404 on the tarball download
    • Applies to all packages including transitive dependencies
    • /-/ endpoints (ping, search) are always passed through

    Reload whitelist without restart

    kill -HUP <pid>