@cdxoo/npm-lockdown-proxy
A minimal npm registry proxy that blocks any package (or version) not on a whitelist.
AI Disclosure
This stuff was vibe coded with claude (pronounced "KLORT!!"). I hope I never have to actually maintain this...
Run
```sh
# env var defaults are PORT=4873 WHITELIST=whitelist.json
npx @cdxoo/npm-lockdown-proxy
# or
npm install -g @cdxoo/npm-lockdown-proxy
npm-lockdown-proxy
npm-lockdown-proxy-whitelist-from-lockfile some-package-lock.json [--merge]
```
Use
```sh
npm install <pkg> --registry http://localhost:4873
# or
echo "registry=http://localhost:4873" >> my-project/.npmrc # or ~/.npmrc
# or
npm config set registry http://localhost:4873
```
Server Env Vars
| Env var | Default | Description |
|---|---|---|
| PORT | 4873 | Port to listen on |
| WHITELIST | whitelist.json | Path to whitelist file |
Whitelist format
whitelist.json is an object keyed by package name. The value controls which versions are allowed:
```json
{
  "express": "*",
  "lodash": "4.17.21",
  "@types/node": ["18.19.9", "20.11.5"]
}
```
| Value | Meaning |
|---|---|
| "*" | Any version |
| "1.2.3" | Exact version only |
| ["1.2.3", "4.5.6"] | Any of these exact versions |
Behaviour
- Package not in whitelist -> 404 (npm sees it as non-existent)
- Package in whitelist, version not allowed -> 404 on the tarball download
- Applies to all packages including transitive dependencies
- /-/ endpoints (ping, search) are always passed through
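The whitelist rules and 404 behaviour above, as an added example (not code from this package): a pre-flight check that lists which entries of a `package-lock.json`, transitive dependencies included, would be refused under those rules. It assumes a lockfile v2/v3 `packages` map; the function names and sample data are constructed for illustration, and treating an unrecognised rule value as a deny is this sketch's own choice.

```javascript
// Added example, not the proxy's source. Mirrors the README's whitelist rules.

// Decide whether name@version is permitted by a whitelist object.
function isAllowed(whitelist, name, version) {
  // Own-property check so keys such as "constructor" never match via the prototype.
  if (!Object.prototype.hasOwnProperty.call(whitelist, name)) return false;
  const rule = whitelist[name];
  if (rule === '*') return true;                           // any version
  if (typeof rule === 'string') return rule === version;   // exact version only
  if (Array.isArray(rule)) return rule.includes(version);  // any listed exact version
  return false; // unrecognised rule type: fail closed (assumption of this sketch)
}

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// List every locked dependency (transitive ones included) the whitelist would reject.
function findBlocked(lock, whitelist) {
  const blocked = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || entry.link) continue; // skip the root project and workspace links
    const name = entry.name || nameFromLockKey(key); // "name" is set for aliased installs
    if (!name || !entry.version) continue;
    if (!isAllowed(whitelist, name, entry.version)) blocked.push(`${name}@${entry.version}`);
  }
  return blocked.sort();
}

// Constructed sample data: the README's whitelist and a made-up lockfile.
const sampleWhitelist = { express: '*', lodash: '4.17.21', '@types/node': ['18.19.9', '20.11.5'] };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/lodash': { version: '4.17.20' },
    'node_modules/@types/node': { version: '20.11.5' },
    'node_modules/express/node_modules/debug': { version: '2.6.9' },
  },
};

console.log(findBlocked(sampleLock, sampleWhitelist));
```

Running a check like this before pointing a project at the proxy shows which whitelist entries are missing or pinned to a different version than the lockfile resolves.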
Reload whitelist without restart
```sh
kill -HUP <pid>
```