JSPM

@cdxoo/npm-lockdown-proxy

0.0.5
License: MIT

Minimal npm registry proxy with package/version whitelisting


    @cdxoo/npm-lockdown-proxy

    A minimal npm registry proxy that blocks any package (or version) not on a whitelist.

    AI Disclosure

    This stuff was vibe coded with Claude (pronounced "KLORT!!"). I hope I never have to actually maintain this...

    Run

    # env var defaults are PORT=4873 WHITELIST=whitelist.json
    npx @cdxoo/npm-lockdown-proxy
    
    # or
    
    npm install -g @cdxoo/npm-lockdown-proxy
    npm-lockdown-proxy
    npm-lockdown-proxy-whitelist-from-lockfile some-package-lock.json [--merge]
    

    Use

    npm install <pkg> --registry http://localhost:4873
    # or
    echo "registry=http://localhost:4873" >> my-project/.npmrc # or ~/.npmrc
    # or
    npm config set registry http://localhost:4873
    
    # If you previously installed a version of the same package that is not whitelisted,
    # npm may serve it from the local cache and the install will fail. In that case install with
    npm install --cache /dev/null ...
    # or clear the local cache with
    npm cache clean --force

    Server Env Vars

    | Env var   | Default        | Description            |
    |-----------|----------------|------------------------|
    | PORT      | 4873           | Port to listen on      |
    | WHITELIST | whitelist.json | Path to whitelist file |

    Whitelist format

    whitelist.json is an object. The value controls which versions are allowed:

    {
      "express":      "*",
      "lodash":       "4.17.21",
      "@types/node":  ["18.19.9", "20.11.5"]
    }

    | Value              | Meaning                     |
    |--------------------|-----------------------------|
    | "*"                | Any version                 |
    | "1.2.3"            | Exact version only          |
    | ["1.2.3", "4.5.6"] | Any of these exact versions |

    Behaviour

    • Package not in whitelist -> 404 (npm sees it as non-existent)
    • Package in whitelist, version not allowed -> 404 on the tarball download
    • Applies to all packages including transitive dependencies
    • /-/ endpoints (ping, search) are always passed through
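    As an added illustration (not the project's code), the following applies the whitelist rules above to the request kinds described under Behaviour: metadata lookups, tarball downloads, and `/-/` endpoints. The request-path layout assumed for tarballs and scoped packages (`/<pkg>`, `/@scope%2fname`, `/<pkg>/-/<name>-<version>.tgz`) is an assumption, since the page does not show the proxy's routing.

```javascript
// Added example, not the project's code: a policy check implementing the
// documented whitelist semantics ("*", exact string, array of exact versions)
// and the documented 404 / pass-through behaviour. The registry path layout
// used below is assumed; the real proxy's routing is not shown on the page.

// Constructed sample whitelist, mirroring the README's example.
const WHITELIST = {
  "express": "*",
  "lodash": "4.17.21",
  "@types/node": ["18.19.9", "20.11.5"],
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns true when `version` of `pkg` is allowed by the whitelist.
function versionAllowed(whitelist, pkg, version) {
  if (!has(whitelist, pkg)) return false;
  const rule = whitelist[pkg];
  if (rule === "*") return true;                          // any version
  if (typeof rule === "string") return rule === version;  // exact version only
  if (Array.isArray(rule)) return rule.includes(version); // any listed exact version
  return false;                                           // malformed rule: fail closed
}

// Decides how the proxy should treat a registry request path:
// "pass" (forward upstream unchanged) or 404 (refuse, so npm sees "not found").
function decide(whitelist, path) {
  if (path.startsWith("/-/")) return "pass";              // ping, search, etc.
  const p = decodeURIComponent(path).replace(/^\//, "");  // "@types%2fnode" -> "@types/node"
  // Tarball request: <pkg>/-/<basename>-<version>.tgz (the version check happens here,
  // which is why a disallowed version yields 404 on the tarball, not on the metadata).
  const m = p.match(/^(.+?)\/-\/(.+)\.tgz$/);
  if (m) {
    const pkg = m[1];
    const base = pkg.startsWith("@") ? pkg.split("/")[1] : pkg;
    const version = m[2].slice(base.length + 1);          // strip "<base>-"
    return versionAllowed(whitelist, pkg, version) ? "pass" : 404;
  }
  // Packument (metadata) request: /<pkg>. Transitive dependencies arrive the same
  // way, so they are covered by the same check.
  return has(whitelist, p) ? "pass" : 404;
}
```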

    Reload whitelist without restart

    kill -HUP <pid>