
pnpr backend parity with verdaccio — Tracking Issue #11973

Description

@zkochan

Tracking issue for bringing @pnpm/pnpr to feature parity with verdaccio as a backend.

Scope

  • In scope: every HTTP and on-disk capability a registry server needs in production — auth, ACLs, uplinks, caching, publish lifecycle, storage integrity, observability, config.
  • In scope: a complete enough HTTP/JSON surface that an external project could build a browser UI on top of it.
  • Out of scope: a built-in browser UI / web frontend. We might ship one but that is not part of this issue.
  • Out of scope: verdaccio's plugin-as-npm-package model. If we add extensibility it will be compile-time Rust traits, not dynamic JS plugins. Decision required (see below).

Already done

  • packument and tarball serving (full + abbreviated)
  • publish, unpublish (full + per-version), dist-tag CRUD
  • per-package glob policy ($all / $authenticated)
  • htpasswd-style auth (bcrypt, persisted to disk), basic + bearer
  • bearer tokens persisted to a SQLite database (SHA-256-hashed)
  • uplink proxying with packument TTL cache
  • local search (/-/v1/search)
  • atomic writes, verdaccio-compatible on-disk layout
  • integration tests covering the above

Required for verdaccio parity

Auth & user endpoints

Access control

Uplinks & caching

Storage & integrity

  • SHA verification on tarball read (detect on-disk corruption)
  • SHA verification on publish (hash payload, compare to packument integrity) — landed in fix(registry): verify tarball SHA on publish #11976
  • Ownership / maintainer tracking per package
  • Garbage collection of orphaned tarballs

Publish lifecycle

  • npm deprecate (PUT packument with deprecated field on a version)
  • Configurable strict mode: reject re-publish of an existing version
  • Tarball format validation (gzip header, tar entries)
  • Maintainer add/remove (PUT /-/package/:pkg/owner)
  • Star / unstar endpoints (optional, npm-client uses them)
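
The checks listed under Storage & integrity and Publish lifecycle above (SHA verification on publish and on read-back, tarball format validation, strict-mode re-publish rejection) fit together as one validation pass over the publish PUT body. The following is an added illustration, not pnpr's own code (pnpr is Rust; Python is used here for brevity): it assumes the npm publish body shape (`versions[v].dist.integrity` / `dist.shasum`, `_attachments[filename].data` as base64) and a constructed `demo-pkg@1.0.0` payload built inline.

```python
import base64
import gzip
import hashlib
import hmac
import io
import tarfile


class PublishRejected(Exception):
    """Raised when a publish request must be refused with a 4xx."""


def parse_sri(integrity):
    """Split an SRI value such as 'sha512-<base64>' into (algorithm, digest bytes)."""
    algo, _, b64 = integrity.partition("-")
    if algo not in ("sha512", "sha256") or not b64:
        raise PublishRejected(f"unsupported integrity value: {integrity!r}")
    try:
        return algo, base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise PublishRejected("integrity value is not valid base64") from exc


def check_integrity(data, integrity, shasum=None):
    """Hash tarball bytes and compare (constant time) against the packument's dist fields.
    The same check serves both an incoming publish and a tarball read back from disk."""
    algo, expected = parse_sri(integrity)
    if not hmac.compare_digest(hashlib.new(algo, data).digest(), expected):
        raise PublishRejected("dist.integrity does not match tarball contents")
    if shasum is not None and not hmac.compare_digest(
            hashlib.sha1(data).hexdigest(), shasum.lower()):
        raise PublishRejected("dist.shasum does not match tarball contents")


def validate_tarball_format(data):
    """Reject anything that is not a gzip stream wrapping a non-empty tar archive."""
    if data[:2] != b"\x1f\x8b":
        raise PublishRejected("payload is not gzip (bad magic bytes)")
    try:
        raw = gzip.decompress(data)
        with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tar:
            names = tar.getnames()
    except (OSError, EOFError, tarfile.TarError) as exc:
        raise PublishRejected(f"payload is not a valid tar.gz: {exc}") from exc
    if not names:
        raise PublishRejected("tarball contains no entries")
    return names


def verify_publish(body, existing_versions=(), strict=False):
    """Validate every version in a publish PUT body; return {version: tarball bytes}."""
    accepted = {}
    attachments = body.get("_attachments", {})
    for version, meta in body.get("versions", {}).items():
        if strict and version in existing_versions:
            raise PublishRejected(f"version {version} already exists (strict mode)")
        dist = meta["dist"]
        filename = dist["tarball"].rsplit("/", 1)[-1]
        attachment = attachments.get(filename)
        if attachment is None:
            raise PublishRejected(f"no _attachments entry for {filename}")
        try:
            data = base64.b64decode(attachment["data"], validate=True)
        except ValueError as exc:
            raise PublishRejected("attachment data is not valid base64") from exc
        if "length" in attachment and attachment["length"] != len(data):
            raise PublishRejected("attachment length does not match decoded data")
        validate_tarball_format(data)
        check_integrity(data, dist["integrity"], dist.get("shasum"))
        accepted[version] = data
    return accepted


def make_sample_body(tamper=False):
    """Constructed publish body for demo-pkg@1.0.0 (not captured registry traffic)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        content = b'{"name":"demo-pkg","version":"1.0.0"}\n'
        info = tarfile.TarInfo("package/package.json")
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    data = gzip.compress(buf.getvalue())
    integrity = "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()
    shasum = hashlib.sha1(data).hexdigest()
    if tamper:  # flip a bit in the gzip mtime field, which decompression does not verify
        data = data[:4] + bytes([data[4] ^ 0x01]) + data[5:]
    return {
        "name": "demo-pkg",
        "versions": {"1.0.0": {"dist": {
            "tarball": "http://localhost:4873/demo-pkg/-/demo-pkg-1.0.0.tgz",
            "integrity": integrity, "shasum": shasum}}},
        "_attachments": {"demo-pkg-1.0.0.tgz": {
            "data": base64.b64encode(data).decode(), "length": len(data)}},
    }


if __name__ == "__main__":
    print(sorted(verify_publish(make_sample_body())))
    try:
        verify_publish(make_sample_body(tamper=True))
    except PublishRejected as exc:
        print("rejected:", exc)
```

Format validation runs before hashing so a malformed payload is refused with a specific error, and the hash comparison uses a constant-time compare; the tampered sample alters a gzip header byte that decompression ignores, so only the integrity check catches it.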

Admin / management API (surface for external UIs)

  • User list endpoint
  • Package metadata / sidebar endpoint suitable for a UI
  • Audit endpoint (POST /-/npm/v1/security/audits) — proxy or local

Health & observability

Config

  • ${ENV_VAR} substitution in YAML
  • Schema validation with miette-style diagnostics
  • Hot reload (SIGHUP)
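
As an added example of the ${ENV_VAR} substitution item (not pnpr's implementation; the config keys below are hypothetical), this expands references in the already-parsed config tree rather than in the raw YAML text, so a secret containing `:`, `#` or a newline cannot change the document structure, and an unset variable is a hard error instead of a silently empty credential:

```python
import os
import re

# Matches ${NAME}; NAME must look like a shell identifier.
ENV_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


class ConfigError(Exception):
    """Raised for a config that cannot be resolved; the server should refuse to start."""


def substitute_env(node, env=None):
    """Expand ${VAR} in every string of a parsed config tree (dicts, lists, scalars)."""
    env = os.environ if env is None else env
    if isinstance(node, str):
        def expand(match):
            name = match.group(1)
            if name not in env:
                raise ConfigError(f"config references unset environment variable {name}")
            return env[name]
        return ENV_REF.sub(expand, node)
    if isinstance(node, dict):
        return {key: substitute_env(value, env) for key, value in node.items()}
    if isinstance(node, list):
        return [substitute_env(value, env) for value in node]
    return node  # ints, bools and None pass through untouched


# Constructed stand-in for a parsed config; key names are hypothetical.
SAMPLE_CONFIG = {
    "storage": "${PNPR_STORAGE}",
    "listen": "0.0.0.0:4873",
    "max_body_size": 10485760,
    "uplinks": {"npmjs": {"url": "https://registry.npmjs.org/",
                          "auth": {"token": "${NPM_TOKEN}"}}},
}

if __name__ == "__main__":
    resolved = substitute_env(SAMPLE_CONFIG, {"PNPR_STORAGE": "/var/lib/pnpr",
                                              "NPM_TOKEN": "s3cret: #not-a-comment"})
    print(resolved["uplinks"]["npmjs"]["auth"]["token"])
```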

Networking

  • Decide: built-in TLS termination, or document reverse-proxy-only
  • Trust-proxy / X-Forwarded-* handling for dist.tarball rewriting
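
The trust-proxy item above is where rewriting dist.tarball goes wrong if done naively: a client that reaches the registry directly can send its own X-Forwarded-Host, and if that value ends up in a packument that is then cached, every later client is handed tarball URLs pointing at the attacker's host. The following added example (not pnpr's code; the trusted-proxy list and request values are constructed) honors the forwarded headers only when the TCP peer is a configured proxy, and validates the resulting host before it is used to build a URL:

```python
import ipaddress
import re
from urllib.parse import quote

# Accepted Host grammar: hostname or IPv4, or bracketed IPv6, with optional :port.
HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?|\[[0-9A-Fa-f:.]+\])(?::[0-9]{1,5})?$")


def parse_trusted_proxies(cidrs):
    """Turn configured CIDRs / addresses into networks for peer matching."""
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def request_origin(peer_ip, headers, trusted_proxies, listen_scheme="http"):
    """Return (scheme, host) to use for absolute dist.tarball URLs.

    X-Forwarded-Proto / X-Forwarded-Host are used only when the TCP peer is a
    trusted proxy; otherwise the Host header and the listener's own scheme win."""
    headers = {key.lower(): value for key, value in headers.items()}
    host = headers.get("host", "")
    scheme = listen_scheme
    if any(ipaddress.ip_address(peer_ip) in net for net in trusted_proxies):
        if "x-forwarded-proto" in headers:
            scheme = headers["x-forwarded-proto"].split(",")[0].strip().lower()
        if "x-forwarded-host" in headers:
            host = headers["x-forwarded-host"].split(",")[0].strip()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported forwarded scheme {scheme!r}")
    if not HOST_RE.match(host):
        raise ValueError(f"invalid host value {host!r}")
    return scheme, host


def tarball_url(scheme, host, name, version):
    """Build dist.tarball for name@version; scoped names keep the '@scope/' prefix."""
    basename = name.rsplit("/", 1)[-1]
    return f"{scheme}://{host}/{quote(name, safe='@/')}/-/{basename}-{version}.tgz"


# Constructed deployment: a reverse proxy on 10.0.0.0/8 plus loopback is trusted.
TRUSTED = parse_trusted_proxies(["10.0.0.0/8", "127.0.0.1"])

if __name__ == "__main__":
    via_proxy = {"Host": "pnpr:4873", "X-Forwarded-Proto": "https",
                 "X-Forwarded-Host": "npm.example.com"}
    direct = {"Host": "pnpr:4873", "X-Forwarded-Host": "evil.example"}
    print(tarball_url(*request_origin("10.1.2.3", via_proxy, TRUSTED), "@scope/pkg", "1.0.0"))
    print(tarball_url(*request_origin("203.0.113.7", direct, TRUSTED), "@scope/pkg", "1.0.0"))
```

Whichever of built-in TLS or reverse-proxy-only is chosen under the Networking item, the trusted list should default to empty so forwarded headers are ignored until an operator opts in.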

Notifications

  • Configurable webhooks on publish / unpublish / deprecate

Extensibility decision

  • Decide whether pnpr exposes a stable Rust trait surface for auth / storage / middleware backends. If yes, define and document it; if no, document it as deliberately out of scope.

Non-goals (explicit)

  • Verdaccio-style dynamic plugin loading from npm packages.
  • A verdaccio.yaml drop-in compatibility guarantee. The config is verdaccio-shaped, not byte-identical.

Written by an agent (Claude Code, claude-opus-4-7).
