Tracking issue for bringing @pnpm/pnpr to feature parity with verdaccio as a backend.
Scope
In scope: every HTTP and on-disk capability a registry server needs in production — auth, ACLs, uplinks, caching, publish lifecycle, storage integrity, observability, config.
In scope: a complete enough HTTP/JSON surface that an external project could build a browser UI on top of it.
Out of scope: a built-in browser UI / web frontend. We might ship one but that is not part of this issue.
Out of scope: verdaccio's plugin-as-npm-package model. If we add extensibility it will be compile-time Rust traits, not dynamic JS plugins. Decision required (see below).
Already done
packument and tarball serving (full + abbreviated)
/-/v1/search)
Required for verdaccio parity
Auth & user endpoints
DELETE /-/npm/v1/tokens/token/:tok) — landed in feat(registry): add whoami, profile, and token CRUD endpoints #12011
GET /-/npm/v1/tokens) — landed in feat(registry): add whoami, profile, and token CRUD endpoints #12011
DELETE /-/user/token/:tok) — landed in feat(registry): add whoami, profile, and token CRUD endpoints #12011
GET /-/whoami — landed in feat(registry): add whoami, profile, and token CRUD endpoints #12011
GET /-/npm/v1/user (profile) — landed in feat(registry): add whoami, profile, and token CRUD endpoints #12011
Access control
$anonymous group — landed in feat(registry): enforce per-package access policy from YAML #12043
Uplinks & caching
auth.token / custom headers to uplinks feat(pnpr): forward uplink auth token and custom headers to upstreams #12186
If-Modified-Since) feat(pnpr): revalidate stale packuments with conditional GET to upstream #12239
max_fails, fail_timeout, cache: false
Storage & integrity
Publish lifecycle
npm deprecate (PUT packument with deprecated field on a version)
PUT /-/package/:pkg/owner)
Admin / management API (surface for external UIs)
POST /-/npm/v1/security/audits) — proxy or local
Health & observability
/-/ping
/metrics
Config
${ENV_VAR} substitution in YAML
Networking
Decide: built-in TLS termination, or document reverse-proxy-only
Trust-proxy / X-Forwarded-* handling for dist.tarball rewriting
Notifications
Configurable webhooks on publish / unpublish / deprecate
Extensibility decision
Decide whether pnpr exposes a stable Rust trait surface for auth / storage / middleware backends. If yes, define and document it; if no, document it as deliberately out of scope.
Non-goals (explicit)
Verdaccio-style dynamic plugin loading from npm packages.
A verdaccio.yaml drop-in compatibility guarantee. The config is verdaccio-shaped, not byte-identical.
Written by an agent (Claude Code, claude-opus-4-7).