6.5.2 (2026-04-19)

Bug Fixes

• avoid sharing default security object across configs (#5812) (9cca86e)
• Missing package refresh after logging into WebUI (#5825) (e6bbea4), closes #5814
• remove basic header on login error 401 (#5821) (1c1723d)
• update ui-theme dependency (#5822) (c4f2cd9)

What's Changed

• chore: enable ui e2e test by @juanpicado in #5803
• fix: web validate password issue by @juanpicado in #5811

Full Changelog: v6.5.0...v6.5.1

6.5.0 (2026-04-11)

Features

• update ui to major (#5794) (b957c6f) @juanpicado
  • Big UI refactoring #5563

Bug Fixes

• package-filter: fix O(n²) complexity in cleanupDistFiles (b15f622) #5797 by @plottodev
• ui search returns no output #5798 (3edd3ee) @juanpicado

Patch Changes

• f44ddfc: fix(package-filter): fix O(n²) complexity in cleanupDistFiles

Features

Package Filter Plugins (#5786, #5548) by @vsugrob, @pyhp2017 @juanpicado

⚠️ Please help us to test this feature (it is pretty new and might be not perfect) ref https://github.com/orgs/verdaccio/discussions/5796
The @verdaccio/package-filter package is bundled by default but must be enabled by the user.

@verdaccio/package-filter is a built-in plugin that intercepts package metadata from uplinks and removes versions matching configurable rules. With no rules configured, it acts as a no-op passthrough.

Block a compromised package version

filters:
  '@verdaccio/package-filter':
    block:
      - package: 'event-stream'
        versions: '3.3.6'

Block an entire malicious scope

filters:
  '@verdaccio/package-filter':
    block:
      - scope: '@malicious'

Quarantine recently published versions

Hide versions published less than 7 days ago, giving time for review before adoption:

filters:
  '@verdaccio/package-filter':
    minAgeDays: 7

Freeze registry to a point in time

Only serve versions published before a specific date:

filters:
  '@verdaccio/package-filter':
    dateThreshold: '2025-01-01'

Whitelist trusted packages within blocked rules

filters:
  '@verdaccio/package-filter':
    minAgeDays: 30
    allow:
      - scope: '@my-company'
      - package: 'trusted-pkg'

Replace instead of remove

Substitute a blocked version with the nearest older safe version, useful when removing it would break transitive dependencies:

filters:
  '@verdaccio/package-filter':
    block:
      - package: 'compromised-lib'
        versions: '>=3.0.0'
        strategy: replace

Full example

filters:
  '@verdaccio/package-filter':
    minAgeDays: 7
    block:
      - scope: '@malicious'
      - package: 'typosquat-pkg'
      - package: 'compromised-lib'
        versions: '>=3.0.0'
        strategy: replace
    allow:
      - scope: '@my-org'
      - package: 'compromised-lib'
        versions: '3.0.1'

Bug Fixes

• fix(deps): Updated lodash to v4.18.1 (#5777)
• fix(deps): Updated core @verdaccio/* dependencies (#5674, #5780)
  • fix(middleware): stream is not readable (http 500) #5655 @mbtools
  • fix: handle missing host header in URL basename resolution eabde8c @juanpicado
  • fix: replace deprecated pseudoRandomBytes with randomBytes from node:crypto eabde8c @juanpicado

Full Changelog: v6.3.2...v6.4.0

What's Changed

• chore(deps): update node.js to v22.22.1 (6.x) by @renovate[bot] in #5623
• fix(deps): update core verdaccio dependencies (6.x) by @renovate[bot] in #5636

Full Changelog: v6.3.1...v6.3.2

What's Changed

• fix(deps): update dependency express to v5 (7.x) by @renovate[bot] in #5622

Full Changelog: v7.0.0-beta.3...v7.0.0-beta.4

7.0.0-beta.3 (2026-03-08)

Features

• add dual ESM and CJS build output (ff457b8)
• improve Dockerfile layer caching, reduce image size, and add healthcheck (6f4e96b)

What's Changed

• chore(deps): update node.js to v24 (7.x) by @renovate[bot] in #5615

Full Changelog: v6.3.0...v7.0.0-beta.2

• No changes
• Only to create new docker latest image

Full Changelog: v6.3.0...v6.3.1