Package age filtering for proxy mode

[tgolebiowski-tbscg]

Given raising number of supply chain attacks against public npm registries, it would be great to be able to delay package availability in proxy mode until N hours (configurable) . Idea is to prevent access to those packages until they live for a while in public space and (hopefully) by the time the quarantine threshold passes the malicious activities are already discovered.

There should be some kind of override config as well (in case we want to allow critical security patches sooner) . That would be manual action though.

[juanpicado]

Pnpm released something similar you suggest https://github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10160

Not saying bad idea but worth debate side effects, challenges, etc...

[vsugrob]

Hi. I'm working on verdaccio plugin to resolve exactly that - age-based filtering of package versions (https://github.com/vsugrob/verdaccio-plugin-delay-filter). I stumbled upon several issues during development, most of them are about how verdaccio working with filter plugins. It's not a surprise since filter plugins are marked as experimental, but I think it's not very hard to make filter plugin support in verdaccio more stable.

There are several issues I'm facing right now:

1. Publicly available version of Verdaccio (6.1.6 at the time of writing) simply ignores filter plugins and even most detailed logging level doesn't show any signs that verdaccio cares about loading them.
2. Most recent version (8.0.0-next-8.23) successfuly loads my filter plugin, but filtering stops working at some point. I reported this bug Inconsistent invocation of filter plugin #5412 and created PR to fix it, but it's not reviewed yet.
3. I pulled 6.x branch from repo in hope to figure out why 6.1.6 doesn't load my plugin and to my surprise plugin was loaded and worked correct unlike 8.0.0-next-8.23. But then I figured out it's quite a lot commits ahead than 6.1.6, so I hope they release new "latest" version soon. UPD: oh my god, they actually did it very recently: 6.2.0 | 369 | 20 hours ago. I'm about to test whether my plugin works in this new version.

A note about pnpm and its minimumReleaseAge feature: it's a very brittle solution. Average developer has npm/pnpm/yarn on their machine and with minimumReleaseAge only the pnpm will be guarded against supply chain attacks. And what about npx and pnpx, these should be proxied as well if we want to be safe. So in my opinion something like Verdaccio with age-based filtering is one of the best solutions if I don't want to be involuntary tester of random updates in package code that nobody audited and checked whether it's safe or not.

[vsugrob]

Hi. I just released filter plugin that allows you to delay package availability with Verdaccio. You can install it as npm package and configure how long you want new package versions to be delayed. Note that it works in recently released Verdaccio 6.2.0. If you're on previous version, plugin won't be loaded. More instructions here: https://www.npmjs.com/package/verdaccio-plugin-delay-filter