vsr aims to be a minimal "npm-compatible" registry which replicates the core features found in registry.npmjs.org as well as adding net-new capabilities.
Table of Contents:
You can quickly get started by installing/executing vsr with the following command:
npx -y vltpkg/vsrYou can deploy vsr to Cloudflare in under 5 minutes, for free, with a single click (coming soon).
Alternatively, you can deploy to production using wrangler after following the Development quick start steps.
# clone the repo
git clone https://github.com/vltpkg/vsr.git
# navigate to the repository directory
cd ./vsr
# install the project's dependencies
npm install
# run tbe development script
npm run dev- Cloudflare (free account at minimum)
- Workers (free: 100k requests /day)
- D1 Database (free: 100k writes, 5M reads /day & 5GB Storage /mo)
- R2 Bucket (free: 1M writes, 10M reads & 10GB /mo)
Note: all usage numbers & pricing documented is as of October 24th, 2024. Plans & metering is subject to change at Cloudflare's discretion.
gitnodenpm
All tokens are considered "granular access tokens" (GATs). Token entries in the database consist of 3 parts:
tokenthe unique token valueuuidassociative value representing a single user/scopescopevalue representing the granular access/privileges
A scope contains an array of privileges that define both the type(s) of & access value(s) for a token.
Note
Tokens can be associated with multiple "types" of access
type(s):pkg:readread associated packagespkg:read+writewrite associated packages (requires read access)user:readread associated useruser:read+writewrite associated user (requires read access)
value(s):*an ANY selector foruser:orpkg:access types~<user>user selector for theuser:access type@<scope>/<pkg>package specific selector for thepkg:access type@<scope>/*glob scope selector forpkg:access types
Note
- user/org/team management via
@<scope>is not supported at the moment
Scope Examples
- specific package read access
- individual user read+write access
[
{
"values": ["@organization/package-name"],
"types": {
"pkg": {
"read": true,
}
}
},
{
"values": ["~johnsmith"],
"types": {
"user": {
"read": true,
"write": true,
}
}
}
]- scoped package read+write access
- individual user read+write access
[
{
"values": ["@organization/*"],
"types": {
"pkg": {
"read": true
}
}
},
{
"values": ["~johnsmith"],
"types": {
"user": {
"read": true,
"write": true,
}
}
}
]- organization scoped packages read+write access
- individual user read+write access
[
{
"values": ["@organization/package-name"],
"types": {
"pkg": {
"read": true
}
}
},
{
"values": ["~johnsmith"],
"types": {
"user": {
"read": true,
"write": true,
}
}
}
]- organization scoped package read+write access
- organization users read+write access
[
{
"values": ["@company/*"],
"types": {
"pkg": {
"read": true,
"write": true
},
"user": {
"read": true,
"write": true
}
}
}
][
{
"values": ["*"],
"types": {
"pkg": {
"read": true,
"write": true
},
{
"user": {
"read": true,
"write": true
}
}
}
}
]We have rich, interactive API docs out-of-the-box with the help of our friends Scalar. The docs can be found at the registry root when running vsr locally (ex. run npx -y vltpkg/vsr &/or check out this repo & run npm run dev)
The following commands should work out-of-the-box with npm & any other npm "compatible" clients although their specific commands & arguments may vary (ex. vlt, yarn, pnpm & bun)
To use vsr as your registry you must either pass a registry config through a client-specific flag (ex. --registry=... for npm) or define client-specific configuration which stores the reference to your registry (ex. .npmrc for npm). Access to the registry & packages is private by default although an "admin" user is created during setup locally (for development purposes) with a default auth token of "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx".
; .npmrc
registry=http://localhost:1337
//localhost:1337/:_authToken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx- β implemented
- β³ in progress
- π€ planned to support
| Support | Commannd |
|---|---|
| β | access |
| β | access list packages |
| β | access get status |
| β | access set status |
| β | access set mfa |
| β | access grant |
| β | access revoke |
| π€ | adduser - PUT /-/org/@<org>/<user>: Adds/updates a user (requires admin privileges) |
| β | audit |
| β | bugs |
| β | dist-tag add |
| β | dist-tag rm |
| β | dist-tag ls |
| β | deprecate |
| β | docs |
| β | exec |
| β | hook |
| β | install |
| β | login |
| β | logout |
| β | org |
| β | outdated |
| β | owner add |
| β | owner rm |
| β | owner ls |
| β | ping |
| β | profile enable-2fa |
| β | profile disable-2fa |
| β | profile get |
| π€ | profile set - PUT /-/npm/v1/user: Updates a user (requires auth) |
| β | publish |
| β | repo |
| β | search |
| β | star |
| β | team |
| β | view |
| β | whoami |
- β supported
- β unsupported
| Feature | vsr |
verdaccio |
jsr |
|---|---|---|---|
| Serverless | β | β | β |
| JavaScript Backend | β | β | β |
| Granular Access/Permissions | β | β | β |
| Proxy Upstream Registries | β³ | β | β |
| Unscoped Package Names | β | β | β |
| npm Package Publishing | β | β | β |
| npm Package Installation | β | β | β * |
| CDN | π€ | β | β |
| ESM | π€ | β | β |
| Manifest Validation | β | β | β |
| Plugins | β³ | β | β |
| Events/Hooks | π€ | β | β |
| Programmatic API | β | β | β |
| Web Interface | π€ | β | β |
| Search | π€ | β | β |
| First-Class Typescript | β | β | β |
| API Documentation Generation | β | β | β |
| Multi-Cloud | π€ | β | β |
| Azure DevOps Artifacts Upstream | β | β | β |
| JFrog Artifactory Upstream | β | β | β |
| Google Artifact Registry Upstream | β | β | β |
*requiresjsr-specific tooling or use a modified package name when using traditional npm clients (ref. https://jsr.io/docs/npm-compatibility)
| Status | Feature |
|---|---|
| β | api: minimal package metadata |
| β | api: full package manifests |
| β | api: publishing private, scoped packages |
| β | api: package manifest validation |
| β | api: admin user management (add/update/remove users) |
| β | api: user token management (add/update/remove tokens) |
| β | web: docs portal |
| β | api: unscoped packages |
| β³ | web & api: custom dist-tags (latest is supported) |
| β³ | web & api: token rate-limiting |
| π€ | web & api: search |
| π€ | web & api: staging |
| π€ | web: admin user management |
| π€ | web: user registration |
| π€ | web: user login (ex. npm login / --auth-type=web) |
| π€ | web: user account management |
This project is licensed under the Functional Source License (FSL-1.1-MIT).
