Add artifact repository docs for pnpm and yarn #246

Merged
merged 3 commits into from
Dec 11, 2024
65 changes: 63 additions & 2 deletions docs/artifact_repositories/npm.md
@@ -24,9 +24,9 @@ authentication details.
[API Keys documentation]: ../knowledge_base/api-keys.md#generate-an-api-key
[policy]: ../knowledge_base/policy.md

### `npm`
### `npm` and `pnpm`

Custom NPM registries can be configured with `npm`:
Both `npm` and `pnpm` allow setting custom NPM registries using `npm`:

```sh
npm config set replace-registry-host never
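Review bot: the new sentence "Both `npm` and `pnpm` allow setting custom NPM registries using `npm`:" is confusing, since it introduces `pnpm` and then tells the reader to run `npm`. Say where `npm config set` stores these settings so it is clear that `pnpm` picks up the same configuration and that no separate `pnpm` step is missing, e.g. "Both `npm` and `pnpm` read the registry settings written by `npm config set`:".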
@@ -58,5 +58,66 @@ npm error notarget In most cases you or one of your dependencies are requesting
npm error notarget a package version that doesn't exist.
```

If you're using `pnpm`, the output will look like this:

```text
 ERR_PNPM_NO_VERSIONS  No versions available for malicious. The package may be unpublished.

This error happened while installing a direct dependency of /tmp/testing
```

If a version range is accepted by the manifest, the package manager will
automatically attempt to use a version that passes Phylum's policy.

### `yarn`

Custom NPM registries can be configured with `yarn`:

```sh
yarn config set -H npmRegistryServer "https://npm.phylum.io/"
yarn config set -H npmAuthIdent "<PHYLUM_ORG>/<PHYLUM_GROUP:<PHYLUM_API_KEY>"
yarn config set -H npmAlwaysAuth true
```

> ⚠️ **WARNING** ⚠️
>
> Do not accidentally save your token into your shell history.

A blocked package will show up in `yarn` output as missing:

```text
➤ YN0027: malicious@unknown can't be resolved to a satisfying range
➤ YN0001: TypeError: Cannot read properties of undefined (reading 'dist')
at Fv.getCandidates (/home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:688:7154)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
at async Pg.getCandidates (/home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:141:1271)
at async uH (/home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:401:9441)
at async /home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:401:8776
at async C (/home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:401:7127)
at async T2 (/home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:401:8456)
at async /home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:402:531
at async Promise.all (index 0)
at async /home/chris/.cache/node/corepack/v1/yarn/4.5.3/yarn.js:402:488

➤ Errors happened when preparing the environment required to run this command.

TODO: OR MAYBE THIS?

➤ YN0027: malicious@unknown can't be resolved to a satisfying range
➤ YN0035: Package not found
➤ YN0035: Response Code: 404 (Not Found)
➤ YN0035: Request Method: GET
➤ YN0035: Request URL: https://npm.phylum.io/malicious

➤ Errors happened when preparing the environment required to run this command.
```

Alternatively, if only a specific version is affected:

```text
➤ YN0000: · Yarn 4.5.3
➤ YN0000: ┌ Resolution step
➤ YN0082: │ malicious@npm:1.0.0: No candidates found
➤ YN0000: └ Completed in 4s 398ms
➤ YN0000: · Failed with errors in 4s 405ms
```
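Review bot: the `TODO: OR MAYBE THIS?` placeholder and the two alternative error outputs inside the `yarn` fenced block need to be resolved before this merges; keep only one sample. Of the two, the second (`➤ YN0035: Package not found` / `➤ YN0035: Response Code: 404 (Not Found)`) is the one to document: the first shows a `TypeError: Cannot read properties of undefined (reading 'dist')` stack trace, which reads as a yarn crash rather than a policy block, and it embeds a personal path (`/home/chris/.cache/node/corepack/...`) that should not ship in the docs. Separately, the `npmAuthIdent` example is missing the closing `>` after `PHYLUM_GROUP`: `"<PHYLUM_ORG>/<PHYLUM_GROUP:<PHYLUM_API_KEY>"` should read `"<PHYLUM_ORG>/<PHYLUM_GROUP>:<PHYLUM_API_KEY>"`, otherwise a reader copying the placeholder gets a malformed identity string.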