Skip to content

Protected packages: npm packages push protection

What does this MR do and why?

  • This MR enables the package protection for the package format 'npm'.
  • When a PackageProtectionRule exists then newly pushed packages will be protected / rejected.
  • This MR concentrates only on push protection for new packages; deletion protection of packages is out of scope for this MR.
  • This MR is part of the EPIC Identify packages as protected to prevent accid... (&5574)

🛠 with at Siemens

Screenshots or screen recordings

There are no visuals for this MR. The local validation steps contain a demo of the rejected command when a package is pushed.

How to set up and validate locally

  1. rails db:migrate
  2. Enable feature flag via rails c
Feature.enable(:packages_protected_packages)
  1. Open the rails console (rails c) and start playing around with the new model
Packages::Protection::Rule.create(
  project: Project.find_by(name: "Flight"),
  package_name_pattern: "@flightjs/test-npm-package-*",
  package_type: :npm,
  push_protected_up_to_access_level: :owner
)
  1. Create a dummy project for npm package for testing publishing
# Go to a directory outside of the gitlab and gdk directory
mkdir test-npm-package && cd test-npm-package
npm init esm --yes
  1. Adjust the package name in package.json and set it to "@flightjs/test-npm-package-prod" <= this should match the given package_name_pattern in step 3
  2. Create or adjust file .npmrc in order to push the npm package to the GitLab registry, see https://docs.gitlab.com/ee/user/packages/npm_registry/#authenticating-via-the-npmrc
  3. Publish npm test package
NPM_TOKEN=ypCa3Dzb23o5nvsixwPA npm publish
  1. Pushing the package should be blocked by the Packages::Protection::Rule 💥
  2. Now, change the package name in package.json and set it to "@flightjs/test-npm-package2-prod" <= this will not match the given package_name_pattern in step 3
  3. Now, try again to publish the npm package
NPM_TOKEN=ypCa3Dzb23o5nvsixwPA npm publish
  1. Pushing the npm package should not be blocked by the Packages::Protection::Rule as the package name does not match 👍

Todos

  • Refactor code

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #323970

Edited by Gerardo Navarro

Merge request reports

Loading