Comment by emmanueloga_
3 months ago
I wonder if anyone use https://verdaccio.org/ to vendor packages?
In theory for each package one could:
* npm install pkg
* npm pack pkg
* npm publish --registry=https://verdaccio.company.com
* set .npmrc to "registry=https://verdaccio.company.com/ when working with the actual app.
...this way, one could vet packages one by one. The main caveat I see is that it’s very inconvenient to have to vet and publish each package manually.
It would be great if Verdaccio had a UI to make this easier, for example, showing packages that were attempted to install but not yet vetted, and then allowing approval with a single click.
I just found that someone posted a showHN for an utility to solve this issue [1].
I think this reinforces the idea that is something that could be built into verdaccio.
--
1: https://news.ycombinator.com/item?id=44891786