@pnpm/pnpr 0.0.0-26052601 → 0.0.0-26060501

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4)
  1. package/LICENSE.md +91 -0
  2. package/README.md +231 -4
  3. package/package.json +12 -11
  4. package/LICENSE +0 -22
package/LICENSE.md ADDED
@@ -0,0 +1,91 @@
1
+ # PolyForm Shield License 1.0.0
2
+
3
+ <https://polyformproject.org/licenses/shield/1.0.0>
4
+
5
+ Required Notice: Copyright 2026 Zoltan Kochan (https://kochan.io)
6
+
7
+ ## Acceptance
8
+
9
+ In order to get any license under these terms, you must agree to them as both strict obligations and conditions to all your licenses.
10
+
11
+ ## Copyright License
12
+
13
+ The licensor grants you a copyright license for the software to do everything you might do with the software that would otherwise infringe the licensor's copyright in it for any permitted purpose. However, you may only distribute the software according to [Distribution License](#distribution-license) and make changes or new works based on the software according to [Changes and New Works License](#changes-and-new-works-license).
14
+
15
+ ## Distribution License
16
+
17
+ The licensor grants you an additional copyright license to distribute copies of the software. Your license to distribute covers distributing the software with changes and new works permitted by [Changes and New Works License](#changes-and-new-works-license).
18
+
19
+ ## Notices
20
+
21
+ You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms or the URL for them above, as well as copies of any plain-text lines beginning with `Required Notice:` that the licensor provided with the software. For example:
22
+
23
+ > Required Notice: Copyright Yoyodyne, Inc. (http://example.com)
24
+
25
+ ## Changes and New Works License
26
+
27
+ The licensor grants you an additional copyright license to make changes and new works based on the software for any permitted purpose.
28
+
29
+ ## Patent License
30
+
31
+ The licensor grants you a patent license for the software that covers patent claims the licensor can license, or becomes able to license, that you would infringe by using the software.
32
+
33
+ ## Noncompete
34
+
35
+ Any purpose is a permitted purpose, except for providing any product that competes with the software or any product the licensor or any of its affiliates provides using the software.
36
+
37
+ ## Competition
38
+
39
+ Goods and services compete even when they provide functionality through different kinds of interfaces or for different technical platforms. Applications can compete with services, libraries with plugins, frameworks with development tools, and so on, even if they're written in different programming languages or for different computer architectures. Goods and services compete even when provided free of charge. If you market a product as a practical substitute for the software or another product, it definitely competes.
40
+
41
+ ## New Products
42
+
43
+ If you are using the software to provide a product that does not compete, but the licensor or any of its affiliates brings your product into competition by providing a new version of the software or another product using the software, you may continue using versions of the software available under these terms beforehand to provide your competing product, but not any later versions.
44
+
45
+ ## Discontinued Products
46
+
47
+ You may begin using the software to compete with a product or service that the licensor or any of its affiliates has stopped providing, unless the licensor includes a plain-text line beginning with `Licensor Line of Business:` with the software that mentions that line of business. For example:
48
+
49
+ > Licensor Line of Business: YoyodyneCMS Content Management System (http://example.com/cms)
50
+
51
+ ## Sales of Business
52
+
53
+ If the licensor or any of its affiliates sells a line of business developing the software or using the software to provide a product, the buyer can also enforce [Noncompete](#noncompete) for that product.
54
+
55
+ ## Fair Use
56
+
57
+ You may have "fair use" rights for the software under the law. These terms do not limit them.
58
+
59
+ ## No Other Rights
60
+
61
+ These terms do not allow you to sublicense or transfer any of your licenses to anyone else, or prevent the licensor from granting licenses to anyone else. These terms do not imply any other licenses.
62
+
63
+ ## Patent Defense
64
+
65
+ If you make any written claim that the software infringes or contributes to infringement of any patent, your patent license for the software granted under these terms ends immediately. If your company makes such a claim, your patent license ends immediately for work on behalf of your company.
66
+
67
+ ## Violations
68
+
69
+ The first time you are notified in writing that you have violated any of these terms, or done anything with the software not covered by your licenses, your licenses can nonetheless continue if you come into full compliance with these terms, and take practical steps to correct past violations, within 32 days of receiving notice. Otherwise, all your licenses end immediately.
70
+
71
+ ## No Liability
72
+
73
+ ***As far as the law allows, the software comes as is, without any warranty or condition, and the licensor will not be liable to you for any damages arising out of these terms or the use or nature of the software, under any kind of legal claim.***
74
+
75
+ ## Definitions
76
+
77
+ The **licensor** is the individual or entity offering these terms, and the **software** is the software the licensor makes available under these terms.
78
+
79
+ A **product** can be a good or service, or a combination of them.
80
+
81
+ **You** refers to the individual or entity agreeing to these terms.
82
+
83
+ **Your company** is any legal entity, sole proprietorship, or other kind of organization that you work for, plus all its affiliates.
84
+
85
+ **Affiliates** means the other organizations than an organization has control over, is under the control of, or is under common control with.
86
+
87
+ **Control** means ownership of substantially all the assets of an entity, or the power to direct its management and policies by vote, contract, or otherwise. Control can be direct or indirect.
88
+
89
+ **Your licenses** are all the licenses granted to you for the software under these terms.
90
+
91
+ **Use** means anything you do with the software requiring one of your licenses.
package/README.md CHANGED
@@ -1,8 +1,12 @@
1
1
  # @pnpm/pnpr
2
2
 
3
- A pnpm-compatible npm registry server, written in Rust.
3
+ A pnpm-compatible npm registry server, written in Rust. Speaks the npm
4
+ registry protocol, so any npm-compatible client (pnpm, npm, yarn) can
5
+ talk to it. Proxies packages from a configured upstream like
6
+ npmjs.org and serves them with its own auth and access controls.
4
7
 
5
- Lives in the [pnpm monorepo](https://github.com/pnpm/pnpm) under [`registry/`](https://github.com/pnpm/pnpm/tree/main/registry).
8
+ Lives in the [pnpm monorepo](https://github.com/pnpm/pnpm) under
9
+ [`pnpr/`](https://github.com/pnpm/pnpm/tree/main/pnpr).
6
10
 
7
11
  ## Install
8
12
 
@@ -11,10 +15,233 @@ pnpm add -g @pnpm/pnpr
11
15
  ```
12
16
 
13
17
  The wrapper resolves to the native binary published under
14
- `@pnpm/pnpr.<platform>-<arch>` (e.g. `@pnpm/pnpr.linux-x64`).
18
+ `@pnpm/pnpr.<platform>-<arch>` (e.g. `@pnpm/pnpr.linux-x64`). Prebuilt
19
+ binaries are available for `linux-x64`, `linux-arm64`, `darwin-x64`,
20
+ `darwin-arm64`, `win32-x64`, and `win32-arm64`.
15
21
 
16
22
  ## Usage
17
23
 
24
+ Start the server with the bundled default config:
25
+
26
+ ```sh
27
+ pnpr
28
+ ```
29
+
30
+ It listens on `127.0.0.1:4873` and proxies `https://registry.npmjs.org/`
31
+ by default. Point a client at it with:
32
+
33
+ ```sh
34
+ pnpm config set registry http://127.0.0.1:4873/
35
+ ```
36
+
37
+ ## CLI flags
38
+
39
+ | Flag | Description |
40
+ | --- | --- |
41
+ | `-c, --config <path>` | Path to a verdaccio-shaped YAML config. When omitted, the bundled default is used. |
42
+ | `--listen <addr>` | Address to bind to. Defaults to `127.0.0.1:4873`. |
43
+ | `--storage <path>` | Override the storage directory from the loaded config. |
44
+ | `--cache <path>` | Override the disposable proxy-cache directory (the mirror of upstream registries plus the install-accelerator store). Defaults to a `.pnpr-cache` subdirectory of `--storage`. |
45
+ | `--public-url <url>` | URL clients should use to reach the server, used when rewriting `dist.tarball` in served packuments. Defaults to `http://<listen>`. |
46
+ | `--packument-ttl-secs <n>` | Seconds before a cached packument is considered stale and refetched. |
47
+
48
+ Log level is controlled via the standard `RUST_LOG` environment
49
+ variable (e.g. `RUST_LOG=debug pnpr`).
50
+
51
+ ## Configuration
52
+
53
+ `pnpr` uses a [verdaccio](https://verdaccio.org/docs/configuration)-shaped
54
+ YAML config. A minimal example:
55
+
56
+ ```yaml
57
+ storage: ./storage
58
+
59
+ uplinks:
60
+ npmjs:
61
+ url: https://registry.npmjs.org/
62
+
63
+ packages:
64
+ '@*/*':
65
+ access: $all
66
+ publish: $authenticated
67
+ proxy: npmjs
68
+
69
+ '**':
70
+ access: $all
71
+ publish: $authenticated
72
+ proxy: npmjs
73
+ ```
74
+
75
+ Pass it with `-c`:
76
+
77
+ ```sh
78
+ pnpr -c ./pnpr.yaml
79
+ ```
80
+
81
+ ### Storing hosted packages in S3 / Cloudflare R2
82
+
83
+ `pnpr` keeps two kinds of data:
84
+
85
+ - **Hosted** — the source of truth: packages published to this server
86
+ plus anything served in static mode. This lives under `storage`.
87
+ - **Cache** — the disposable mirror of upstream registries plus the
88
+ install-accelerator store. This lives under `cache` (defaults to
89
+ `<storage>/.pnpr-cache`).
90
+
91
+ By default both are local directories. Adding an `s3:` block moves the
92
+ **hosted** store into an S3-compatible object store, so the durable data
93
+ is replicated by the provider and can be shared by several stateless
94
+ `pnpr` replicas. The cache and the install-accelerator databases always
95
+ stay on local disk — only the hosted store is pluggable.
96
+
97
+ Because any S3-compatible endpoint works, this also covers **Cloudflare
98
+ R2**, **MinIO**, **Backblaze B2**, **Wasabi**, etc. — point `endpoint`
99
+ at the right host.
100
+
101
+ ```yaml
102
+ storage: ./storage # still backs the local cache + upload staging
103
+
104
+ s3:
105
+ bucket: my-pnpr-packages
106
+ region: auto
107
+ # Omit `endpoint` for AWS S3. For R2 use the account endpoint:
108
+ endpoint: https://<account-id>.r2.cloudflarestorage.com
109
+ # Optional key prefix, so one bucket can hold more than the hosted store:
110
+ prefix: packages
111
+ # Credentials. Omit these to fall back to the standard
112
+ # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables.
113
+ accessKeyId: ${PNPR_S3_ACCESS_KEY_ID}
114
+ secretAccessKey: ${PNPR_S3_SECRET_ACCESS_KEY}
115
+ ```
116
+
117
+ | Key | Required | Description |
118
+ | --- | --- | --- |
119
+ | `bucket` | yes | Bucket the hosted packages are stored in. |
120
+ | `region` | no | AWS S3 needs a real region (e.g. `us-east-1`); Cloudflare R2 uses `auto`. |
121
+ | `endpoint` | no | Custom endpoint for S3-compatible providers. Omit for AWS S3; for R2 it's `https://<account-id>.r2.cloudflarestorage.com`; for MinIO it's e.g. `http://127.0.0.1:9000`. |
122
+ | `prefix` | no | Key prefix every object is stored under. |
123
+ | `accessKeyId` | no | Access key. Falls back to `AWS_ACCESS_KEY_ID` when unset. |
124
+ | `secretAccessKey` | no | Secret key. Falls back to `AWS_SECRET_ACCESS_KEY` when unset. |
125
+ | `forcePathStyle` | no | Use path-style addressing (`endpoint/bucket/key`) instead of virtual-hosted (`bucket.endpoint/key`). MinIO typically needs `true`; AWS and R2 work with the default. |
126
+ | `allowHttp` | no | Allow plain-HTTP endpoints — needed for a local MinIO over `http://`. Defaults to HTTPS-only. |
127
+
128
+ Any `${ENV_VAR}` in the config is substituted from the environment
129
+ before parsing, so secrets can be kept out of the file. Keeping the
130
+ credentials in `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` and
131
+ omitting them from the YAML works too.
132
+
133
+ Run it the same way as any other config:
134
+
135
+ ```sh
136
+ AWS_ACCESS_KEY_ID=… AWS_SECRET_ACCESS_KEY=… pnpr -c ./pnpr.yaml
137
+ ```
138
+
139
+ A complete R2 example, end to end:
140
+
141
+ ```yaml
142
+ # pnpr.yaml
143
+ storage: ./storage
144
+
145
+ s3:
146
+ bucket: my-pnpr-packages
147
+ region: auto
148
+ endpoint: https://abc123def456.r2.cloudflarestorage.com
149
+
150
+ uplinks:
151
+ npmjs:
152
+ url: https://registry.npmjs.org/
153
+
154
+ packages:
155
+ '**':
156
+ access: $all
157
+ publish: $authenticated
158
+ proxy: npmjs
159
+ ```
160
+
18
161
  ```sh
19
- pnpr --help
162
+ export AWS_ACCESS_KEY_ID="<r2-access-key-id>"
163
+ export AWS_SECRET_ACCESS_KEY="<r2-secret-access-key>"
164
+ pnpr -c ./pnpr.yaml --listen 0.0.0.0:4873 --public-url https://registry.example.com
165
+ ```
166
+
167
+ (`--public-url` is what rewrites the `dist.tarball` URLs in served
168
+ packuments, so clients fetch tarballs back through this server rather
169
+ than the upstream.)
170
+
171
+ A local MinIO over plain HTTP needs `forcePathStyle` and `allowHttp`:
172
+
173
+ ```yaml
174
+ s3:
175
+ bucket: pnpr
176
+ region: us-east-1
177
+ endpoint: http://127.0.0.1:9000
178
+ forcePathStyle: true
179
+ allowHttp: true
180
+ accessKeyId: minioadmin
181
+ secretAccessKey: minioadmin
20
182
  ```
183
+
184
+ ### Storing users and tokens in a networked SQLite database
185
+
186
+ Auth state — the registered users and their bearer tokens — is the other
187
+ piece of per-instance disk state. By default users live in an
188
+ htpasswd file and tokens in a local SQLite database (see `auth:` above),
189
+ so two `pnpr` replicas don't see each other's accounts. Adding a
190
+ `backend:` block moves both into one **networked SQLite** database
191
+ (libsql / [Turso](https://turso.tech)), so several stateless replicas
192
+ share a consistent set of logins and tokens — the auth half of running
193
+ `pnpr` horizontally scaled.
194
+
195
+ The schema is the same SQLite the local backend uses (the `tokens` table
196
+ is identical; users move from the htpasswd file into a `users` table), so
197
+ a database can be migrated between the two. Token lookups happen on the
198
+ request hot path, so the database should be low-latency from the server.
199
+
200
+ ```yaml
201
+ storage: ./storage
202
+
203
+ backend:
204
+ libsql:
205
+ # libsql/Turso database URL. `libsql://…` for Turso, or
206
+ # `http://127.0.0.1:8080` for a local `sqld`.
207
+ url: ${PNPR_LIBSQL_URL}
208
+ # Bearer token for the database. Omit for an unauthenticated local
209
+ # `sqld`.
210
+ authToken: ${PNPR_LIBSQL_TOKEN}
211
+ ```
212
+
213
+ | Key | Required | Description |
214
+ | --- | --- | --- |
215
+ | `url` | yes | Database URL — `libsql://<db>.turso.io` (Turso) or `http://<host>:<port>` (self-hosted `sqld`). |
216
+ | `authToken` | no | Bearer token for the database. Omit for an unauthenticated local `sqld`. |
217
+ | `replicaPath` | no | Path to a local **embedded replica**. When set, reads (token lookups) hit this local file instead of a network round-trip; writes still go to the primary. Absent ⇒ every read is a remote query. |
218
+ | `syncIntervalSecs` | no | How often (seconds) the embedded replica pulls from the primary. Only meaningful with `replicaPath`; bounds how stale a read can be (token-revocation lag). `0` disables background sync. Defaults to `60`. |
219
+
220
+ Token lookups happen on the request hot path, so for a remote primary
221
+ (e.g. Turso) set `replicaPath` to serve reads from a local replica:
222
+
223
+ ```yaml
224
+ backend:
225
+ libsql:
226
+ url: ${PNPR_LIBSQL_URL}
227
+ authToken: ${PNPR_LIBSQL_TOKEN}
228
+ replicaPath: ./auth-replica.db
229
+ syncIntervalSecs: 60
230
+ ```
231
+
232
+ The trade-off is read freshness: an embedded replica reflects another
233
+ replica's writes (a token issued or revoked elsewhere) only after the
234
+ next background sync, so lower `syncIntervalSecs` means less
235
+ revocation lag. Omit `replicaPath` to always read the primary directly.
236
+
237
+ When the `backend:` block is absent, auth stays on local disk and the
238
+ `auth.htpasswd` / `auth.tokens` settings apply as before. The
239
+ `auth.htpasswd.max_users` registration cap is honored either way.
240
+
241
+ ## License
242
+
243
+ Source-available under the [PolyForm Shield License 1.0.0](https://github.com/pnpm/pnpm/blob/main/pnpr/LICENSE.md) — **not** open source. You may run, modify, and self-host pnpr for any purpose except providing a product that competes with it. Commercial / non-compete licenses are available from Zoltan Kochan (<https://kochan.io>).
244
+
245
+ ## Trademark notice
246
+
247
+ pnpr is not affiliated with, endorsed by, or sponsored by npm, Inc., GitHub, or Microsoft. "npm" is a trademark of npm, Inc., used here only to describe compatibility with the npm registry protocol.
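Review bot: The end-to-end R2 example (README lines 141-164) starts the server with `--listen 0.0.0.0:4873` while its config grants `access: $all` on `'**'`, so following it verbatim gives every host that can reach the port unauthenticated read access to every package the server hosts or proxies, and `--public-url https://registry.example.com` presumes a TLS-terminating proxy that the text never mentions. Suggest keeping the default `127.0.0.1:4873` bind in the example and stating that a reverse proxy fronts it, or restricting `access` (for example to `$authenticated`, the group the example already uses for `publish`). Two smaller gaps in the same hunk: line 188 says "see `auth:` above" and lines 238-239 name `auth.htpasswd`, `auth.tokens` and `auth.htpasswd.max_users`, but no `auth:` section appears in this README; and the `syncIntervalSecs` row says `0` disables background sync without saying how an embedded replica then learns of a revoked token, which should be spelled out since that setting is what bounds revocation lag.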
package/package.json CHANGED
@@ -6,28 +6,29 @@
6
6
  "npm",
7
7
  "registry"
8
8
  ],
9
- "license": "MIT",
10
- "homepage": "https://github.com/pnpm/pnpm/tree/main/registry",
9
+ "license": "SEE LICENSE IN LICENSE.md",
10
+ "homepage": "https://github.com/pnpm/pnpm/tree/main/pnpr",
11
11
  "bugs": "https://github.com/pnpm/pnpm/issues",
12
12
  "repository": {
13
13
  "type": "git",
14
14
  "url": "https://github.com/pnpm/pnpm",
15
- "directory": "registry/npm/pnpr"
15
+ "directory": "pnpr/npm/pnpr"
16
16
  },
17
17
  "engines": {
18
18
  "node": ">=18.*"
19
19
  },
20
20
  "files": [
21
- "bin/pnpr"
21
+ "bin/pnpr",
22
+ "LICENSE.md"
22
23
  ],
23
- "version": "0.0.0-26052601",
24
+ "version": "0.0.0-26060501",
24
25
  "optionalDependencies": {
25
- "@pnpm/pnpr.win32-x64": "0.0.0-26052601",
26
- "@pnpm/pnpr.win32-arm64": "0.0.0-26052601",
27
- "@pnpm/pnpr.darwin-x64": "0.0.0-26052601",
28
- "@pnpm/pnpr.darwin-arm64": "0.0.0-26052601",
29
- "@pnpm/pnpr.linux-x64": "0.0.0-26052601",
30
- "@pnpm/pnpr.linux-arm64": "0.0.0-26052601"
26
+ "@pnpm/pnpr.win32-x64": "0.0.0-26060501",
27
+ "@pnpm/pnpr.win32-arm64": "0.0.0-26060501",
28
+ "@pnpm/pnpr.darwin-x64": "0.0.0-26060501",
29
+ "@pnpm/pnpr.darwin-arm64": "0.0.0-26060501",
30
+ "@pnpm/pnpr.linux-x64": "0.0.0-26060501",
31
+ "@pnpm/pnpr.linux-arm64": "0.0.0-26060501"
31
32
  },
32
33
  "bin": {
33
34
  "pnpr": "bin/pnpr"
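Review bot: The `license` field moves from `MIT` to `SEE LICENSE IN LICENSE.md` inside what is otherwise a routine `0.0.0-26052601` to `0.0.0-26060501` bump, so consumers whose license checks key on this field will now see a custom license instead of a recognized identifier, with nothing in the version number to signal it; this deserves an explicit entry in the release notes. Also, `files` adds `LICENSE.md` to this wrapper only, while the binary itself comes from the six `@pnpm/pnpr.*` entries under `optionalDependencies`; this diff does not show whether those packages carry the license text and its `Required Notice:` line, which the Notices section of the new license requires to accompany any copy of the software.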
package/LICENSE DELETED
@@ -1,22 +0,0 @@
1
- The MIT License (MIT)
2
-
3
- Copyright (c) 2015-2016 Rico Sta. Cruz and other contributors
4
- Copyright (c) 2016-2026 Zoltan Kochan and other contributors
5
-
6
- Permission is hereby granted, free of charge, to any person obtaining a copy
7
- of this software and associated documentation files (the "Software"), to deal
8
- in the Software without restriction, including without limitation the rights
9
- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10
- copies of the Software, and to permit persons to whom the Software is
11
- furnished to do so, subject to the following conditions:
12
-
13
- The above copyright notice and this permission notice shall be included in all
14
- copies or substantial portions of the Software.
15
-
16
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17
- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19
- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20
- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21
- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22
- SOFTWARE.
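Review bot: The deleted file's line 3, `Copyright (c) 2015-2016 Rico Sta. Cruz and other contributors`, has no counterpart in the new LICENSE.md, whose only notice is `Required Notice: Copyright 2026 Zoltan Kochan (https://kochan.io)`. The MIT text being removed requires that its copyright and permission notice be included in all copies or substantial portions of the software, so if anything shipped in this package derives from code under that earlier notice, the notice needs to be kept (for example in a third-party notices file); if nothing does, a line in the changelog saying so would settle the question.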