@pnpm/pnpr 0.0.0-26052901 → 0.0.0-26060501
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +91 -0
- package/README.md +169 -0
- package/package.json +10 -9
- package/LICENSE +0 -22
package/LICENSE.md
ADDED
|
@@ -0,0 +1,91 @@
|
|
|
1
|
+
# PolyForm Shield License 1.0.0
|
|
2
|
+
|
|
3
|
+
<https://polyformproject.org/licenses/shield/1.0.0>
|
|
4
|
+
|
|
5
|
+
Required Notice: Copyright 2026 Zoltan Kochan (https://kochan.io)
|
|
6
|
+
|
|
7
|
+
## Acceptance
|
|
8
|
+
|
|
9
|
+
In order to get any license under these terms, you must agree to them as both strict obligations and conditions to all your licenses.
|
|
10
|
+
|
|
11
|
+
## Copyright License
|
|
12
|
+
|
|
13
|
+
The licensor grants you a copyright license for the software to do everything you might do with the software that would otherwise infringe the licensor's copyright in it for any permitted purpose. However, you may only distribute the software according to [Distribution License](#distribution-license) and make changes or new works based on the software according to [Changes and New Works License](#changes-and-new-works-license).
|
|
14
|
+
|
|
15
|
+
## Distribution License
|
|
16
|
+
|
|
17
|
+
The licensor grants you an additional copyright license to distribute copies of the software. Your license to distribute covers distributing the software with changes and new works permitted by [Changes and New Works License](#changes-and-new-works-license).
|
|
18
|
+
|
|
19
|
+
## Notices
|
|
20
|
+
|
|
21
|
+
You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms or the URL for them above, as well as copies of any plain-text lines beginning with `Required Notice:` that the licensor provided with the software. For example:
|
|
22
|
+
|
|
23
|
+
> Required Notice: Copyright Yoyodyne, Inc. (http://example.com)
|
|
24
|
+
|
|
25
|
+
## Changes and New Works License
|
|
26
|
+
|
|
27
|
+
The licensor grants you an additional copyright license to make changes and new works based on the software for any permitted purpose.
|
|
28
|
+
|
|
29
|
+
## Patent License
|
|
30
|
+
|
|
31
|
+
The licensor grants you a patent license for the software that covers patent claims the licensor can license, or becomes able to license, that you would infringe by using the software.
|
|
32
|
+
|
|
33
|
+
## Noncompete
|
|
34
|
+
|
|
35
|
+
Any purpose is a permitted purpose, except for providing any product that competes with the software or any product the licensor or any of its affiliates provides using the software.
|
|
36
|
+
|
|
37
|
+
## Competition
|
|
38
|
+
|
|
39
|
+
Goods and services compete even when they provide functionality through different kinds of interfaces or for different technical platforms. Applications can compete with services, libraries with plugins, frameworks with development tools, and so on, even if they're written in different programming languages or for different computer architectures. Goods and services compete even when provided free of charge. If you market a product as a practical substitute for the software or another product, it definitely competes.
|
|
40
|
+
|
|
41
|
+
## New Products
|
|
42
|
+
|
|
43
|
+
If you are using the software to provide a product that does not compete, but the licensor or any of its affiliates brings your product into competition by providing a new version of the software or another product using the software, you may continue using versions of the software available under these terms beforehand to provide your competing product, but not any later versions.
|
|
44
|
+
|
|
45
|
+
## Discontinued Products
|
|
46
|
+
|
|
47
|
+
You may begin using the software to compete with a product or service that the licensor or any of its affiliates has stopped providing, unless the licensor includes a plain-text line beginning with `Licensor Line of Business:` with the software that mentions that line of business. For example:
|
|
48
|
+
|
|
49
|
+
> Licensor Line of Business: YoyodyneCMS Content Management System (http://example.com/cms)
|
|
50
|
+
|
|
51
|
+
## Sales of Business
|
|
52
|
+
|
|
53
|
+
If the licensor or any of its affiliates sells a line of business developing the software or using the software to provide a product, the buyer can also enforce [Noncompete](#noncompete) for that product.
|
|
54
|
+
|
|
55
|
+
## Fair Use
|
|
56
|
+
|
|
57
|
+
You may have "fair use" rights for the software under the law. These terms do not limit them.
|
|
58
|
+
|
|
59
|
+
## No Other Rights
|
|
60
|
+
|
|
61
|
+
These terms do not allow you to sublicense or transfer any of your licenses to anyone else, or prevent the licensor from granting licenses to anyone else. These terms do not imply any other licenses.
|
|
62
|
+
|
|
63
|
+
## Patent Defense
|
|
64
|
+
|
|
65
|
+
If you make any written claim that the software infringes or contributes to infringement of any patent, your patent license for the software granted under these terms ends immediately. If your company makes such a claim, your patent license ends immediately for work on behalf of your company.
|
|
66
|
+
|
|
67
|
+
## Violations
|
|
68
|
+
|
|
69
|
+
The first time you are notified in writing that you have violated any of these terms, or done anything with the software not covered by your licenses, your licenses can nonetheless continue if you come into full compliance with these terms, and take practical steps to correct past violations, within 32 days of receiving notice. Otherwise, all your licenses end immediately.
|
|
70
|
+
|
|
71
|
+
## No Liability
|
|
72
|
+
|
|
73
|
+
***As far as the law allows, the software comes as is, without any warranty or condition, and the licensor will not be liable to you for any damages arising out of these terms or the use or nature of the software, under any kind of legal claim.***
|
|
74
|
+
|
|
75
|
+
## Definitions
|
|
76
|
+
|
|
77
|
+
The **licensor** is the individual or entity offering these terms, and the **software** is the software the licensor makes available under these terms.
|
|
78
|
+
|
|
79
|
+
A **product** can be a good or service, or a combination of them.
|
|
80
|
+
|
|
81
|
+
**You** refers to the individual or entity agreeing to these terms.
|
|
82
|
+
|
|
83
|
+
**Your company** is any legal entity, sole proprietorship, or other kind of organization that you work for, plus all its affiliates.
|
|
84
|
+
|
|
85
|
+
**Affiliates** means the other organizations than an organization has control over, is under the control of, or is under common control with.
|
|
86
|
+
|
|
87
|
+
**Control** means ownership of substantially all the assets of an entity, or the power to direct its management and policies by vote, contract, or otherwise. Control can be direct or indirect.
|
|
88
|
+
|
|
89
|
+
**Your licenses** are all the licenses granted to you for the software under these terms.
|
|
90
|
+
|
|
91
|
+
**Use** means anything you do with the software requiring one of your licenses.
|
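Review bot: the Definitions section (new line 77) defines "the software" only as whatever the licensor makes available under these terms, and nothing in this file names pnpr or the packages it covers. Because the `package.json` hunk on this page pulls the platform builds in as six separate `@pnpm/pnpr.<platform>` optional dependencies, the README or a scope line should say whether those packages are under the same terms and whether each ships its own copy of `LICENSE.md`. The Notices section (new line 21) requires that anyone receiving any part of the software also receives the terms and the `Required Notice:` line.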
package/README.md
CHANGED
|
@@ -41,6 +41,7 @@ pnpm config set registry http://127.0.0.1:4873/
|
|
|
41
41
|
| `-c, --config <path>` | Path to a verdaccio-shaped YAML config. When omitted, the bundled default is used. |
|
|
42
42
|
| `--listen <addr>` | Address to bind to. Defaults to `127.0.0.1:4873`. |
|
|
43
43
|
| `--storage <path>` | Override the storage directory from the loaded config. |
|
|
44
|
+
| `--cache <path>` | Override the disposable proxy-cache directory (the mirror of upstream registries plus the install-accelerator store). Defaults to a `.pnpr-cache` subdirectory of `--storage`. |
|
|
44
45
|
| `--public-url <url>` | URL clients should use to reach the server, used when rewriting `dist.tarball` in served packuments. Defaults to `http://<listen>`. |
|
|
45
46
|
| `--packument-ttl-secs <n>` | Seconds before a cached packument is considered stale and refetched. |
|
|
46
47
|
|
|
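Review bot: the new `--cache` row (new line 44) describes the directory as disposable, but it is also the mirror of upstream registries, and it defaults to a `.pnpr-cache` subdirectory of `--storage`. If cached packuments and tarballs are served from it, "disposable" covers loss of the data, not tampering with it, so the row should say that a directory passed to `--cache` needs the same write restrictions as `--storage`. It would also help to name the config-file key that `--cache` overrides, as the `--storage` row does for its own setting.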
@@ -76,3 +77,171 @@ Pass it with `-c`:
|
|
|
76
77
|
```sh
|
|
77
78
|
pnpr -c ./pnpr.yaml
|
|
78
79
|
```
|
|
80
|
+
|
|
81
|
+
### Storing hosted packages in S3 / Cloudflare R2
|
|
82
|
+
|
|
83
|
+
`pnpr` keeps two kinds of data:
|
|
84
|
+
|
|
85
|
+
- **Hosted** — the source of truth: packages published to this server
|
|
86
|
+
plus anything served in static mode. This lives under `storage`.
|
|
87
|
+
- **Cache** — the disposable mirror of upstream registries plus the
|
|
88
|
+
install-accelerator store. This lives under `cache` (defaults to
|
|
89
|
+
`<storage>/.pnpr-cache`).
|
|
90
|
+
|
|
91
|
+
By default both are local directories. Adding an `s3:` block moves the
|
|
92
|
+
**hosted** store into an S3-compatible object store, so the durable data
|
|
93
|
+
is replicated by the provider and can be shared by several stateless
|
|
94
|
+
`pnpr` replicas. The cache and the install-accelerator databases always
|
|
95
|
+
stay on local disk — only the hosted store is pluggable.
|
|
96
|
+
|
|
97
|
+
Because any S3-compatible endpoint works, this also covers **Cloudflare
|
|
98
|
+
R2**, **MinIO**, **Backblaze B2**, **Wasabi**, etc. — point `endpoint`
|
|
99
|
+
at the right host.
|
|
100
|
+
|
|
101
|
+
```yaml
|
|
102
|
+
storage: ./storage # still backs the local cache + upload staging
|
|
103
|
+
|
|
104
|
+
s3:
|
|
105
|
+
bucket: my-pnpr-packages
|
|
106
|
+
region: auto
|
|
107
|
+
# Omit `endpoint` for AWS S3. For R2 use the account endpoint:
|
|
108
|
+
endpoint: https://<account-id>.r2.cloudflarestorage.com
|
|
109
|
+
# Optional key prefix, so one bucket can hold more than the hosted store:
|
|
110
|
+
prefix: packages
|
|
111
|
+
# Credentials. Omit these to fall back to the standard
|
|
112
|
+
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables.
|
|
113
|
+
accessKeyId: ${PNPR_S3_ACCESS_KEY_ID}
|
|
114
|
+
secretAccessKey: ${PNPR_S3_SECRET_ACCESS_KEY}
|
|
115
|
+
```
|
|
116
|
+
|
|
117
|
+
| Key | Required | Description |
|
|
118
|
+
| --- | --- | --- |
|
|
119
|
+
| `bucket` | yes | Bucket the hosted packages are stored in. |
|
|
120
|
+
| `region` | no | AWS S3 needs a real region (e.g. `us-east-1`); Cloudflare R2 uses `auto`. |
|
|
121
|
+
| `endpoint` | no | Custom endpoint for S3-compatible providers. Omit for AWS S3; for R2 it's `https://<account-id>.r2.cloudflarestorage.com`; for MinIO it's e.g. `http://127.0.0.1:9000`. |
|
|
122
|
+
| `prefix` | no | Key prefix every object is stored under. |
|
|
123
|
+
| `accessKeyId` | no | Access key. Falls back to `AWS_ACCESS_KEY_ID` when unset. |
|
|
124
|
+
| `secretAccessKey` | no | Secret key. Falls back to `AWS_SECRET_ACCESS_KEY` when unset. |
|
|
125
|
+
| `forcePathStyle` | no | Use path-style addressing (`endpoint/bucket/key`) instead of virtual-hosted (`bucket.endpoint/key`). MinIO typically needs `true`; AWS and R2 work with the default. |
|
|
126
|
+
| `allowHttp` | no | Allow plain-HTTP endpoints — needed for a local MinIO over `http://`. Defaults to HTTPS-only. |
|
|
127
|
+
|
|
128
|
+
Any `${ENV_VAR}` in the config is substituted from the environment
|
|
129
|
+
before parsing, so secrets can be kept out of the file. Keeping the
|
|
130
|
+
credentials in `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` and
|
|
131
|
+
omitting them from the YAML works too.
|
|
132
|
+
|
|
133
|
+
Run it the same way as any other config:
|
|
134
|
+
|
|
135
|
+
```sh
|
|
136
|
+
AWS_ACCESS_KEY_ID=… AWS_SECRET_ACCESS_KEY=… pnpr -c ./pnpr.yaml
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
A complete R2 example, end to end:
|
|
140
|
+
|
|
141
|
+
```yaml
|
|
142
|
+
# pnpr.yaml
|
|
143
|
+
storage: ./storage
|
|
144
|
+
|
|
145
|
+
s3:
|
|
146
|
+
bucket: my-pnpr-packages
|
|
147
|
+
region: auto
|
|
148
|
+
endpoint: https://abc123def456.r2.cloudflarestorage.com
|
|
149
|
+
|
|
150
|
+
uplinks:
|
|
151
|
+
npmjs:
|
|
152
|
+
url: https://registry.npmjs.org/
|
|
153
|
+
|
|
154
|
+
packages:
|
|
155
|
+
'**':
|
|
156
|
+
access: $all
|
|
157
|
+
publish: $authenticated
|
|
158
|
+
proxy: npmjs
|
|
159
|
+
```
|
|
160
|
+
|
|
161
|
+
```sh
|
|
162
|
+
export AWS_ACCESS_KEY_ID="<r2-access-key-id>"
|
|
163
|
+
export AWS_SECRET_ACCESS_KEY="<r2-secret-access-key>"
|
|
164
|
+
pnpr -c ./pnpr.yaml --listen 0.0.0.0:4873 --public-url https://registry.example.com
|
|
165
|
+
```
|
|
166
|
+
|
|
167
|
+
(`--public-url` is what rewrites the `dist.tarball` URLs in served
|
|
168
|
+
packuments, so clients fetch tarballs back through this server rather
|
|
169
|
+
than the upstream.)
|
|
170
|
+
|
|
171
|
+
A local MinIO over plain HTTP needs `forcePathStyle` and `allowHttp`:
|
|
172
|
+
|
|
173
|
+
```yaml
|
|
174
|
+
s3:
|
|
175
|
+
bucket: pnpr
|
|
176
|
+
region: us-east-1
|
|
177
|
+
endpoint: http://127.0.0.1:9000
|
|
178
|
+
forcePathStyle: true
|
|
179
|
+
allowHttp: true
|
|
180
|
+
accessKeyId: minioadmin
|
|
181
|
+
secretAccessKey: minioadmin
|
|
182
|
+
```
|
|
183
|
+
|
|
184
|
+
### Storing users and tokens in a networked SQLite database
|
|
185
|
+
|
|
186
|
+
Auth state — the registered users and their bearer tokens — is the other
|
|
187
|
+
piece of per-instance disk state. By default users live in an
|
|
188
|
+
htpasswd file and tokens in a local SQLite database (see `auth:` above),
|
|
189
|
+
so two `pnpr` replicas don't see each other's accounts. Adding a
|
|
190
|
+
`backend:` block moves both into one **networked SQLite** database
|
|
191
|
+
(libsql / [Turso](https://turso.tech)), so several stateless replicas
|
|
192
|
+
share a consistent set of logins and tokens — the auth half of running
|
|
193
|
+
`pnpr` horizontally scaled.
|
|
194
|
+
|
|
195
|
+
The schema is the same SQLite the local backend uses (the `tokens` table
|
|
196
|
+
is identical; users move from the htpasswd file into a `users` table), so
|
|
197
|
+
a database can be migrated between the two. Token lookups happen on the
|
|
198
|
+
request hot path, so the database should be low-latency from the server.
|
|
199
|
+
|
|
200
|
+
```yaml
|
|
201
|
+
storage: ./storage
|
|
202
|
+
|
|
203
|
+
backend:
|
|
204
|
+
libsql:
|
|
205
|
+
# libsql/Turso database URL. `libsql://…` for Turso, or
|
|
206
|
+
# `http://127.0.0.1:8080` for a local `sqld`.
|
|
207
|
+
url: ${PNPR_LIBSQL_URL}
|
|
208
|
+
# Bearer token for the database. Omit for an unauthenticated local
|
|
209
|
+
# `sqld`.
|
|
210
|
+
authToken: ${PNPR_LIBSQL_TOKEN}
|
|
211
|
+
```
|
|
212
|
+
|
|
213
|
+
| Key | Required | Description |
|
|
214
|
+
| --- | --- | --- |
|
|
215
|
+
| `url` | yes | Database URL — `libsql://<db>.turso.io` (Turso) or `http://<host>:<port>` (self-hosted `sqld`). |
|
|
216
|
+
| `authToken` | no | Bearer token for the database. Omit for an unauthenticated local `sqld`. |
|
|
217
|
+
| `replicaPath` | no | Path to a local **embedded replica**. When set, reads (token lookups) hit this local file instead of a network round-trip; writes still go to the primary. Absent ⇒ every read is a remote query. |
|
|
218
|
+
| `syncIntervalSecs` | no | How often (seconds) the embedded replica pulls from the primary. Only meaningful with `replicaPath`; bounds how stale a read can be (token-revocation lag). `0` disables background sync. Defaults to `60`. |
|
|
219
|
+
|
|
220
|
+
Token lookups happen on the request hot path, so for a remote primary
|
|
221
|
+
(e.g. Turso) set `replicaPath` to serve reads from a local replica:
|
|
222
|
+
|
|
223
|
+
```yaml
|
|
224
|
+
backend:
|
|
225
|
+
libsql:
|
|
226
|
+
url: ${PNPR_LIBSQL_URL}
|
|
227
|
+
authToken: ${PNPR_LIBSQL_TOKEN}
|
|
228
|
+
replicaPath: ./auth-replica.db
|
|
229
|
+
syncIntervalSecs: 60
|
|
230
|
+
```
|
|
231
|
+
|
|
232
|
+
The trade-off is read freshness: an embedded replica reflects another
|
|
233
|
+
replica's writes (a token issued or revoked elsewhere) only after the
|
|
234
|
+
next background sync, so lower `syncIntervalSecs` means less
|
|
235
|
+
revocation lag. Omit `replicaPath` to always read the primary directly.
|
|
236
|
+
|
|
237
|
+
When the `backend:` block is absent, auth stays on local disk and the
|
|
238
|
+
`auth.htpasswd` / `auth.tokens` settings apply as before. The
|
|
239
|
+
`auth.htpasswd.max_users` registration cap is honored either way.
|
|
240
|
+
|
|
241
|
+
## License
|
|
242
|
+
|
|
243
|
+
Source-available under the [PolyForm Shield License 1.0.0](https://github.com/pnpm/pnpm/blob/main/pnpr/LICENSE.md) — **not** open source. You may run, modify, and self-host pnpr for any purpose except providing a product that competes with it. Commercial / non-compete licenses are available from Zoltan Kochan (<https://kochan.io>).
|
|
244
|
+
|
|
245
|
+
## Trademark notice
|
|
246
|
+
|
|
247
|
+
pnpr is not affiliated with, endorsed by, or sponsored by npm, Inc., GitHub, or Microsoft. "npm" is a trademark of npm, Inc., used here only to describe compatibility with the npm registry protocol.
|
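Review bot: the `syncIntervalSecs` row (new line 218) says `0` disables background sync and that the interval bounds token-revocation lag, but it does not say what refreshes the embedded replica when the value is `0`. With `replicaPath` set, a token revoked on another replica would keep passing local lookups for an unstated length of time. State the behaviour for `0` explicitly, or reject `0` when `replicaPath` is set, and say in the trade-off paragraph (new lines 232-235) that with the default of `60` a revoked token can stay usable on other replicas until their next sync. Two smaller points in the same hunk: `${ENV_VAR}` is substituted before parsing (new line 128), so the text should say what happens when a variable is unset or its value contains YAML syntax; and the MinIO example (new lines 174-181) pairs `allowHttp: true` with literal `minioadmin` credentials, which should be labelled as a loopback test setup next to the R2 example that listens on `0.0.0.0:4873` with `access: $all`.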
package/package.json
CHANGED
|
@@ -6,7 +6,7 @@
|
|
|
6
6
|
"npm",
|
|
7
7
|
"registry"
|
|
8
8
|
],
|
|
9
|
-
"license": "
|
|
9
|
+
"license": "SEE LICENSE IN LICENSE.md",
|
|
10
10
|
"homepage": "https://github.com/pnpm/pnpm/tree/main/pnpr",
|
|
11
11
|
"bugs": "https://github.com/pnpm/pnpm/issues",
|
|
12
12
|
"repository": {
|
|
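Review bot: the new `license` value on line 9, `SEE LICENSE IN LICENSE.md`, is not an SPDX identifier, so dependency license checks that match on SPDX ids will report this package as custom or unknown instead of recognising what changed. The version only moves from one `0.0.0-` prerelease stamp to another, so nothing in the version signals a license change either; it should be called out in the release notes. The removed `"license": "` line is cut off in this rendering, so the previous value cannot be confirmed from this hunk alone.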
@@ -18,16 +18,17 @@
|
|
|
18
18
|
"node": ">=18.*"
|
|
19
19
|
},
|
|
20
20
|
"files": [
|
|
21
|
-
"bin/pnpr"
|
|
21
|
+
"bin/pnpr",
|
|
22
|
+
"LICENSE.md"
|
|
22
23
|
],
|
|
23
|
-
"version": "0.0.0-
|
|
24
|
+
"version": "0.0.0-26060501",
|
|
24
25
|
"optionalDependencies": {
|
|
25
|
-
"@pnpm/pnpr.win32-x64": "0.0.0-
|
|
26
|
-
"@pnpm/pnpr.win32-arm64": "0.0.0-
|
|
27
|
-
"@pnpm/pnpr.darwin-x64": "0.0.0-
|
|
28
|
-
"@pnpm/pnpr.darwin-arm64": "0.0.0-
|
|
29
|
-
"@pnpm/pnpr.linux-x64": "0.0.0-
|
|
30
|
-
"@pnpm/pnpr.linux-arm64": "0.0.0-
|
|
26
|
+
"@pnpm/pnpr.win32-x64": "0.0.0-26060501",
|
|
27
|
+
"@pnpm/pnpr.win32-arm64": "0.0.0-26060501",
|
|
28
|
+
"@pnpm/pnpr.darwin-x64": "0.0.0-26060501",
|
|
29
|
+
"@pnpm/pnpr.darwin-arm64": "0.0.0-26060501",
|
|
30
|
+
"@pnpm/pnpr.linux-x64": "0.0.0-26060501",
|
|
31
|
+
"@pnpm/pnpr.linux-arm64": "0.0.0-26060501"
|
|
31
32
|
},
|
|
32
33
|
"bin": {
|
|
33
34
|
"pnpr": "bin/pnpr"
|
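Review bot: all six `@pnpm/pnpr.<platform>` entries in `optionalDependencies` (new lines 26-31) move to `0.0.0-26060501`, and those packages are not part of this diff, so what is reviewed here covers only the manifest, README and license files of the wrapper package. The exact-version pins are the right choice for platform packages, but the review of this release is incomplete until the six platform packages are diffed at the same version. The removed lines are truncated at `"0.0.0-` in this rendering, so the old pins have to be read from the previous published manifest.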
package/LICENSE
DELETED
|
@@ -1,22 +0,0 @@
|
|
|
1
|
-
The MIT License (MIT)
|
|
2
|
-
|
|
3
|
-
Copyright (c) 2015-2016 Rico Sta. Cruz and other contributors
|
|
4
|
-
Copyright (c) 2016-2026 Zoltan Kochan and other contributors
|
|
5
|
-
|
|
6
|
-
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
7
|
-
of this software and associated documentation files (the "Software"), to deal
|
|
8
|
-
in the Software without restriction, including without limitation the rights
|
|
9
|
-
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
10
|
-
copies of the Software, and to permit persons to whom the Software is
|
|
11
|
-
furnished to do so, subject to the following conditions:
|
|
12
|
-
|
|
13
|
-
The above copyright notice and this permission notice shall be included in all
|
|
14
|
-
copies or substantial portions of the Software.
|
|
15
|
-
|
|
16
|
-
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
17
|
-
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
18
|
-
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
19
|
-
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
20
|
-
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
21
|
-
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
22
|
-
SOFTWARE.
|
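Review bot: the deleted file credits "Rico Sta. Cruz and other contributors" (old line 3) alongside Zoltan Kochan, and its condition on old lines 13-14 requires the copyright and permission notice to stay with all copies or substantial portions of the software. The added `LICENSE.md` carries a `Required Notice:` for Zoltan Kochan only. Confirm that the package no longer contains code covered by the earlier notice; if it does, keep that notice in the package, for example in a third-party notices file listed under `files`.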