npm - com.jimuwd.xian.registry-proxy - Versions diffs - 1.0.121 → 1.0.123 - Mend

com.jimuwd.xian.registry-proxy 1.0.121 → 1.0.123

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +4 -4
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -299,7 +299,7 @@ function getDownstreamClientIp(req) {
     // 直接连接时，取 socket.remoteAddress
     return req.socket.remoteAddress;
 }
-// 同时启动ipv6,ipv4监听，比如当客户端访问http://localhost:port时，无论客户端DNS解析到IPV4-127.0.0.1还是IPV6-::1地址，咱server都能轻松应对！
+// deprecated 出于安全考虑只监听::1地址，废弃本注释：同时启动ipv6,ipv4监听，比如当客户端访问http://localhost:port时，无论客户端DNS解析到IPV4-127.0.0.1还是IPV6-::1地址，咱server都能轻松应对！
 export async function startProxyServer(proxyConfigPath, localYarnConfigPath, globalYarnConfigPath, port = 0) {
     const proxyInfo = await loadProxyInfo(proxyConfigPath, localYarnConfigPath, globalYarnConfigPath);
     const registryInfos = proxyInfo.registries;
@@ -358,7 +358,7 @@ export async function startProxyServer(proxyConfigPath, localYarnConfigPath, glo
             resToDownstreamClient.writeHead(404).end('All upstream registries failed');
         }
     };
-    // 注意：需要同时启动ipv6,ipv4监听，比如当客户端访问http://localhost:port时，无论客户端DNS解析到IPV4-127.0.0.1还是IPV6-::1地址，咱server都能轻松应对！
+    // deprecated 废弃本注释：需要同时启动ipv6,ipv4监听，比如当客户端访问http://localhost:port时，无论客户端DNS解析到IPV4-127.0.0.1还是IPV6-::1地址，咱server都能轻松应对！
     let server;
     if (proxyInfo.https) {
         const { key, cert } = proxyInfo.https;
@@ -406,8 +406,8 @@ export async function startProxyServer(proxyConfigPath, localYarnConfigPath, glo
         };
         server.on('error', errHandler /*this handler will call 'reject'*/);
         server.on('connection', connectionHandler);
-        // 为了代理服务器的健壮性，要同时监听ipv4、v6地址
-        const listenOptions = { port, ipv6Only: false };
+        // 为了代理服务器的安全性，暂时只监听本机ipv6地址【::1】，不能对本机之外暴露本代理服务地址避免造成安全隐患
+        const listenOptions = { port, host: '::1', ipv6Only: true };
         server.listen(listenOptions, () => {
             const addressInfo = server.address();
             port = addressInfo.port; // 回写上层局部变量

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "com.jimuwd.xian.registry-proxy",
-  "version": "1.0.121",
+  "version": "1.0.123",
   "description": "A lightweight npm registry proxy with fallback support",
   "type": "module",
   "main": "dist/index.js",