npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

wombat-dressing-room

v1.0.0

Published

npm registry proxy designed to reduce the attack surface of npm publish

Downloads

5

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

google-wombotgoogle-wombot

Keywords

Readme

Wombat Dressing Room

Google's npm registry proxy. Designed to reduce the attack surface of npm packages.

Build Status Known Vulnerabilities Code Style: Google

This is intended to be used from the git checkout at this time. Publishing to npm for thoroughness.

What it does

  • You publish to Wombat Dressing Room, and it enforces additional security rules, before redirecting to registry.npmjs.org.

  • Publishes are made from a single npm account with 2FA enabled (a bot account).

  • Publishes can be made using the npm CLI, by making Wombat Dressing Room the default registry (npm config set registry https://external-project.appspot.com).

Deployment

This service is deployed in 2 distinct services: an external service for registry access; and a protected service for authentication/authorization (you can use a proxy, such as IAP, to limit access to the authentication server).

Prerequisites

Wombat Dressing Room requires:

Create an npm account

You will need to create an npm account, which will be used or publication. This account should be configured such that 2FA is enabled for authentication and publication. When you are given a QR code to scan for your authenticator app, use a QR code reader to fetch and store the secret associated with the 2FA configuration. You will also need to scan the QR code with an authenticator app, so that you can provide an OTP token to npm.

Create a GitHub OAuth Application

As well as an npm account, you must create a GitHub OAuth application. These credentials are used when performing authenication: both when logging into Wombat Dressing Room, for creating tokens, and when verifying certain types of tokens.

Note: the Authorization callback configured with the OAuth application should be the URL of the internal service, with the suffix /oauth/github.

Setup your environment

Once you've addressed the prerequisites, you should create environment files in the config/ directory populating the appropriate variables.

In order to start this service in development you need to create a config/local.env, in order to deploy you'll need an config/external.env and config/internal.env.

Internal environment variables

NPM_OTP_SECRET={the text value of the otp secret}
NPM_TOKEN={the npm token}
GITHUB_CLIENT_ID={github app id}
GITHUB_CLIENT_SECRET={github app secret}
DATASTORE_PROJECT={project datastore is configured for}
LOGIN_ENABLED=yes-this-is-a-login-server
LOGIN_URL=https://project.appspot.com]
REGISTRY_URL=https://external-project.appspot.com

External environment variables

NPM_OTP_SECRET={the text value of the otp secret}
NPM_TOKEN={the npm token}
GITHUB_CLIENT_ID={github app id}
GITHUB_CLIENT_SECRET={github app secret}
DATASTORE_PROJECT={project datastore is configured for}
LOGIN_ENABLED=this-is-not-enabled
LOGIN_URL=https://project.appspot.com]
REGISTRY_URL=https://external-project.appspot.com

Development environment variables

NPM_OTP_SECRET={the text value of the otp secret}
NPM_TOKEN={the npm token}
GITHUB_CLIENT_ID={github app id}
GITHUB_CLIENT_SECRET={github app secret}
DATASTORE_PROJECT={project datastore is configured for}
LOGIN_ENABLED=yes-this-is-a-login-server
LOGIN_URL=http://127.0.0.1:8080
REGISTRY_URL=hhttp://127.0.0.1:8080

Deploy the application

To configure the Google App Engine services used by Wombat Dressing Room, perorm an initial deployment:

  1. install the gcloud command line tool, and run gcloud auth login.
  2. run GCLOUD_PROJECT=my-project npm run deploy, where my-project is the project configured in Prerequisites.

Create a datastore table

The tokens used by Wombat Dressing Room are stored in a datastore table, before accessing the application for the first time you should run:

GCLOUD_PROJECT=my-project npm run create-indexes

To populate this datastore schema.

Note: it takes datastore a while to initialize the first time you run the application. You can view the status of index creation in the Cloud Console.

Protect your application with IAP

Wombat Dressing Room consists of an internal application, used for authorization, and an external app, used for proxing to npm. You should limit access to the internal application, a great way to do so is with IAP: configuring the default application, such that only select accounts have access; and configuring the external application with the allUsers group, such that anyone can access the proxy.

Developing the service locally

Populate config/local.env, and run:

npm run develop

Deploying updates

Populate config/external.env, and config/internal.env, and run:

npm run deploy

Contributing

Contributions welcome! See the Contributing Guide.

License

Apache Version 2.0