Skip to main content

Release 4.2.0

ยท 3 min read

Verdaccio keeps growing, thanks to their users. This release is a minor one we do every month, for further information about our releases, it can be read here.

We have some highlights to share:

  • At this stage, Docker downloads have grown to 5.1 million pulls.
  • New Verdaccio Monorepo development has begun early this month, we are migrating small repositories, plugins and other tools to create a unique ecosystem, feel free to contribute. This first steps are developed by @sergiohgz with the contributions of @griffithtp.
  • We finally migrated all repositories to Typescript, we do not support Flow types anymore.

If you ๐Ÿ˜ Verdaccio as we do, helps us to grow more donating to the project via OpenCollective, this project is addressed by voluntaries, help us to be sustainable.

Thanks for support Verdaccio ! ๐Ÿ‘๐Ÿ‘๐Ÿ‘๐Ÿ‘.

Use this versionโ€‹


docker pull verdaccio/verdaccio:4.2.0


npm install -g verdaccio@4.2.0

New Featuresโ€‹

Typescript migration by @juanpicado, @priscilawebdev and @griffithtpโ€‹

Now, Verdaccio is built entirely in Typescript, the last phase was convert the main project.

The UI-Theme was also migrated to Typescript by @priscilawebdev with the help of @griffithtp for finishing the refactor and make ESLint looks great again.

audit module doesn't support strict_ssl flag by @dfrenchamโ€‹

There are some scenarios where Verdaccio runs behind company proxy with self-certificates. Now the audit middleware supports the flag strict_ssl, replicating the same feature availabe in uplinks.

enabled: true
strict_ssl: true # optional, defaults to true


prevent secrets from leaking to source control by @lirantalโ€‹

Adds support through detect-secrets which wraps Yelp's generic detect-secrets tool, to test for secrets being committed to source control using the pre-commit Git hook the project already has, and as a result prevent secrets like passwords, tokens and others to leak into source control.

The detect-secrets npm package will try different methods of invoking the detect-secrets-hook tool to run the secrets test for each file, and if it isn't able to find it will silently fail to not interrupt developer workflow. In a future re-visit of this capability we can update this to be a breaking change and fail the commit (or perhaps fail the CI, which might be a bit late, but better than never).

storage plugins can throw http status codes by @juanpicadoโ€‹

The storage plugins were forced to return some specific error codes that are not part of Node.js. Now we allow storage plugins to return the same error codes that Verdaccio returns to the Node Package Manager. Read more context in the PR.