Verdaccio allows you protect publishing to your registry. To achieve that you will need to set up correctly configure your packages access.
Let's see for instance the following set up. You have a set of dependencies that are prefixed with
my-company-* and you need to protect them from anonymous or other non-authorized logged-in users.
"my-company-*": access: admin teamA teamB teamC publish: admin teamA
With this configuration, we allow the groups admin and teamA to publish and teamA, teamB and teamC to access the specified dependencies.
So, if I am logged as teamD. I shouldn't be able to access all dependencies that match the
➜ npm whoamiteamD
I won't have access to such dependencies and they also won't be visible via the web interface for user teamD. If I try to access it, the following will happen:
➜ npm install my-company-corenpm ERR! code E403npm ERR! 403 Forbidden: webpack-1@latest
➜ yarn add my-company-coreyarn add v0.24.6info No lockfile found.[1/4] 🔍 Resolving packages...error An unexpected error occurred: "http://localhost:5555/webpack-1: unregistered users are not allowed to access package my-company-core".