Verdaccio lets you restrict who can publish. To achieve that, you need to set up your package access rules correctly.
    'my-company-*':
      access: admin teamA teamB teamC
      publish: admin teamA
      proxy: npmjs
With this configuration, we allow the groups admin and teamA to publish, and teamA, teamB and teamC to access such dependencies.
So, if I am logged in as teamD, I shouldn't be able to access any of the dependencies that match with
    ➜ npm whoami
    teamD
I won't have access to such dependencies, and they also won't be visible in the web interface for user teamD. If I try to access them, the following will happen.
    ➜ npm install my-company-core
    npm ERR! code E403
    npm ERR! 403 Forbidden: webpack-1@latest
    ➜ yarn add my-company-core
    yarn add v0.24.6
    info No lockfile found.
    [1/4] 🔍 Resolving packages...
    错误出现意外错误: "http://localhost:5555/webpack-1: 不允许未注册用户访问my-company-core包"。
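To check a `packages` section before deploying it, the rule above can be evaluated offline. This is an added example, not Verdaccio's own code. It assumes first-match-wins rule order and a simplified `*`-only glob matcher, and the `**` catch-all rule and all function names are hypothetical.

```javascript
// Constructed sample: the rule from this page plus a hypothetical catch-all.
const packages = {
  'my-company-*': { access: 'admin teamA teamB teamC', publish: 'admin teamA', proxy: 'npmjs' },
  '**': { access: '$all', publish: '$authenticated', proxy: 'npmjs' },
};

// Simplified matcher (assumption): only `*` wildcards, anchored on both ends.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*+/g, '.*') + '$');
}

// Assumption: rules are evaluated top to bottom and the first match wins.
function matchRule(config, pkgName) {
  for (const [pattern, rule] of Object.entries(config)) {
    if (globToRegExp(pattern).test(pkgName)) return { pattern, rule };
  }
  return null;
}

// user: { name: string|null, groups?: string[] }; a null name means not logged in.
function isAllowed(config, pkgName, action, user) {
  const match = matchRule(config, pkgName);
  if (!match) return false; // no matching rule: deny
  const wanted = (match.rule[action] || '').split(/\s+/).filter(Boolean);
  const held = new Set([...(user.groups || []), '$all',
    user.name ? '$authenticated' : '$anonymous']);
  if (user.name) held.add(user.name);
  return wanted.some((g) => held.has(g));
}

// Audit helper: patterns whose publish right goes to a built-in broad group.
function broadPublishRules(config) {
  const broad = new Set(['$all', '$anonymous', '$authenticated']);
  return Object.entries(config)
    .filter(([, rule]) => (rule.publish || '').split(/\s+/).some((g) => broad.has(g)))
    .map(([pattern]) => pattern);
}

// teamD is not listed under access for my-company-*, so it is denied.
console.log(isAllowed(packages, 'my-company-core', 'access', { name: 'teamD' }));
console.log(broadPublishRules(packages));
```

If the `my-company-*` rule were placed below the catch-all, every lookup would match `**` first, so the order of the patterns is part of the protection.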