NPM.Security.RegistryPolicy (NPM v0.7.0)

Copy Markdown View Source

Enforces registry origin policy for packuments and tarballs.

Registry and mirror confusion can move package metadata or tarballs to an unexpected host. The default policy allows the configured registry and mirror origins, blocks cross-origin redirects, and rejects tarball URLs outside the allowlist.

Summary

Functions

allowed_origins()

Return normalized allowed registry origins.

origin(url)

Return the normalized scheme://host[:port] origin for a URL.

validate_url!(url)

Validate that a URL belongs to an allowed registry origin.

Functions

allowed_origins()

@spec allowed_origins() :: [String.t()]

Return normalized allowed registry origins.

origin(url)

@spec origin(String.t()) :: String.t() | nil

Return the normalized scheme://host[:port] origin for a URL.

validate_url!(url)

@spec validate_url!(String.t()) :: :ok

Validate that a URL belongs to an allowed registry origin.