build(deps-dev): bump verdaccio from 6.7.2 to 6.7.4#520

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/verdaccio-6.7.4
Jun 26, 2026
Conversation

@dependabot dependabot Bot commented on behalf of github Jun 26, 2026


Bumps verdaccio from 6.7.2 to 6.7.4.

Release notes

Sourced from verdaccio's releases.

v6.7.4

Patch Changes

  • 0205c78: fix: run jwt middleware before middleware plugins

    Register the JWT middleware before middleware plugins are loaded so that req.remote_user (anonymous by default) is available inside a plugin's register_middlewares. The API router keeps its own JWT middleware behind a guard so it is not executed twice.

    Backport of verdaccio/verdaccio#5697

    Closes #5167

v6.7.3

Patch Changes

  • f8fdfc2: fix: enforce generated npm token metadata

    Generated npm tokens (POST /-/npm/v1/tokens) stored their readonly and cidr_whitelist restrictions but never enforced them, and deleting a token did not revoke it for the package APIs. A token marked read-only or pinned to a CIDR range could still publish packages and change dist-tags, and a deleted token remained usable.

    Generated tokens now embed a server-issued key (in the JWT claim, or in the encrypted legacy AES payload) and a new enforceGeneratedTokenMetadata middleware looks that key up on each request, rejecting the token when it is missing/revoked, used outside its CIDR whitelist, or used for a write while read-only. Enforcement applies to both AES and JWT API-token modes.

    Note: tokens issued before upgrading carry no key and are not retroactively constrained — regenerate them to apply the restrictions.

  • be80623: fix: allow npm token create without readonly/cidr_whitelist

    npm token create in npm >= 11 (and the npm 12 prereleases) rewrote the request body: it no longer sends readonly and only sends cidr_whitelist when --cidr is passed. The POST /-/npm/v1/tokens endpoint required both, so modern npm clients failed with 422 the parameters are not valid.

    The endpoint now defaults readonly to false and cidr_whitelist to [] when they are absent, while still rejecting values of the wrong type.

  • 75c85d5: Update verdaccio dependencies to the latest npm dist-tag (@verdaccio/ui-theme tracks next-9):

    • @verdaccio/ui-theme: 9.0.0-next-9.19 → 9.0.0-next-9.20

  • d5e5332: chore: update dependencies

    Updates runtime dependencies @verdaccio/ui-theme (9.0.0-next-9.19) and

... (truncated)

Changelog

Sourced from verdaccio's changelog.

6.7.4

Patch Changes

  • 0205c78: fix: run jwt middleware before middleware plugins

    Register the JWT middleware before middleware plugins are loaded so that req.remote_user (anonymous by default) is available inside a plugin's register_middlewares. The API router keeps its own JWT middleware behind a guard so it is not executed twice.

    Backport of verdaccio/verdaccio#5697

    Closes #5167

6.7.3

Patch Changes

  • f8fdfc2: fix: enforce generated npm token metadata

    Generated npm tokens (POST /-/npm/v1/tokens) stored their readonly and cidr_whitelist restrictions but never enforced them, and deleting a token did not revoke it for the package APIs. A token marked read-only or pinned to a CIDR range could still publish packages and change dist-tags, and a deleted token remained usable.

    Generated tokens now embed a server-issued key (in the JWT claim, or in the encrypted legacy AES payload) and a new enforceGeneratedTokenMetadata middleware looks that key up on each request, rejecting the token when it is missing/revoked, used outside its CIDR whitelist, or used for a write while read-only. Enforcement applies to both AES and JWT API-token modes.

    Note: tokens issued before upgrading carry no key and are not retroactively constrained — regenerate them to apply the restrictions.

  • be80623: fix: allow npm token create without readonly/cidr_whitelist

    npm token create in npm >= 11 (and the npm 12 prereleases) rewrote the request body: it no longer sends readonly and only sends cidr_whitelist when --cidr is passed. The POST /-/npm/v1/tokens endpoint required both, so modern npm clients failed with 422 the parameters are not valid.

    The endpoint now defaults readonly to false and cidr_whitelist to [] when they are absent, while still rejecting values of the wrong type.

  • 75c85d5: Update verdaccio dependencies to the latest npm dist-tag (@verdaccio/ui-theme tracks next-9):

    • @verdaccio/ui-theme: 9.0.0-next-9.19 → 9.0.0-next-9.20

  • d5e5332: chore: update dependencies

... (truncated)

Commits

@dependabot dependabot Bot added the dependencies and javascript labels Jun 26, 2026
@github-actions github-actions Bot enabled auto-merge (squash) June 26, 2026 07:05
Bumps [verdaccio](https://github.com/verdaccio/verdaccio) from 6.7.2 to 6.7.4.
- [Release notes](https://github.com/verdaccio/verdaccio/releases)
- [Changelog](https://github.com/verdaccio/verdaccio/blob/v6.7.4/CHANGELOG.md)
- [Commits](verdaccio/verdaccio@v6.7.2...v6.7.4)

---
updated-dependencies:
- dependency-name: verdaccio
  dependency-version: 6.7.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/verdaccio-6.7.4 branch from ee115a1 to 11b4d1a Compare June 26, 2026 07:12
@github-actions github-actions Bot merged commit b2bf1be into main Jun 26, 2026
2 checks passed
@github-actions github-actions Bot deleted the dependabot/npm_and_yarn/verdaccio-6.7.4 branch June 26, 2026 07:16