Allow package-filter minAgeDays to apply only to upstream packages

[davidus27]

Hello,

I am using the new package-filter feature and I have a question about handling a dynamic allow list of internal packages.

Problem

I can configure minAgeDays, which filters out all package versions newer than the configured age. This is useful for packages coming from an upstream registry.

However, when Verdaccio is also used as an internal registry, I do not want this rule to affect internally published packages. Internal packages should be available immediately after publishing.

The current allow list works well for scoped packages. However, if the registry contains many unscoped internal packages, the configuration becomes difficult to manage. Every newly created internal package would need to be added manually to the allow list, which would require periodic configuration updates and rebuilds.

As far as I can tell, there is currently no way to apply minAgeDays only to packages resolved from upstream while excluding packages that exist locally in Verdaccio.

Is that correct, or is there already a supported way to configure this?

Potential solution

It would be useful if Package Filters supported an option that controls whether the filter applies to:

• all packages, including local/internal packages
• only packages resolved from upstream/proxy registries

This would let teams use age-based filtering for supply-chain protection without having to manually maintain exceptions for every internal package.

[juanpicado]

Is that correct, or is there already a supported way to configure this?

No yet, but seems reasonable.

How this config would look like in your eyes?

[davidus27]

I think there could be a simple boolean attribute, something like skipLocalPackages. It would apply to the filter (with default to false) and check if the packages are upstream, or published locally. Then we could have filter like this:

filters:
  '@verdaccio/package-filter':
    minAgeDays: 7
    skipLocalPackages: true

Which would apply 7 day cooldown to only upstream packages.

I think the change could be relatively simple in code. If we agree on possible attribute I can propose PR for it.

[davidus27]

Hi, may I create issue/PR with possible implementation of this provided design? or do you have ideas how it could work differently or do you see possible issues with it?

[juanpicado]

sorry, I didn't follow up, let me write some thoughts first a bit later.

[juanpicado]

The problem I see with this approach is that skipLocalPackages would skip all packages, it would disallow common approaches that happens often, like a temporary prelreease of lodash or any other library. So what actually means local has to be a bit more clear.

My proposal would be similar what package managers are doing, example:

filters:
  '@verdaccio/package-filter':
    minAgeDays: 7
    preapproved:
      - '@my/*'
      - '@yours/*'
      - 'home-*'
      - 'internal-mac'

I haven't gave it second thoughts but let me know what you think, if you are agree I'd recommend you start at branch 8.x so can go directly to 6.x (we can cherry pick it later to master)

(note: my example won't cover for instance a prerelease of lodash, so might need some tweaking )

[davidus27]

Thanks, that makes sense. I agree that the meaning of “local” needs to be precise here.

What I had in mind was not a name-based exemption. I meant source-based behavior:

• if a version is available only from Verdaccio local storage / was published directly to this Verdaccio instance, do not apply minAgeDays
• if a version comes from an uplink/proxy registry, apply minAgeDays
• if the same package name exists both locally and upstream, the rule should be evaluated per version/source, not only by package name

So for example, if someone publishes an internal lodash prerelease locally, that local version would be available immediately because it is intentionally published to the internal registry. But a new lodash version coming from npmjs through an uplink would still be subject to the cooldown.

The main use case is supply-chain protection for newly released upstream packages, while avoiding operational friction for packages that are intentionally published internally. The current/preapproved approach helps for scoped packages or predictable naming patterns, but it still requires maintaining name patterns or explicit exceptions. The feature I am suggesting is more about origin/source of the package version than package name.

Maybe skipLocalPackages is not the best name because it sounds package-name based. A clearer option could be something like:

filters:
  '@verdaccio/package-filter':
    minAgeDays: 7
    applyTo: upstream

or:

filters:
  '@verdaccio/package-filter':
    minAgeDays: 7
    skipLocalVersions: true

The important part for me is that local/internal publishes are available immediately, while upstream/proxied versions still go through the cooldown.

Would that distinction address your concern, or is there a case where this wouldn't work?