Introducing Policies & Plugins

We are happy to introduce Policies & Plugins for Bytesafe registries!

Bytesafe’s offering does not stop at enterprise grade private npm registries. With policies and plugins, Bytesafe takes your JavaScript package workflow to the next level!

What are Policies and Plugins?

Policies are rules that are executed before any registry action is applied. Example actions include publishing a new version of a package, or deleting a tag.

Plugins extend Bytesafe’s core with added functionality, such as vulnerability scanning or sending notifications to Slack.

Policies and plugins are configured inside Bytesafe, in the Plugins tab for a registry.

Bytesafe offers a number of built-in policies and plugins ready for use, and will also support custom and third-party integrations in the future.

Policies are especially powerful in combination with upstreams, so be sure to read the introduction to upstreams.

First out: Freeze, Immutable versions & Forward

The initial release includes two policies and one plugin:

  • Freeze
  • Immutable versions
  • Forward

The following sections will walk you through the basic functions of these policies and plugins. For further reading and more usage examples related to this release, stay tuned for upcoming posts with more in-depth information.

Policy: Freeze

The Freeze policy prevents any changes to the contents of a registry. All attempts to pull/push/publish/delete packages, tags and versions will be denied with a message that the registry is read-only.

This is a powerful way to make sure that new packages and versions are introduced in a controlled manner, for example only at the start of a sprint.

It’s also a good way to make sure that QA and releases are made using the exact versions intended, even across different projects and teams.

Policy: Immutable versions

The Immutable versions policy prevents existing versions of a package from being overwritten by publish/push/pull.

Bytesafe by default allows versions to be overwritten, unlike the public npm registry. This enables, for example, patching public packages or fixing errors found in QA before release.

Immutable versions is for situations where you want to restrict this functionality, such as in registries used for releases or integrations between teams.

With this policy enabled, attempts to re-publish a package version (or otherwise overwrite an existing version) will fail with a warning.
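To make the behaviour of the two policies concrete, here is a constructed Python model (added here, not Bytesafe’s code) of a registry that runs every policy before an action is applied; the first policy that objects denies the action. Package names, versions and the policy function signatures are assumptions for the illustration.

```python
"""Constructed model of registry policies. Not Bytesafe code."""
from dataclasses import dataclass, field

# Actions that change registry contents (Freeze denies all of them).
MUTATING = {"publish", "push", "pull", "delete"}
# Actions that add a version to the registry (Immutable versions guards these).
ADDING = {"publish", "push", "pull"}


@dataclass
class Registry:
    # package name -> set of stored versions (constructed sample state)
    versions: dict = field(default_factory=dict)
    # policies run in order before any action; each returns a denial reason or None
    policies: list = field(default_factory=list)

    def check(self, action, package, version=None):
        """Evaluate all policies; return (allowed, reason)."""
        for policy in self.policies:
            reason = policy(self, action, package, version)
            if reason:
                return False, reason
        return True, "ok"

    def apply(self, action, package, version=None):
        """Run the policy check, then mutate state only if allowed."""
        allowed, reason = self.check(action, package, version)
        if allowed and action in ADDING:
            self.versions.setdefault(package, set()).add(version)
        elif allowed and action == "delete":
            self.versions.get(package, set()).discard(version)
        return allowed, reason


def freeze(reg, action, package, version):
    """Freeze policy: the registry is read-only."""
    return "registry is read-only (Freeze)" if action in MUTATING else None


def immutable_versions(reg, action, package, version):
    """Immutable versions policy: an existing version may not be overwritten."""
    if action in ADDING and version in reg.versions.get(package, ()):
        return f"{package}@{version} already exists (Immutable versions)"
    return None


def demo():
    """Constructed scenario: one new version, one overwrite, one frozen delete."""
    reg = Registry(versions={"example-pkg": {"1.0.0"}}, policies=[immutable_versions])
    results = [reg.apply("publish", "example-pkg", "1.0.1"),  # allowed
               reg.apply("publish", "example-pkg", "1.0.0")]  # denied: overwrite
    reg.policies = [freeze]
    results.append(reg.apply("delete", "example-pkg", "1.0.1"))  # denied: frozen
    return results, sorted(reg.versions["example-pkg"])
```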

Plugin: Forward

The Forward plugin automatically pushes new package versions to upstreams.

This is useful, for example, when you want a team to be able to publish packages to public npm without distributing the package maintainer access token to individual developers.

Available now!

Policies and plugins are already available to be used with your registry.

And as always, if you have any questions regarding policies and plugins please get in touch with the Bytesafe Support Team!
