We are happy to introduce Policies & Plugins for Bytesafe registries!
What are Policies and Plugins?
Policies are rules that are executed before any registry action is applied. Example actions include publishing a new version of a package, or deleting a tag.
Plugins extend Bytesafe’s core with added functionality, such as vulnerability scanning or sending notifications to Slack.
Policies and plugins are configured in the Bytesafe web console, in the Plugins tab for a registry.
Bytesafe offers a number of built-in policies and plugins ready for use, but will also support custom and 3rd party integrations in the future.
First out: Freeze, Immutable versions & Forward
The initial release includes two policies and one plugin:
- Freeze
- Immutable versions
- Forward
The following sections will walk you through the basic functions of these policies and plugins. For further reading and more usage examples related to this release, stay tuned for upcoming posts with more in-depth information.
The Freeze policy prevents any changes to the contents of a registry. All attempts to pull/push/publish/delete packages, tags and versions will be denied with a message that the registry is read-only.
This is a powerful way to make sure that new packages and versions are introduced in a controlled manner, for example at the start of a sprint.
It’s also a good way to make sure that QA and releases are made using the exact versions intended, even across different projects and teams.
Policy: Immutable versions
The Immutable versions policy prevents existing versions of a package from being overwritten by publish/push/pull.
Bytesafe by default allows versions to be overwritten, unlike the public npm registry. This enables patching of public packages or fixing errors found in QA before release etc.
Immutable versions is for situations where you want to restrict this functionality, such as in registries used for releases or integrations between teams.
With this policy enabled, attempts to re-publish a package version (or otherwise overwrite it) will fail with a warning.
The Forward plugin automatically pushes new package versions to upstreams.
This is useful, for example, when you want a team to be able to publish packages to public npm without distributing the package maintainer access token to individual developers.
Policies and plugins are already available to be used with your registry.
And as always, if you have any questions regarding policies and plugins, please get in touch with the Bytesafe Support Team!