pkg-proxy/config.example.yaml
Andrew Nesbitt 4f8f63f354
Add version cooldown to filter recently published packages
Hides package versions published too recently from metadata responses,
giving the community time to spot malicious releases. Configurable
per-ecosystem and per-package with duration overrides. Supported for
npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00


# Proxy server configuration
# Copy to config.yaml and modify as needed
# Server listen address
# NOTE(review): the default has no host part, so it presumably binds every
# interface; a host-qualified value such as "127.0.0.1:8080" would keep the
# proxy reachable from the local machine only - confirm against the listener.
listen: ":8080"
# Public URL where this proxy is accessible
# Used for rewriting package metadata URLs
# Clients are pointed at this URL by the rewritten metadata, so outside of
# local testing it should be an https URL that clients can verify.
base_url: "http://localhost:8080"
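# Artifact storage configuration
# url, path and max_size are children of `storage` and must stay indented;
# at column 0 they become top-level keys and clash with the database settings.
storage:
  # Storage backend URL
  # Supported schemes:
  #   - file:///path/to/dir - Local filesystem (default)
  #   - s3://bucket-name - Amazon S3
  #   - s3://bucket?endpoint=http://localhost:9000 - S3-compatible (MinIO)
  #
  # The MinIO example uses a plain-http endpoint, which suits a local test
  # instance only; use an https endpoint for anything reached over a network
  # so cached artifacts do not travel unencrypted.
  #
  # For S3, configure credentials via environment variables:
  #   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
  # Keep those values out of this file.
  url: ""

  # Local filesystem path (used when url is empty)
  # Deprecated: Use url with file:// scheme instead
  path: "./cache/artifacts"

  # Maximum cache size (e.g., "10GB", "500MB")
  # When exceeded, least recently used artifacts are evicted
  # Empty or "0" means unlimited
  # With no limit the cache can grow until the disk is full; set a size on
  # hosts that share the volume with other services.
  max_size: ""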
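# Database configuration
# driver, path and url are children of `database` and must stay indented;
# at column 0 they become top-level keys and clash with the storage settings.
database:
  # Database driver: "sqlite" (default) or "postgres"
  driver: "sqlite"

  # SQLite database file path (used when driver is "sqlite")
  path: "./cache/proxy.db"

  # PostgreSQL connection URL (used when driver is "postgres")
  # Example: "postgres://user:password@localhost:5432/proxy?sslmode=disable"
  #
  # sslmode=disable turns TLS off for the database connection. That is
  # reasonable only when the database runs on the same host; for a remote
  # server use sslmode=verify-full so the connection is encrypted and the
  # server certificate is checked.
  # A URL carrying a real password makes config.yaml a secret: keep it out of
  # version control and readable only by the account that runs the proxy.
  url: ""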
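# Logging configuration
# level and format are children of `log` and must stay indented.
log:
  # Minimum log level: "debug", "info", "warn", "error"
  # NOTE(review): what "debug" records is not described here; check whether it
  # includes upstream request headers before enabling it where registry
  # credentials are configured.
  level: "info"

  # Log format: "text" or "json"
  format: "text"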
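# Upstream registry URLs and authentication
# The registry URLs and `auth` are children of `upstream`; the per-registry
# entries are children of `auth`. Keep that nesting when uncommenting examples.
upstream:
  # Use https URLs for every upstream so metadata and artifacts cannot be
  # altered in transit.

  # npm registry URL
  npm: "https://registry.npmjs.org"

  # Cargo sparse index URL
  cargo: "https://index.crates.io"

  # Cargo crate download URL
  cargo_download: "https://static.crates.io/crates"

  # Authentication for upstream registries
  # Keys are URL prefixes matched against request URLs.
  # Values can reference environment variables using ${VAR_NAME} syntax.
  # Prefer ${VAR_NAME} references to literal tokens so that this file does
  # not itself become a credential store.
  #
  # NOTE(review): how the prefix is compared is not shown here. If it is a
  # plain string-prefix test, a key that ends at the host name could also
  # match a different host whose name begins with the same characters;
  # confirm the matching rule, and scope each key as narrowly as it allows.
  #
  # Supported auth types:
  #   - bearer: Authorization header with Bearer token
  #   - basic: Authorization header with Basic auth (username:password)
  #   - header: Custom header name and value
  auth:
    # Example: npm with bearer token
    # "https://registry.npmjs.org":
    #   type: bearer
    #   token: "${NPM_TOKEN}"

    # Example: GitHub npm registry
    # "https://npm.pkg.github.com":
    #   type: bearer
    #   token: "${GITHUB_TOKEN}"

    # Example: PyPI with basic auth
    # "https://pypi.org":
    #   type: basic
    #   username: "__token__"
    #   password: "${PYPI_TOKEN}"

    # Example: Custom header for private registry
    # "https://maven.mycompany.com":
    #   type: header
    #   header_name: "X-Auth-Token"
    #   header_value: "${MAVEN_TOKEN}"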
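# Version cooldown configuration
# Hides package versions published too recently, giving the community time
# to spot malicious releases before they're pulled into projects.
# Supported durations: "7d" (days), "48h" (hours), "30m" (minutes), "0" (disabled)
# Keep durations quoted so that "0" stays a string.
#
# Every setting below is commented out in this example, so presumably no
# cooldown applies until `default` or an override is enabled.
# The change that introduced this option describes it as filtering metadata
# responses, supported for npm, PyPI, pub.dev and Composer; other ecosystems,
# and requests that bypass metadata, should be assumed unfiltered until
# verified.
cooldown:
  # Global default cooldown for all ecosystems
  # default: "3d"

  # Per-ecosystem overrides
  # ecosystems:
  #   npm: "7d"
  #   cargo: "0"

  # Per-package overrides (keyed by PURL)
  # A "0" override exempts that package from the cooldown entirely; keep such
  # exemptions few and review them when the package changes maintainers.
  # packages:
  #   "pkg:npm/lodash": "0"
  #   "pkg:npm/@babel/core": "14d"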