npm publish for a package to AWS CodeArtifact repo fails with error "The provided package is configured to block new version publishes."
I've created an AWS CodeArtifact repository with an upstream connection to npmjs.com. After installing the latest publicly available version of the lodash package (4.17.21), I tried to publish a self-patched version to the repository (4.17.50). When I do this, I get the following error:
npm ERR! 400 Bad Request - PUT https://amazon-{redacted}.d.codeartifact.us-west-2.amazonaws.com/npm/test-repository/lodash - The provided package is configured to block new version publishes.
What would cause this action to be blocked? Similar publishes have succeeded in the past; has something recently changed?
CodeArtifact recently released a feature called Package Origin Control (POC) to help avoid unintended intermixing of public (such as from npmjs.com) and private package versions.

This feature lets repository owners block how new versions of a package get sourced into a repository, by blocking publication of new versions and/or the downloading of upstream versions into the repository. This can help users protect against a "dependency substitution" attack, where a version of a package that is intended to be internal-only is published to a public repository by a malicious actor to trick the build systems into unintentionally consuming the malicious external version instead. Blog post on the topic: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
Each package in a CodeArtifact repository now has two origin control flags, publish and upstream. Each can be set to either ALLOW or BLOCK. The publish flag controls whether new versions of the package can be published into the repository, and the upstream flag controls whether new versions of the package that are present in an upstream repository but not yet retained in the repository will be available through the upstream repository.
If a package first enters a repository as a result of being downloaded from an upstream, then the package has its publish flag set to BLOCK. This is what has happened to the package in question. If you wish to intentionally mix public and private packages, then you will need to set the publish flag for the package to ALLOW. You can do this in the AWS Console on the CodeArtifact package details page (Repositories list -> Repository view -> Package view -> Origin controls section), or via the AWS CLI by calling put-package-origin-configuration like so:
aws codeartifact put-package-origin-configuration --domain test-domain \
    --repository test-repository --format npm --package lodash \
    --restrictions publish=ALLOW,upstream=BLOCK
Note: As written, this command will allow the publish to succeed, but will prevent pulling additional public versions of lodash into the repository from npmjs.com. While the restrictions can be set to publish=ALLOW,upstream=ALLOW, the safest configuration will always have the publish / upstream flags inverted to prevent mixing public and private versions. The restrictions can also be set temporarily in the event you want to publish a patched version of a public package, then return to blocking future publishes.
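The "set temporarily, then return to blocking" workflow from the answer, as an added example that is not part of the answer or of the AWS CLI: a small bash wrapper around describe-package and put-package-origin-configuration that opens the publish flag (with upstream blocked, as in the answer's command) only for one npm publish of a patched version, and puts publish back to BLOCK afterwards even if the publish fails. The domain and repository names are the ones from the answer's command; the script assumes a configured AWS CLI and an npm already logged in to the repository.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer or from AWS. Assumes a configured
# AWS CLI and an npm already logged in to the repository (aws codeartifact login).
set -eu

DOMAIN="${DOMAIN:-test-domain}"        # names taken from the answer's command
REPO="${REPO:-test-repository}"

# Print the package's origin control flags as two words: "<publish> <upstream>".
# --query is JMESPath filtering over the describe-package JSON output.
origin_flags() {
  aws codeartifact describe-package --domain "$DOMAIN" --repository "$REPO" \
      --format npm --package "$1" \
      --query 'package.originConfiguration.restrictions.[publish,upstream]' \
      --output text
}

# set_restrictions <package> <publish flag> <upstream flag>
set_restrictions() {
  aws codeartifact put-package-origin-configuration \
      --domain "$DOMAIN" --repository "$REPO" --format npm --package "$1" \
      --restrictions "publish=$2,upstream=$3" >/dev/null
}

# publish_patched <package> <folder containing the patched package.json>
# Opens publish (with upstream blocked) only for the duration of one
# npm publish, then restores publish=BLOCK and whatever upstream setting the
# package had before, whether or not npm succeeded.
publish_patched() {
  local pkg="$1" dir="$2" flags publish upstream status=0
  flags=$(origin_flags "$pkg")          # aborts (set -e) if describe fails
  set -- $flags
  publish="$1"; upstream="$2"
  echo "$pkg before: publish=$publish upstream=$upstream" >&2
  set_restrictions "$pkg" ALLOW BLOCK   # open the gate for this publish only
  npm publish "$dir" || status=$?       # keep going so the gate is closed again
  set_restrictions "$pkg" BLOCK "$upstream"
  echo "$pkg after: publish=BLOCK upstream=$upstream (npm exit $status)" >&2
  return "$status"
}

# Usage: publish_patched lodash ./lodash-4.17.50
```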