This implements the minimum package age for npm.
Parsing and updating the npm info response
A few things are needed here:
- We'll need to replace the application/vnd.npm.install-v1+json request header with application/json
  - Otherwise, the response won't contain release times of the package versions.
- Remove packages that were released in the past 24 hours from the response
  - And update dist-tags that contain these versions (calculating a new latest if that one was removed)
- If the response was modified by our proxy:
  - Remove response headers that trigger caching: etag, last-modified, cache-control
    - This is done to allow the same package to be downloaded 24hrs later (etag would prevent this)
    - And to allow --safe-chain-skip-minimum-package-age, which would not work for 5 minutes because of the cache-control
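The steps above applied to an already-parsed application/json packument, as an added example that is not safe-chain's own code. The function name, the fallback rule for latest (newest remaining stable version), the deletion of other tags that point at removed versions, and the sample data are assumptions.

```javascript
const CACHE_HEADERS = new Set(["etag", "last-modified", "cache-control"]);
const HOUR_MS = 60 * 60 * 1000;

// Returns a filtered copy of the packument, the response headers to forward,
// and the suppressed version names (for reporting back to the caller).
function applyMinimumPackageAge(packument, headers, minAgeHours, now = Date.now()) {
  const cutoff = now - minAgeHours * HOUR_MS;
  const time = packument.time || {};
  // A version with no timestamp parses to NaN and is kept (assumed policy).
  const isTooNew = (v) => Date.parse(time[v]) > cutoff;
  // A threshold of 0 skips the feature altogether.
  const suppressed =
    minAgeHours > 0 ? Object.keys(packument.versions || {}).filter(isTooNew) : [];
  // Unmodified response: leave the caching headers alone.
  if (suppressed.length === 0) return { packument, headers, suppressed };

  const drop = new Set(suppressed);
  const keep = (obj) =>
    Object.fromEntries(Object.entries(obj).filter(([k]) => !drop.has(k)));
  const versions = keep(packument.versions);
  // Assumption: tags pointing at a removed version are deleted, and "latest"
  // falls back to the most recently published remaining stable version.
  const distTags = Object.fromEntries(
    Object.entries(packument["dist-tags"] || {}).filter(([, v]) => !drop.has(v))
  );
  if (!distTags.latest) {
    const stable = Object.keys(versions)
      .filter((v) => !v.includes("-"))
      .sort((a, b) => Date.parse(time[a]) - Date.parse(time[b]));
    if (stable.length) distTags.latest = stable[stable.length - 1];
  }
  // The body changed, so drop validators and freshness headers.
  const cleanHeaders = Object.fromEntries(
    Object.entries(headers).filter(([k]) => !CACHE_HEADERS.has(k.toLowerCase()))
  );
  const filtered = { ...packument, versions, time: keep(time), "dist-tags": distTags };
  return { packument: filtered, headers: cleanHeaders, suppressed };
}

// Constructed sample, evaluated at a fixed "now" so the result is stable.
const SAMPLE_NOW = Date.parse("2025-01-10T12:00:00Z");
const SAMPLE = {
  name: "example-pkg",
  "dist-tags": { latest: "1.2.0", next: "2.0.0-beta.1" },
  versions: { "1.0.0": {}, "1.1.0": {}, "1.2.0": {}, "2.0.0-beta.1": {} },
  time: { "1.0.0": "2024-11-01T00:00:00Z", "1.1.0": "2024-12-01T00:00:00Z",
          "1.2.0": "2025-01-10T06:00:00Z", "2.0.0-beta.1": "2024-12-15T00:00:00Z" },
};
```

With a 24-hour threshold the sample loses 1.2.0, latest moves to 1.1.0, and the next tag is untouched.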
Passing preferences from safe-chain to the proxy
Safe-chain has 2 flags related to the minimum package age (and more will come):
- Threshold for suppression: --safe-chain-minimum-package-age-hours=XXX
- Don't suppress packages: --safe-chain-skip-minimum-package-age
This data will need to be passed with proxy username tags and used by the proxy.
This can be done with user tags:
- min-pkg-age (can be set to 0 to skip the feature altogether)
Allow reporting back to safe-chain
When the npm command was intercepted by safe-chain, we'll need a way to get information about:
- Whether packages were suppressed
- Names of the suppressed packages