chore(deps): update verdaccio/verdaccio docker tag to v6.4.0 #7311

Merged
wanghe-fit2cloud merged 2 commits into dev from renovate/verdaccio-verdaccio-6.x
Apr 7, 2026
@renovate renovate bot commented Apr 6, 2026

This PR contains the following updates:

Package | Update | Change
verdaccio/verdaccio | minor | 6.3.2 -> 6.4.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

verdaccio/verdaccio (verdaccio/verdaccio)

v6.4.0

Compare Source

Features

Package Filter Plugins (#5786, #5548) by @vsugrob, @pyhp2017

The @verdaccio/package-filter package is bundled by default but must be enabled by the user.

@verdaccio/package-filter is a built-in plugin that intercepts package metadata from uplinks and removes versions matching configurable rules. With no rules configured, it acts as a no-op passthrough.

Block a compromised package version

filters:
  '@verdaccio/package-filter':
    block:
      - package: 'event-stream'
        versions: '3.3.6'

Block an entire malicious scope

filters:
  '@verdaccio/package-filter':
    block:
      - scope: '@malicious'

Quarantine recently published versions

Hide versions published less than 7 days ago, giving time for review before adoption:

filters:
  '@verdaccio/package-filter':
    minAgeDays: 7

Freeze registry to a point in time

Only serve versions published before a specific date:

filters:
  '@verdaccio/package-filter':
    dateThreshold: '2025-01-01'

Whitelist trusted packages within blocked rules

filters:
  '@verdaccio/package-filter':
    minAgeDays: 30
    allow:
      - scope: '@my-company'
      - package: 'trusted-pkg'

Replace instead of remove

Substitute a blocked version with the nearest older safe version, useful when removing it would break transitive dependencies:

filters:
  '@verdaccio/package-filter':
    block:
      - package: 'compromised-lib'
        versions: '>=3.0.0'
        strategy: replace

Full example

filters:
  '@verdaccio/package-filter':
    minAgeDays: 7
    block:
      - scope: '@malicious'
      - package: 'typosquat-pkg'
      - package: 'compromised-lib'
        versions: '>=3.0.0'
        strategy: replace
    allow:
      - scope: '@my-org'
      - package: 'compromised-lib'
        versions: '3.0.1'

Bug Fixes

  • fix(deps): Updated lodash to v4.18.1 (#5777)
  • fix(deps): Updated core @verdaccio/* dependencies (#5674, #5780)

Full Changelog: verdaccio/verdaccio@v6.3.2...v6.4.0


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
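
Because the release notes say the filter must be enabled by the user, it is worth checking what the registry actually serves once the upgrade is deployed. The following is an added example, not code from Verdaccio, the plugin, or this PR: it audits one package's metadata document (the JSON a registry returns for a package name) against a policy shaped like the YAML above. The names `auditPackument`, `ruleMatchesName`, `samplePackument` and `samplePolicy` are hypothetical; the allow-rule precedence is an assumption, and semver ranges and `strategy: replace` are not modelled.

```javascript
// Added example. Constructed packument in npm metadata shape (`versions` + `time`);
// the timestamps and version 9.9.9 are made up for the demonstration.
const samplePackument = {
  name: 'event-stream',
  versions: { '3.3.5': {}, '3.3.6': {}, '9.9.9': {} },
  time: {
    '3.3.5': '2018-03-01T00:00:00.000Z',
    '3.3.6': '2018-09-09T00:00:00.000Z',
    '9.9.9': '2026-04-05T00:00:00.000Z',
  },
};

// Policy object mirroring the YAML keys shown in the release notes.
const samplePolicy = {
  minAgeDays: 7,
  block: [{ package: 'event-stream', versions: '3.3.6' }, { scope: '@malicious' }],
  allow: [{ scope: '@my-company' }],
};

const DAY_MS = 24 * 60 * 60 * 1000;

// A rule names either a whole scope or a single package.
function ruleMatchesName(rule, name) {
  if (rule.scope) return name.startsWith(rule.scope + '/');
  return rule.package === name;
}

// Returns [{version, reason}] for every version the policy says should be hidden.
// Assumptions: an allow rule without `versions` exempts the package entirely, and
// `versions` is compared as an exact string (semver ranges are not evaluated).
function auditPackument(packument, policy, now = new Date()) {
  const { name, versions = {}, time = {} } = packument;
  const exempt = (policy.allow || []).some((r) => !r.versions && ruleMatchesName(r, name));
  if (exempt) return [];
  const violations = [];
  for (const version of Object.keys(versions)) {
    const blocked = (policy.block || []).some(
      (r) => ruleMatchesName(r, name) && (!r.versions || r.versions === version));
    if (blocked) violations.push({ version, reason: 'blocked' });
    // A missing or unparsable timestamp yields NaN, which fails both checks (fail closed).
    const published = Date.parse(time[version]);
    if (policy.minAgeDays && !(now.getTime() - published >= policy.minAgeDays * DAY_MS)) {
      violations.push({ version, reason: 'too-recent' });
    }
    if (policy.dateThreshold && !(published < Date.parse(policy.dateThreshold))) {
      violations.push({ version, reason: 'after-threshold' });
    }
  }
  return violations;
}
```

An empty result for metadata fetched through the proxy means nothing the policy covers leaked through; any entry points at a rule that is missing, disabled, or not matching as intended.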

@wanghe-fit2cloud wanghe-fit2cloud merged commit 524b8b5 into dev Apr 7, 2026
1 check was pending
@wanghe-fit2cloud wanghe-fit2cloud deleted the renovate/verdaccio-verdaccio-6.x branch April 7, 2026 02:30