Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

What is the role of 'registry.yarnpkg.com'? #889

Closed
iamchenxin opened this Issue Oct 12, 2016 · 9 comments

Comments

Projects
None yet
9 participants
@iamchenxin
Copy link

iamchenxin commented Oct 12, 2016

What is the difference from registry.npmjs?
Does it have some new Features?
It would be nice if there is an open source version of a yarnpkg registry server. so some one can set itsown private yarnpkg server.

PS:
As the Features describe:
supports mixing registries.
How to set this? Can i set different packages to different registrys by config file?

@sebmck

This comment has been minimized.

Copy link
Contributor

sebmck commented Oct 12, 2016

Right now it's just a reverse proxy to registry.npmjs.org. This is to give us more flexibility in the future if we decide to customise the backend to work more efficiently with our client.

@sebmck sebmck closed this Oct 12, 2016

@obogobo

This comment has been minimized.

Copy link

obogobo commented Oct 13, 2016

Is there any way to change which registry yarn points to by default? Our organization would love to use Yarn internally, but we have JFrog's Artifactory setup as an npm proxy and internal package store already. Being able to point Yarn towards our Artifactory instance would make for 100's of happier devs 😄

@azu azu referenced this issue Oct 13, 2016

Closed

Yarn #20

@egoist

This comment has been minimized.

Copy link

egoist commented Oct 13, 2016

@obogobo yarn config set registry

@obogobo

This comment has been minimized.

Copy link

obogobo commented Oct 13, 2016

@egoist seems to be the right command! doesn't quite work for us yet but it's probably on our end. Thanks!

@markstos

This comment has been minimized.

Copy link
Contributor

markstos commented Oct 14, 2016

I get how the abstraction of a reverse proxy allows for some future flexibility, but for now the extra layer adds an additional point of failure both for network reliability and also for DNS or infrastructure compromise.

Isn't it the case that the checksums that are checked against are also downloaded through registry.yarnpkg.org? So if your DNS or hosting is compromised, both packages and checksums could be modified to match.

The focus on offline/no-network/cached installs is a step forward for security in the NPM eco-system, but adding another point of failure and compromise to network installs is a step back.

If the checksums were downloaded directly from registry.npmjs.org while the code was downloaded through your reverse proxy, that would provide a cross-check against both services.

@r14c

This comment has been minimized.

Copy link

r14c commented Jul 10, 2017

@egoist i still see 404 Not Found after i set the registry using that command. using a private package on gemfury and their npm-proxy

@jdxcode

This comment has been minimized.

Copy link

jdxcode commented May 26, 2018

Given the issue that arose today with the CloudFlare outage. I think we should chat about this again. It certainly seems like a case of nobody's fault, and certainly not yarn's. However this service seems at the least unnecessary, likely reducing performance adding another hop, and at worst a potential security vector.

Of course, I could edit the registry on my local, but I collaborate with lots of other developers on many projects. I (frankly) would rather not have my yarn.lock file have a bunch of mismatched hosts in it or have to add a .yarnrc to all my projects.

I think if yarn wants to start adding server-side helpers it can take advantage of there is some great potential benefits, but if there is nothing right now, why do we default to this proxy? We could always change the default later when that functionality is added.

EDIT: I found out this isn't a proxy but a CNAME. I don't think this changes anything though.

@marcdavi-es

This comment has been minimized.

Copy link

marcdavi-es commented May 30, 2018

The flip side is that https://registry.yarnpkg.com/ is really helpful for me today as the main registry's fastly CDN has chosen to hate on me personally and bug out whenever I make any request 😂

@aleclarson

This comment has been minimized.

Copy link

aleclarson commented Nov 28, 2018

Is registry.yarnpkg.com only a mirror, still? There's an edge case that only occurs when the mirror is used (instead of registry.npmjs.org).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.