核心要点仅允许企业白名单注册表域名并强制 `https` 与 `strict-ssl`。令牌权限最小化,默认只读拉取;发布权限隔离在受控环境。`always-auth` 启用以避免匿名回退;对作用域与路径进行限制。实现示例type RegistryCfg = { registry: string; strictSsl: boolean; alwaysAuth: boolean; tokenScope?: string; scope?: string }
const allowRegistries = new Set<string>([
'https://registry.npmjs.org',
'https://registry.example.com'
])
function validRegistry(u: string): boolean {
try {
const url = new URL(u)
return url.protocol === 'https:' && allowRegistries.has(url.origin)
} catch {
return false
}
}
function policy(cfg: RegistryCfg): { ok: boolean; errors: string[] } {
const errors: string[] = []
if (!validRegistry(cfg.registry)) errors.push('registry')
if (!cfg.strictSsl) errors.push('strict-ssl')
if (!cfg.alwaysAuth) errors.push('always-auth')
if (cfg.tokenScope && !/^read:packages$/.test(cfg.tokenScope)) errors.push('token-scope')
return { ok: errors.length === 0, errors }
}
运行治理开发与生产分离配置;生产环境禁止使用用户级配置并仅加载受控机器配置。镜像切换采用受控回退;记录所有来源变更与校验状态以支持追溯。
发表评论 取消回复