核心要点仅允许企业白名单注册表域名并强制 `https` 与 `strict-ssl`。令牌权限最小化,默认只读拉取;发布权限隔离在受控环境。`always-auth` 启用以避免匿名回退;对作用域与路径进行限制。实现示例type RegistryCfg = { registry: string; strictSsl: boolean; alwaysAuth: boolean; tokenScope?: string; scope?: string } const allowRegistries = new Set<string>([ 'https://registry.npmjs.org', 'https://registry.example.com' ]) function validRegistry(u: string): boolean { try { const url = new URL(u) return url.protocol === 'https:' && allowRegistries.has(url.origin) } catch { return false } } function policy(cfg: RegistryCfg): { ok: boolean; errors: string[] } { const errors: string[] = [] if (!validRegistry(cfg.registry)) errors.push('registry') if (!cfg.strictSsl) errors.push('strict-ssl') if (!cfg.alwaysAuth) errors.push('always-auth') if (cfg.tokenScope && !/^read:packages$/.test(cfg.tokenScope)) errors.push('token-scope') return { ok: errors.length === 0, errors } } 运行治理开发与生产分离配置;生产环境禁止使用用户级配置并仅加载受控机器配置。镜像切换采用受控回退;记录所有来源变更与校验状态以支持追溯。
投稿
微信公众账号
微信扫一扫加关注
评论 返回
顶部
发表评论 取消回复