Upload public packages on gemfury - gem-fury

Using the command line tool, is there a way to upload a package already marked as public?

An initial upload of a package to Gemfury will always be private. Once you've marked an uploaded package as public, all subsequently uploaded versions of that package will be public as well.

Related

Does Gemfury protect against dependency confusion?

Given Alex Birsan's revelation that he was able to run code internally within major private companies via dependency confusion (uploading packages to a public repo with the same name as a company's private/internal package, but with a higher version number), does Gemfury have protections against this?
I know the blended index goes a long way because all dependencies will be pulled from the Gemfury repo first if applicable, but does this include version checks? For example: if my Gemfury repo contains package A with version 1.1 and the public repo contains package A with version 1.2, and my package.json is set to pull the package with the highest minor number, is Gemfury smart enough to pull version 1.1 from my local repo instead of 1.2 from the public repo?
The answer is dependent on the package manager. For package managers that do multi-repo resolution on the client side, this will be dependent on the implementation of the package manager. For some, you can explicitly specify the source for each dependency, which avoids repo confusion. Given Alex Birsan's revelation, various package managers are addressing this individually.
As far as Gemfury's blending indexes for npm and Go Modules, the blending is done at the package level, so if a named package exists in your private account, only private versions are surfaced to the client for that package. This avoids versions in the public index interfering with a private package.

How do I edit a Meteor package from Atmosphere that's not on GitHub?

I have some Twitter functionality I'm working on and I want to use "Application-Only Authentication" which only needs my Twitter application credentials to just perform GETS in my app (e.g. random tweet searches based on user inputted tags, etc. - no actual user posting.)
Twitter supports this but most of the Twitter packages on Atmosphere and NPM do not. They force you to pass both application credentials and OAuth tokens; if you don't, your requests come back invalid. The most popular Meteor Twitter API package, called mrt:twit, actually wraps the NPM package ttezel/twit, which implements Application-Only Authentication correctly; however, the Meteor wrapper package mrt:twit forces you to use Full Authentication requiring the user's OAuth tokens, which I don't want or need to use. So I'd like to edit mrt:twit to properly follow ttezel/twit's interface.
However, the mrt:twit package is not on GitHub. How do I figure out where this lives and/or if I can access it locally and modify it and/or find some repository online where it lives? Atmosphere doesn't offer much help, providing no links to where this package is actually downloaded from.
Link for mrt:twit: https://atmospherejs.com/mrt/twit
Link for ttezel/twit: https://github.com/ttezel/twit
EDIT: I'm using Meteor 1.1.0.2. I was able to find where mrt:twit is locally. It's at:
.../.meteor/local/build/programs/server/packages/
After investigating, it's not that mrt:twit doesn't "implement" ttezel/twit's interface correctly, it's that mrt:twit is using/requiring an old version of ttezel/twit, version 1.1.9 instead of the current 2.1.0. That old version of ttezel/twit doesn't support the "application-only" authorization - I can see it in the code. Hence my above original issue. ttezel/twit downloads to the following folder:
.../.meteor/local/build/programs/server/npm/mrt_twit/node_modules/twit
Inside the above folder I see the full .git package for ttezel/twit, but it's version 1.1.9. So I assume I could just replace this folder with the latest 2.1.0 version of ttezel/twit, but I don't think you're supposed to have to mess with anything inside of a node_modules folder, right? Shouldn't there be a config file somewhere to edit?
For the life of me I can't find where mrt:twit is declaring to use version 1.1.9. In all the code it just calls Npm.require('twit'). There's no config file I can find that sets the version to 1.1.9. The only thing I found is a file at the second path above, sitting next to the twit folder, called .node_version, and all it has in it is v0.10.20, which is a version of Node to use, I assume. That wouldn't "force" whatever package versions were out at that time, would it? If so, then that's probably what is setting ttezel/twit to use 1.1.9.
My original post question still exists though, where can I find mrt:twit on a server so I can fork it/edit it and not have to edit the code locally?
I emailed the creators of Atmosphere (percolatestudio.com) and Tom was really helpful and pointed me to where mrt:twit lives on GitHub. It's on the old 1.0 atmosphere:
https://old-atmosphere.meteor.com/package/twit
And that page points to the actual GitHub location which is:
https://github.com/subhog/meteor-twit
So the above link is from where the current mrt:twit package downloads into your Meteor app if you add it to your app (as of this writing). Once I found that I could easily see in the package.js file it declares Npm.depends({twit: "1.1.9"}). On a side note: It would be nice if the current version of Atmosphere pointed you to the GitHub location of older/legacy packages how it does the new packages.
So I was able to fork this and update the package to use version 2.1.0 of ttezel/twit. I made a pull request for mrt:twit so hopefully the author updates it - as this is the number one Twitter API package for Meteor with 1,200 downloads. Seemed better to update it than to publish my own version.
Until then, I made a local package following the below link and everything is working great - including application-only authentication. Thanks for the comments - they were helpful. I'm still pretty new at Meteor and how the packaging system works.
http://www.webtempest.com/meteor-js-packages-tutorial
If you want to access the updated package I made it's at the below link but it's not a published meteor package - so you'll have to download it and use it locally:
https://github.com/evolross/meteor-twit
You should check .meteor/local/* folders.
I have a lot of packages files in .meteor/local/build/programs/server/packages
I'm afraid it's all compiled but you can grab some code you need and make your own package.

Azure web-sites private packages source

On my project I need to use private packages.
Does azure web sites support publishing project using private packages via npm or other source?
We support npm from a private git repo. See this. However, you will have to set up SSH keys (see this). Hope it helps.

Latest ServiceStack Swagger-ui NuGet package (v 4.0.30) does not deploy the swagger-ui resource folder

I have a project that was using ServiceStack with Swagger-UI. I installed and set this up with v4.0.24 and recently upgraded to v4.0.30.
The latest ServiceStack.Api.Swagger NuGet package (https://www.nuget.org/packages/ServiceStack.Api.Swagger/) does not seem to install the /swagger-ui resource folder as the previous package did.
I tried this with a new clean ServiceStack ASP.NET solution in VS2013. Added ServiceStack.Api.Swagger from NuGet, and enabled the plugin in AppHost.cs thus:
public override void Configure(Container container)
{
    this.AddPlugin(new SwaggerFeature());
}
The swagger-ui feature seems to work fine, but it appears the resources (index.html, js, css, etc.) are embedded in the dll, and it is required to edit the index.html at a minimum to configure Swagger-UI.
Am I missing something, or is this a bug in the latest NuGet package?
I have edited my Swagger v4.0.24 HTML, CSS and JS; am I safe to pull these from the ServiceStack Git (https://github.com/ServiceStack/ServiceStack/tree/master/src/ServiceStack.Api.Swagger) and manually add / merge them into my solution?
It's a good idea to check the ServiceStack Release Notes to find out what's changed in each release.
Notes for Swagger changes in v4.0.30:
All static resources are now embedded
All of Swagger's static resources are embedded into a single ServiceStack.Api.Swagger.dll, taking advantage of the Virtual File System's transparent support for Embedded Resources, making it easier to manage and upgrade Swagger as a self-contained unit.
In summary, you no longer need Swagger's assets as they're now embedded in the dll.
Virtual File System
The docs on the Virtual File System shows how to override embedded resources:
Overriding Swagger's Embedded Resources
ServiceStack's Virtual File System supports multiple file source locations where you can override Swagger's embedded files by including your own custom files in the same location as the existing embedded files. This lets you replace built-in ServiceStack embedded resources with your own by simply copying the /swagger-ui or /swagger-ui-bootstrap files you want to customize and placing them in your Website Directory at the same paths, i.e.:
/swagger-ui
    /css
    /images
    /lib
    index.html
/swagger-ui-bootstrap
    index.html
    swagger-like-template.html

Can I run a private npm repository without replicating the public repository?

I'm writing a number of pieces of code (for internal use) using node.js and want to store the modules (packaged up for npm) in a package repository for distribution to the various machines they will be installed on.
Ideally, I'd like a solution similar to Debian's apt repositories in which I can run a private repository server and configure npm to use a list of repositories to install from (When installing "foo", if "foo" is known by my private server install it from there, otherwise install it from the public server).
However, it looks like the npm registry configuration key only accepts a single URL.
Is there a way to achieve what I want?
The closest I've been able to find have been:
Mirroring the public repository locally and adding my packages on top of it… but I don't want to keep that amount of data (2.5G and still downloading) replicated on AWS.
Hosting all my packages in git repositories and installing from there (which is more of a hassle).
Hosting static packages on HTTP (as far as I can tell, this would prevent me from automatically getting "the latest version". I suppose I could do something with symlinks, but that is still less flexible than git, requires full URLs (which need to be kept up to date), and doesn't give a searchable repository.)
I just set this up for my work. Here's what I did:
Set up an empty npm registry: I followed the instructions from this fork of npmjs.org, which adds much improved documentation.
Set up Kappa: I used Kappa, a great npm proxy from PayPal. (I'm guessing they have a very similar use case to most people who want a private repository; this was exactly what I wanted.)
Set up npm_lazy (optional): I wanted a nice cache of frequently used packages in case npmjs.org went down, so I added npm_lazy in front of the whole thing, as a caching layer.
Whole thing took two days(ish) to get up and running. As a side note, if you're worried about people pushing to the public registry by accident, I recommend adding this to your package.json:
"publishConfig": { "registry": "http://my-registry.example.com" },
This really is just a bit of paranoia; once you set up your npm to point to your Kappa/npm_lazy instance, Kappa handles publishing to your private repository for you.
Note: Kappa will only ever publish to the first repository in its config. If you need to publish to both your private registry and the public one, you will need to work out your own solution.
In your package.json, you can use any URL that points to a valid npm packed module. I use an S3 bucket with a name that is hard to guess.
npm pack
s3cmd put *.tgz s3://path-to-your-bucket
S3 is just an example; you could use any means that can place a file on a web server, and it can even be protected via basic auth.
I believe Paypal's Kappa project would suit your need.
Here is an article describing Paypal's Kraken project and how Kappa fits in.
I understand it wasn't available at the time of Quentin's question, but perhaps this will be useful for others that come along here.
npm-registry-client GitHub issue #42 lists several ways to create your own repository mirror, namely:
https://github.com/cnpm/cnpmjs.org
https://github.com/rlidwka/sinopia
https://github.com/rlidwka/sinopia#similar-existing-things
https://github.com/davglass/registry-static
Overall it seems to me that you can get best answers by searching through issues in repositories owned by https://github.com/npm or by asking your question there
Based only on listening to a recent episode of NodeUp (#37?), I think you may want to have a look at irisnpm. From what I remember it's a service which gives you a merged set of the public modules and your own private modules.
As Dominic Barnes suggested, we can replicate only the _design documents (CouchDB table schemas):
How to replicate design documents only?
However, you still need to check whether some of the data is needed.
You could replicate the modules you need and then write a proxy server which looks for a module in your replication. If a module doesn't exist, it could pipe the request to NPM and return the result from there.
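The Gemfury dependency-confusion answer earlier on this page says blending is done at the package level (a name known to the private index never surfaces public versions), and the answer just above suggests a proxy that serves modules from a local replica and pipes everything else to npm. The following is an added example, not code from Gemfury, npm, Kappa or any poster here, that models both resolution strategies against constructed sample indexes: a naive client-side merge in which the highest matching version wins, and package-level blending. The indexes, the package names acme-utils and left-pad, and the caret-only semver handling are all assumptions made for the illustration; a real proxy would apply routeRegistryRequest per incoming request and a real resolver would use a full semver library.

```javascript
// Added example, not from Gemfury, npm, Kappa or any answer on this page.
// Constructed sample data: the private registry holds acme-utils 1.0.0 and
// 1.1.0; an attacker has published acme-utils 1.2.0 and 1.99.0 publicly.
const PRIVATE_INDEX = { 'acme-utils': ['1.0.0', '1.1.0'] };
const PUBLIC_INDEX = {
  'acme-utils': ['1.2.0', '1.99.0'],
  'left-pad': ['1.3.0'],
};

function parseVersion(v) {
  return v.split('.').map(Number);
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Minimal caret range: ^M.m.p accepts >= M.m.p and < (M+1).0.0.
// Real npm semver has many more forms; this is enough to show resolution.
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error('only ^ ranges supported here');
  const base = range.slice(1);
  return parseVersion(version)[0] === parseVersion(base)[0]
    && compareVersions(version, base) >= 0;
}

function highestMatching(versions, range) {
  const ok = versions.filter((v) => satisfiesCaret(v, range));
  if (ok.length === 0) return null;
  return ok.sort(compareVersions)[ok.length - 1];
}

// Strategy 1: merge both indexes on the client and let the highest matching
// version win. This is exactly the path dependency confusion exploits: the
// attacker's public 1.99.0 beats the private 1.1.0 for the range ^1.1.0.
function resolveMerged(name, range) {
  const candidates = [];
  for (const v of PRIVATE_INDEX[name] || []) candidates.push({ version: v, source: 'private' });
  for (const v of PUBLIC_INDEX[name] || []) candidates.push({ version: v, source: 'public' });
  const matching = candidates.filter((c) => satisfiesCaret(c.version, range));
  if (matching.length === 0) return null;
  matching.sort((a, b) => compareVersions(a.version, b.version));
  return matching[matching.length - 1];
}

// Strategy 2: package-level blending. If the private index knows the name,
// only private versions are surfaced, even when none match the range; the
// public index is consulted only for names the private index has never seen.
function resolveBlended(name, range) {
  if (Object.prototype.hasOwnProperty.call(PRIVATE_INDEX, name)) {
    const v = highestMatching(PRIVATE_INDEX[name], range);
    return v === null ? null : { version: v, source: 'private' };
  }
  const v = highestMatching(PUBLIC_INDEX[name] || [], range);
  return v === null ? null : { version: v, source: 'public' };
}

// Routing rule a registry proxy would apply per request: packuments and
// tarballs for names in the local replica are served locally, everything else
// is piped upstream. Scoped names arrive URL-encoded as one path segment.
function routeRegistryRequest(pathname) {
  const name = decodeURIComponent(pathname.replace(/^\//, '').split('/')[0]);
  return Object.prototype.hasOwnProperty.call(PRIVATE_INDEX, name) ? 'local' : 'upstream';
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('merged :', resolveMerged('acme-utils', '^1.1.0'));
  console.log('blended:', resolveBlended('acme-utils', '^1.1.0'));
  console.log('route  :', routeRegistryRequest('/acme-utils/-/acme-utils-1.1.0.tgz'));
}
```

The point of the contrast is that a version check alone is not the defence; the merged strategy does check the range and still picks the attacker's package. Blending at the package level, or pinning each private dependency to an explicit registry or URL as the earlier answers suggest, is what removes the public index from the decision.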