jsr
Self hosting / private packages
Is there any way to publish private packages, and to do it with GitHub Actions linked to private GitHub repositories?
No, JSR does not support private packages. We are planning to handle private package use cases by letting organizations self-host JSR. This is however not yet available.
I found JSR to be attractive but not being able to self-host a private registry would be a blocker for us. Or a cheap way to have private packages could be considered. We currently use Artifactory for example. Side note, not being able to set upstream registries would also be a blocker, some companies give us access to their codebase via access to their own NPM registries. Upstreams are great for providing other sources without the need to migrate and disturb the current workflow.
Also looking forward to trying this as a private proxy-registry in place of Verdaccio because of Verdaccio's bad performance. Hosting of @scopes would be a requirement, along with being able to proxy all other requests to another registry.
We are also using Verdaccio for testing and enabling some pre-merge CI runs. Being able to run a local version of JSR, maybe even with Verdaccio behind the scenes, would be great.
If JSR can somehow support a Git URL as a dependency, that would solve private registry for a lot of folks. With SSH authentication to the Git repository, it becomes dead simple to use. However, npm doesn't support installing packages from a subdirectory of the Git repository. But yarn does!
> If JSR can somehow support a Git URL as a dependency, that would solve private registry for a lot of folks. With SSH authentication to the Git repository, it becomes dead simple to use. However, npm doesn't support installing packages from a subdirectory of the Git repository. But yarn does!
Git dependencies are wrong on many levels imho:
- Git content is not immutable
- Git repos or their content can easily be deleted, which breaks dependents
- SSH connectivity is often not available in security-restricted environments
The prime benefit of a registry is that the content is immutable and it can be traced back to the source via provenance. So I would recommend not supporting volatile and insecure Git dependencies at all.
Also, the request you have is not relevant to JSR as a registry at all; this is something only between your client (npm) and said Git repository.
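The immutability objection above can be checked mechanically in an existing project. The following is an added example, not part of the thread or of JSR or npm: it scans a manifest for Git dependency specifiers and flags those not pinned to a full commit SHA. The function names and the sample manifest (including git.example.com and the commit hash) are constructed for illustration.

```javascript
// Added example: audit a package.json-style manifest for Git dependency specifiers.
// Recognises the npm Git forms: git+ssh://, git+https://, git://, github:/gitlab:/bitbucket:
// prefixes, and the bare "user/repo" GitHub shorthand.
const GIT_PREFIX = /^(git\+(ssh|https?|file):\/\/|git:\/\/|github:|gitlab:|bitbucket:)/i;
const SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;
const FULL_SHA = /^[0-9a-f]{40}$/i;

function classify(spec) {
  if (!GIT_PREFIX.test(spec) && !SHORTHAND.test(spec)) return "non-git";
  const hash = spec.indexOf("#");
  const committish = hash === -1 ? "" : spec.slice(hash + 1);
  // No fragment means the default branch; a branch, tag or semver: range can move.
  // A full SHA fixes the content, but the repository can still be deleted.
  return FULL_SHA.test(committish) ? "git-pinned" : "git-mutable";
}

function auditDependencies(manifest) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classify(spec);
      if (kind !== "non-git") findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical package names and host).
const sampleManifest = {
  dependencies: {
    "left-lib": "^1.4.0",
    "internal-a": "git+ssh://git@git.example.com/team/internal-a.git#main",
    "internal-b":
      "git+ssh://git@git.example.com/team/internal-b.git#0123456789abcdef0123456789abcdef01234567",
  },
  devDependencies: {
    "internal-c": "team/internal-c",
    "internal-d": "github:team/internal-d#semver:^2.0.0",
  },
};

for (const f of auditDependencies(sampleManifest)) {
  console.log(`${f.kind.padEnd(12)} ${f.field}.${f.name} -> ${f.spec}`);
}
```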
Deno literally downloads from a URL / git repository.
> Also, the request you have is not relevant to JSR as a registry at all; this is something only between your client (npm) and said Git repository.
https://www.npmjs.com/package/jsr is a CLI (client) that interacts with a website called https://jsr.io/, it just happens to be embedded in an npm package. Maybe my comment should belong to https://github.com/jsr-io/jsr-npm/issues
> We are planning to handle private package use cases by letting organizations self-host JSR.
Nice, some ask for self-hosting documentation and more simplicity #150
Is there any progress with this subject @lucacasonato? Thanks in advance.
Is there a feature that can be tracked for a self-hosted registry @lucacasonato?
+1
@lucacasonato do you have any update on this? Else I'd start looking into building my own, and I'd much rather take the easy route.
I'm willing to work on this but after taking a quick look through the code I have some questions about how auth would be handled. Will it stay GitHub only or are there plans for other OAuth methods?
Overall it feels like there are a lot of developer experience questions that I have which depend on the roadmap the JSR team has in mind.
I would love to see private repository support for JSR. I have a use case for some internal libraries which cannot be open sourced, and to use JSR as an opportunity to advocate for multiple runtimes, provenance, and... well, you know folks already know the reasons why what you've built is so compelling.
It would be nice to have this, if only to have a non-hacky workaround for Deno limitations:
- https://github.com/denoland/deno/issues/18478
- https://github.com/denoland/deno/issues/18474
You could solve these by instead having a self-hosted local JSR registry to pull packages from.
Wouldn't it be ideal to focus instead on the ability to self-host any JSR instance and proxy zero or more external JSR instances? This would allow organizations to self-host a private registry with built-in support for proxies, allow official JSR to focus on what it does, and allow additional communities of interest to focus on their own, curated approach to registries.
It would be great to have an option to self-host a private registry, especially now that we're doing away with HTTPS imports and installing packages using deno add is recommended.
I found these docs, which appear to be new too, so it looks like they are working on it: https://jsr.io/docs/private-registries