@atripp
Thank you for your help.
This resolves my problem.
Good to hear that it will be default behaviour, current behaviour is not intuitive.
Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
@atripp
Thank you for your help.
This resolves my problem.
Good to hear that it will be default behaviour, current behaviour is not intuitive.
Due to a recent vulnerability reported in Axios (https://github.com/axios/axios/issues/10604
), I configured the npm setting:
min-release-age=3
When using ProGet as the npm registry, I encountered an issue where packages that were actually published several days ago are treated as if they were published just moments ago.
Steps to reproduce:
Configure npm with:
min-release-age=3
Use ProGet as the npm registry with connector to public npm registry with cache package enabled.
Attempt to install a package that was published more than 3 days ago, e.g.:
npm install --save vite-plugin-svgr@5.2.0
Observed behavior:
The installation fails with:
npm ERR! code ETARGET
npm ERR! notarget No matching version found for vite-plugin-svgr@5.2.0 with a date before <date/time according to min-release-age>.
Running:
npm view vite-plugin-svgr
shows that ProGet reports:
published XX minutes ago
Additionally, in the ProGet UI, the published date matches the cache date, which appears to be incorrect.
Actual package information:
The package vite-plugin-svgr@5.2.0 was published to the public npm registry approximately 7 days ago.
Problem:
ProGet seems to overwrite or ignore the original published timestamp from the upstream npm registry and instead uses the cache/import timestamp.
This behavior breaks compatibility with npm’s min-release-age security feature, making it ineffective when ProGet is used as a proxy.
Expected behavior:
ProGet should preserve the original published date from the upstream npm registry.
The cache/import date must not replace or be treated as the package publish date.
Impact:
This issue makes it impossible to reliably enforce security policies such as min-release-age, which are critical for mitigating risks from newly published (and potentially malicious) packages.