Allow-only policy
Allows only defined packages and package versions to be added to a registry
Policies are rules that are executed before any registry action is applied.
Example policy rules include freezing registries (making them read-only) and only allowing packages that have been scanned and found secure.
Configuration is done in the Plugins tab for a registry.
Policies are enabled per registry and configurations are not shared between registries. This allows users to tailor registries to different needs.
To enable a policy, toggle its switch to enabled.
Some policies include additional settings that allow more fine-grained control over how the policy functions. Depending on the policy, settings can be optional or mandatory.
To access the policy settings, click on the settings link for the specific policy.
Allows only defined packages and package versions to be added to a registry
Prevents packages and package versions from being added to a registry
Prevents updates from downstream registries.
Quarantines all npm packages with pre- and post-install scripts.
Quarantines new packages and versions added to a registry to enforce review and attestation.
Prevents newly published packages from external upstreams.
Prevents any changes to the registry contents. The registry will be read-only.
Disallows existing versions of a package to be overwritten by publish/push/pull.
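The following is an added illustration of how a policy chain like the one described above can be evaluated before a registry action is applied; it is not the product's own code. The `Action`, `RegistryState`, `Decision` types, the policy functions and the sample package names and versions are all constructed for this example. It models the allow-only rule (only listed packages and versions may be added), the immutable rule (existing versions cannot be overwritten) and the install-script quarantine rule, and shows that each registry gets its own independent policy list.

```python
"""Hypothetical policy chain for a package registry (illustrative only)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Action:
    kind: str                 # constructed action kinds: "publish" or "pull"
    package: str
    version: str
    has_install_scripts: bool = False  # npm pre-/post-install scripts present


@dataclass
class RegistryState:
    versions: Set[Tuple[str, str]]  # (package, version) pairs already stored


@dataclass
class Decision:
    allowed: bool = True
    quarantined: bool = False
    reasons: List[str] = field(default_factory=list)


# A policy inspects the action and may veto it or flag it for quarantine.
Policy = Callable[[Action, RegistryState, Decision], None]


def allow_only(allowlist: Dict[str, Set[str]]) -> Policy:
    """Allow-only rule: only packages/versions named in the allowlist may be added."""
    def rule(action: Action, state: RegistryState, decision: Decision) -> None:
        if action.kind != "publish":
            return  # reads are unaffected by this rule
        permitted = allowlist.get(action.package, set())
        if action.version not in permitted:
            decision.allowed = False
            decision.reasons.append(
                f"allow-only: {action.package}@{action.version} is not on the allowlist")
    return rule


def immutable(action: Action, state: RegistryState, decision: Decision) -> None:
    """Immutable rule: an existing version can never be overwritten."""
    if action.kind == "publish" and (action.package, action.version) in state.versions:
        decision.allowed = False
        decision.reasons.append(
            f"immutable: {action.package}@{action.version} already exists")


def quarantine_install_scripts(action: Action, state: RegistryState,
                               decision: Decision) -> None:
    """Quarantine rule: packages with pre-/post-install scripts are held for review."""
    if action.kind == "publish" and action.has_install_scripts:
        decision.quarantined = True
        decision.reasons.append("quarantine: package declares pre-/post-install scripts")


def evaluate(policies: List[Policy], action: Action, state: RegistryState) -> Decision:
    """Run every enabled policy before the action is applied; any one may veto."""
    decision = Decision()
    for policy in policies:
        policy(action, state, decision)
    return decision


# Per-registry configuration: each registry has its own policy list (constructed).
ALLOWLIST = {"left-pad": {"1.3.0", "1.4.0"}, "lodash": {"4.17.21"}}
REGISTRIES = {
    "prod": [allow_only(ALLOWLIST), immutable, quarantine_install_scripts],
    "sandbox": [quarantine_install_scripts],  # no allow-only here
}
STATE = RegistryState(versions={("left-pad", "1.3.0")})


def check(registry: str, action: Action) -> Decision:
    """Evaluate an action against the named registry's own policies."""
    return evaluate(REGISTRIES[registry], action, STATE)


if __name__ == "__main__":
    for act in (Action("publish", "lodash", "4.17.21"),
                Action("publish", "lodash", "4.17.20"),
                Action("publish", "left-pad", "1.3.0"),
                Action("publish", "new-dep", "1.0.0", has_install_scripts=True)):
        d = check("prod", act)
        print(f"{act.package}@{act.version}: allowed={d.allowed} "
              f"quarantined={d.quarantined} {d.reasons}")
```

Because every policy appends a reason instead of stopping at the first veto, the final decision records all rules that objected, which is what an operator wants when reviewing why a publish was rejected or quarantined.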