Allow-only policy

Allows only defined packages and package versions to be added to a registry

Use the Allow-only policy to allow only specific packages or package versions in a registry. This is done by creating a definition list for a registry where the policy has been enabled.

Each allow-only definition is linked to a specific registry, allowing custom lists for different scenarios.

Allow-only policy settings

The Allow-only settings allow users to define and store their specific composition of packages and versions that should be allowed, while preventing all others.

An allow-only definition can consist of a package name, a specific package version, or a range of package versions, and may include optional wildcards.

Each type of registry has examples of valid syntax. Below is an example for npm and the react package.

Syntax                          Example
<PACKAGE_NAME>                  react
<PACKAGE_NAME>WILDCARD          react*
<PACKAGE_NAME>@<VERSION>        react@0.0.1
<PACKAGE_NAME><VERSION_RANGE>   react 0.0.1 - 0.0.3 || > 2.0.1

The definitions are validated directly. To store any changes and exit the settings, simply click on the Save settings button.


Use cases

Allow only - specific packages

Allow all versions of a package by adding a package name definition to the definition list without specifying any version. This is useful for making sure certain packages (regardless of version) are allowed to be added to the registry. All others are blocked.

Allow only - specific package versions

Allow a specific package version or range of versions. This gives strict control over which versions are added to the registry.
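
The following added example (not the product's own code) shows how the definition forms from the syntax table and the two use cases above can be evaluated with default-deny semantics. It assumes plain x.y.z versions and a simplified range grammar; `parseDefinition`, `isAllowed` and the `example-*` package names are hypothetical.

```javascript
// Added illustration, not the registry's own matcher. Assumes plain x.y.z
// versions, hyphen ranges, comparators (> >= < <= =), "||", and "*" in names.
const parseVer = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
};
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};
const OPS = {
  '>': (c) => c > 0, '>=': (c) => c >= 0, '<': (c) => c < 0,
  '<=': (c) => c <= 0, '=': (c) => c === 0,
};

// One "||" alternative: "A - B" (inclusive) or comparators that must all hold.
function matchesSet(version, set) {
  const v = parseVer(version);
  const s = set.trim();
  const hyphen = /^(\S+)\s+-\s+(\S+)$/.exec(s);
  if (hyphen) return cmp(v, parseVer(hyphen[1])) >= 0 && cmp(v, parseVer(hyphen[2])) <= 0;
  // Anything not fully understood raises an error instead of widening the list.
  return s.replace(/([<>=])\s+/g, '$1').split(/\s+/).every((tok) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(tok);
    if (!m) throw new Error(`unsupported comparator: ${tok}`);
    return OPS[m[1] || '='](cmp(v, parseVer(m[2])));
  });
}
const matchesRange = (version, range) =>
  range.split('||').some((set) => matchesSet(version, set));

// "name", "name*", "name@version" or "name <range>" -> name regex + range.
function parseDefinition(line) {
  const m = /^(@?[^@\s]+)(?:@(\S+)|\s+(.+))?$/.exec(line.trim());
  if (!m) throw new Error(`invalid definition: ${line}`);
  const glob = m[1].replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return { name: new RegExp(`^${glob}$`), range: m[2] ? `=${m[2]}` : m[3] || null };
}

// Default deny: admit a package only when at least one definition matches.
function isAllowed(definitions, name, version) {
  return definitions.map(parseDefinition).some(
    (d) => d.name.test(name) && (d.range === null || matchesRange(version, d.range)));
}

// Constructed sample list using the syntax forms shown above.
const SAMPLE = ['example-lib@1.2.3', 'example-ui*', 'react 0.0.1 - 0.0.3 || > 2.0.1'];
console.log(isAllowed(SAMPLE, 'react', '0.0.2'), isAllowed(SAMPLE, 'react', '1.0.0'));
```

Under the glob semantics assumed here, a definition such as `react*` admits every package whose name begins with `react`, so exact names give tighter control than wildcards.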