Block policy

Use the Block policy to prevent specific packages or package versions from being added to a registry. This is done by creating a definition list per registry where the policy has been enabled.

Each block list is linked to a specific registry, allowing custom lists for different scenarios.

The policy does not prevent dependencies of blocked packages from being added to the registry (unless you have also explicitly added these to the block list).

Block policy settings

The Block settings allow users to define and store their specific composition of packages and versions that should be prevented from being added to a registry.

Block definitions can consist of either a package name, a specific package versions or ranges of package versions as well as optional wildcards.

Each type of registry has examples of valid syntax. Below is an example for npm and the react package.

Definitions are validated directly.

To store any changes and exit the settings, simply click on the Save settings button.

Use cases

Pin package versions in a registry to specific versions

In certain use-cases users may want to lock a package to a specific version, to disallow other versions of that package to be pulled from upstreams.

To block both older and new versions of a package, add a range to the definitions list, like:

react < 16.3.1 || > 16.3.1

This will allow only react@16.3.1, all other versions of the package will be blocked.

Users that want to lock ALL package versions in a registry should use Freeze policy instead.

Block a specific package

Block all versions of a package by adding a package name definition to the list without specifying any version. Useful when making sure certain packages (regardless of versions) are not added to the registry.

Block specific package versions or ranges

Block a specific package version or range of versions. Allowing users to make sure specific versions are not added to the registry.