NPM mirror
Mirror
Due to ongoing supply chain attacks in the NPM ecosystem, packages required to run semantic-release are audited and mirrored into this project.
Process
- Setup: create a .npmrc that points npm at the mirror registry:
.npmrc
//gitlab.arm.com/api/v4/projects/semantic-release%2fmirror/packages/npm/:_authToken="${GITLAB_TOKEN}"
registry=https://gitlab.arm.com/api/v4/projects/semantic-release%2fmirror/packages/npm/
- Mirror the packages:
export GITLAB_TOKEN="<token-with-api-scope>"
# jq -r prints the bare URL (without -r each value keeps its JSON quotes and npm publish fails on it);
# the root package entry has no "resolved", hence the null filter.
for PKG in $(jq -r '.packages[].resolved | select(. != null)' package-lock.json | sort -V | uniq); do
  npm publish --no-provenance --tag mirror "$PKG"
done
- Validate the packages have been mirrored:
npm i --cache=/tmp/cache --no-package-lock
(an empty cache and no lockfile force every tarball to be resolved from the registry in .npmrc, i.e. the mirror)