The GitLab package registry supports different functionalities for each package type. This support includes publishing and pulling packages, request forwarding, managing duplicates, and authentication.
Supported package managers
Not all package manager formats are ready for production use.
The package registry supports the following package manager types:
You can also use the API to administer the package registry.
Publishing packages
Packages can be published to your project, group, or instance.
Pulling packages
Packages can be pulled from your project, group, or instance.
Forwarding requests
When a package is not found in your project’s package registry, GitLab can forward the request to the corresponding public registry. For example, Maven Central, npmjs, or PyPI.
The default forwarding behavior varies by package type and can introduce a dependency confusion vulnerability.
To reduce the associated security risks:
When package requests are forwarded to a public registry, deleting packages can introduce a dependency confusion vulnerability.
If a system tries to pull a deleted package, the request is forwarded to the public registry. If a package with the same name and version is found in the public registry, that package is pulled instead. There is a risk that the package pulled from the registry might not be what is expected, and could even be malicious.
To reduce the associated security risks, before deleting a package you can:
You can use GitLab pipelines to import packages from other repositories, such as Maven Central or Artifactory, with the package importer tool.
Allow or prevent duplicates
By default, the GitLab package registry either allows or prevents duplicates based on the default of that specific package manager format.
Authenticate with the registry
Authentication depends on the package manager you’re using. To learn what authentication protocols are supported for a specific package type, see Authentication protocols.
For most package types, the following authentication tokens are valid:
The following table lists which authentication tokens are supported for a given package manager:
Package type | Supported tokens
Maven (with mvn) | Personal access, job tokens, deploy (project or group), project access
Maven (with gradle) | Personal access, job tokens, deploy (project or group), project access
Maven (with sbt) | Personal access, job tokens, deploy (project or group), project access
npm | Personal access, job tokens, deploy (project or group), project access
NuGet | Personal access, job tokens, deploy (project or group), project access
PyPI | Personal access, job tokens, deploy (project or group), project access
Generic packages | Personal access, job tokens, deploy (project or group), project access
Terraform | Personal access, job tokens, deploy (project or group), project access
Composer | Personal access, job tokens, deploy (project or group), project access
Conan 1 | Personal access, job tokens, project access
Conan 2 | Personal access, job tokens, project access
Helm | Personal access, job tokens, deploy (project or group)
Debian | Personal access, job tokens, deploy (project or group)
Go | Personal access, job tokens, project access
Ruby gems | Personal access, job tokens, deploy (project or group)
When you configure authentication to the package registry:
403 Forbidden error when you interact with the package registry, even if you have the Owner role.
api.
The following authentication protocols are supported:
Supported hash types
Hash values are used to ensure you are using the correct package. You can view these values in the user interface or with the API.
The package registry supports the following hash types:
Package type | Supported hashes
Maven (with mvn) | MD5, SHA1
Maven (with gradle) | MD5, SHA1
Maven (with sbt) | MD5, SHA1
npm | SHA1
NuGet | not applicable
PyPI | MD5, SHA256
Generic packages | SHA256
Composer | not applicable
Conan 1 | MD5, SHA1
Conan 2 | MD5, SHA1
Helm | not applicable
Debian | MD5, SHA1, SHA256
Go | MD5, SHA1, SHA256
Ruby gems | MD5, SHA1, SHA256 (gemspec only)
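The deletion scenario from the forwarding section, combined with the hash check described above, as an added example (not GitLab code): a toy model of the lookup order in which a SHA256 value recorded before deletion rejects the package that a forwarded request would otherwise return. The package name, file contents and function names are constructed for illustration.

```python
import hashlib

# Constructed sample data: the package name, version and file bytes are made up.
PRIVATE = {("acme-billing", "1.4.0"): b"internal build of acme-billing 1.4.0"}
PUBLIC = {("acme-billing", "1.4.0"): b"unrelated upload reusing the same name and version"}

# SHA256 recorded while the internal package was still published
# (the hash table above lists SHA256 for PyPI and generic packages).
PINNED = {k: hashlib.sha256(v).hexdigest() for k, v in PRIVATE.items()}


def resolve(name, version, private, public, forwarding=True):
    """Model of the lookup order: project registry first, then the public
    registry when forwarding is on. Returns (source, data) or (None, None)."""
    key = (name, version)
    if key in private:
        return "private", private[key]
    if forwarding and key in public:
        return "public", public[key]
    return None, None


def verified_pull(name, version, private, public, pinned, forwarding=True):
    """Resolve a package and accept it only if its SHA256 matches the pin."""
    source, data = resolve(name, version, private, public, forwarding)
    if data is None:
        return {"status": "not-found", "source": None}
    expected = pinned.get((name, version))
    if expected is None or hashlib.sha256(data).hexdigest() != expected:
        return {"status": "rejected", "source": source}
    return {"status": "ok", "source": source}


def demo():
    key = ("acme-billing", "1.4.0")
    before = verified_pull(*key, PRIVATE, PUBLIC, PINNED)
    after_delete = dict(PRIVATE)
    del after_delete[key]  # the internal package is deleted from the registry
    forwarded = verified_pull(*key, after_delete, PUBLIC, PINNED)
    no_forward = verified_pull(*key, after_delete, PUBLIC, PINNED, forwarding=False)
    return before, forwarded, no_forward


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With forwarding on, the deleted package resolves from the public source and fails the pin; with forwarding off, the same request simply fails to resolve.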