核心要点

内部 `@scope` 映射到私库且禁止公共回退;解析顺序严格固定。解析结果需与策略一致;异常阻断并审计。

实现示例

type ScopeMap = { [scope: string]: string }
/** Origins allowed to serve internal `@scope` packages. */
const privateOrigins: Set<string> = new Set(['https://registry.example.com'])
/** Public origins; only unscoped packages are expected to resolve here. */
const publicOrigins: Set<string> = new Set(['https://registry.npmjs.org'])
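/**
 * Normalises a registry/tarball URL to its origin (scheme + host + port).
 *
 * @param u - candidate URL string, typically the resolved source of a package.
 * @returns the origin, or `null` when `u` does not parse or has no comparable
 *   origin. Non-special schemes (e.g. `file:`, `git+ssh:`) serialise their
 *   opaque origin as the literal string `"null"`; that string is truthy and
 *   would otherwise flow into the caller's equality checks as if it were a
 *   real origin, so it is mapped to `null` here.
 */
function origin(u: string): string | null {
  let parsed: URL
  try {
    parsed = new URL(u)
  } catch {
    return null
  }
  // Opaque origins serialise as the string "null"; reject them explicitly.
  return parsed.origin === 'null' ? null : parsed.origin
}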
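/**
 * Picks the registry a package is expected to come from.
 *
 * Scoped names (`@scope/pkg`) must have an explicit, non-empty entry in
 * `map`; there is deliberately no fallback to a public registry for them.
 * Unscoped names resolve to the single configured public origin.
 *
 * @param name - full package name, e.g. `@acme/ui` or `lodash`.
 * @param map - scope → registry URL mapping.
 * @returns the expected registry URL, or `null` when a scoped package has
 *   no usable mapping (the caller must block the install).
 */
function decideRegistry(name: string, map: ScopeMap): string | null {
  if (!name.startsWith('@')) {
    // `?? null` keeps the declared return type honest under
    // noUncheckedIndexedAccess: `[0]` is `string | undefined`, never `null`.
    return Array.from(publicOrigins)[0] ?? null
  }
  // The scope is everything before the first '/'; a bare '@scope' keeps itself.
  const scope = name.split('/')[0] ?? ''
  const reg = map[scope]
  // An empty string is treated as "unmapped", same as a missing key.
  return reg ? reg : null
}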
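/**
 * Checks that the origin a package actually resolved to matches the policy.
 *
 * All applicable error codes are collected, not just the first:
 * - `resolve`       – `resolved` has no usable origin, or `name` is a scoped
 *                     package with no registry mapping (no public fallback).
 * - `expect`        – the mapped registry URL itself is not a valid origin
 *                     (a configuration error in `map`).
 * - `scope-private` – a scoped package is mapped to a non-private origin.
 * - `mismatch`      – the actual origin differs from the expected one.
 *
 * @param name - full package name.
 * @param resolved - URL the package was actually resolved from.
 * @param map - scope → registry mapping.
 * @returns `ok` plus the error codes; `expected` and `actual` carry the
 *   normalised origins (or `null`) so the caller can record them as audit
 *   evidence alongside the package name.
 */
function enforce(
  name: string,
  resolved: string,
  map: ScopeMap,
): { ok: boolean; errors: string[]; expected: string | null; actual: string | null } {
  const errors: string[] = []
  const actual = origin(resolved)
  const expectedUrl = decideRegistry(name, map)
  // Computed up front (pure) so it can be returned as evidence even on failure.
  const expected = expectedUrl ? origin(expectedUrl) : null
  if (!actual || !expectedUrl) {
    errors.push('resolve')
  } else if (!expected) {
    errors.push('expect')
  } else {
    if (name.startsWith('@') && !privateOrigins.has(expected)) errors.push('scope-private')
    if (expected !== actual) errors.push('mismatch')
  }
  return { ok: errors.length === 0, errors, expected, actual }
}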
审计与CI门禁

审计记录包含包名、期望与实际来源;不一致阻断并输出证据。禁止内部作用域解析到公共注册表;变更需审批与复核。
