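// Key points: an internal `@scope` maps to the private registry and any public
// fallback is forbidden; the resolution order is strictly fixed. Resolution
// results must agree with policy; anomalies block the build and are audited.
//
// Implementation example

/** Map from a package scope (e.g. `@acme`) to the registry URL it must resolve from. */
type ScopeMap = { [scope: string]: string }

/** Origins that count as private; scoped packages must be pinned to one of these. */
const privateOrigins = new Set<string>(['https://registry.example.com'])
/** Origins that count as public; the first entry is the default for unscoped packages. */
const publicOrigins = new Set<string>(['https://registry.npmjs.org'])

/**
 * Extracts the origin (scheme + host + port) of a URL.
 *
 * @param u - A URL string.
 * @returns The origin, or `null` when `u` is not a parseable URL or has an
 *   opaque origin (e.g. `file:`), which the URL API reports as the literal
 *   string `'null'` and which must never be accepted as a registry origin.
 */
function origin(u: string): string | null {
  let parsed: URL
  try {
    parsed = new URL(u)
  } catch {
    return null
  }
  // Non-special schemes give origin === 'null' (a string); treat that as no origin.
  return parsed.origin === 'null' ? null : parsed.origin
}

/**
 * Decides which registry URL a package must resolve from.
 *
 * @param name - The package name, scoped (`@scope/pkg`) or unscoped.
 * @param map - Scope-to-registry policy.
 * @returns The mapped registry for a scoped name (`null` when the scope is not
 *   in `map`, so an unmapped internal scope fails closed rather than falling
 *   back to a public registry); for unscoped names, the first public origin.
 */
function decideRegistry(name: string, map: ScopeMap): string | null {
  if (name.startsWith('@')) {
    const slash = name.indexOf('/')
    const scope = slash === -1 ? name : name.slice(0, slash)
    const reg = map[scope]
    return reg || null
  }
  // `?? null` keeps the declared return type under noUncheckedIndexedAccess.
  return Array.from(publicOrigins)[0] ?? null
}

/**
 * Checks a resolved package URL against the scope policy.
 *
 * @param name - The package name.
 * @param resolved - The URL the package was actually resolved from.
 * @param map - Scope-to-registry policy.
 * @returns `ok` plus the list of policy violations:
 *   - `'resolve'`: `resolved` is not a usable URL, or no policy exists for the name;
 *   - `'expect'`: the policy's registry URL is itself unusable;
 *   - `'scope-private'`: a scoped package is mapped to a non-private origin;
 *   - `'mismatch'`: the actual origin differs from the expected origin.
 */
function enforce(name: string, resolved: string, map: ScopeMap): { ok: boolean; errors: string[] } {
  const errors: string[] = []
  const actual = origin(resolved)
  const expected = decideRegistry(name, map)
  if (!actual || !expected) {
    // Fail closed: unparseable resolution or unmapped scope is a violation.
    errors.push('resolve')
  } else {
    const expectedOrigin = origin(expected)
    if (!expectedOrigin) {
      errors.push('expect')
    } else {
      // A scoped package may only be pinned to a private origin ...
      if (name.startsWith('@') && !privateOrigins.has(expectedOrigin)) errors.push('scope-private')
      // ... and the origin it actually resolved from must match exactly.
      if (expectedOrigin !== actual) errors.push('mismatch')
    }
  }
  return { ok: errors.length === 0, errors }
}

// Audit and CI gate: the audit record contains the package name, the expected
// origin and the actual origin; a mismatch blocks the build and emits the
// evidence. Internal scopes must never resolve to a public registry; policy
// changes require approval and review.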
