Interopability with Verdaccio

[fraxken]

On the occasion of Tel Aviv (NodeTLV) I had the opportunity to meet the maintainer of the Verdaccio project.

We discussed around a lot of ideas and common interest for our tools.

Being able to use the NodeSecure interface within verdaccio could be quite nice for example. But I think it does not stop there, there are probably even requirements on the API side where verdaccio packages could exploit some of our API like vulnera.

Research on Verdaccio packages may be needed to better understand their needs. The idea here is to improve NodeSecure to allow a better use by third party tools and developers.

[juanpicado]

Hello my friend :)

I've been checking your latest features, I've see noticable changes since Israel that's great, once thing I have noticed but before I didn't know (or maybe didn't exist ) you don't need the lock file anymore, just like nsecure auto verdaccio which seem under the hood all you need is just fetch from a registry (that's what I understood from the source code) I see the UI just fetch the same file I see on the root the nsecure-result.json so I think this could happen between verdaccio server and verdaccio UI somehow.

I would like your point of view, how would you imagine this happen?

[fraxken]

Hello @juanpicado 👋

I didn't make as much progress as I would have liked 😞 (but I invested my time on new contributors so it will pay off 😊).

---

nsecure auto verdaccio use the Scanner from API which doesn't rely on package-lock.json or node_modules.

The content of nsecure-result.json is basically the API response of the following code

import * as scanner from "@nodesecure/scanner";

const payload = await scanner.from("verdaccio");
console.log(payload); // <- what we inject/use in the Web UI

---

My idea was to manage to separate our Web UI from the CLI to use it independently (it would be possible knowing that globally it is Vanilla.js).

And I thought that it would be potentially injectable in Verdaccio (like a plugin or something like that?).

Overall it would be:

1. Fetch payload with the Scanner
2. Store it on the system (to avoid fetching it 10x times).
3. Open it with the Web UI

What do you think?