Let operators configure a list of package-name patterns per ecosystem that the proxy will refuse to serve, returning 404 before any upstream request is made.
The main use case is dependency-confusion defence: if your internal packages live under @mycompany/* or com.mycompany.**, you don't want a request for those names to ever reach the public registry. It also works as a kill switch for packages you've decided nobody should install.
filter:
  exclude:
    npm: ["@internal/*"]
    maven: ["com/mycompany/**"]
This is the same idea as Artifactory's exclude patterns and Nexus routing rules. It's independent of advisory-based blocking and doesn't need any database lookups.
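A sketch of the matching step, added here as an illustration and not taken from the proxy's code. It assumes `*` stays inside one `/`-separated segment and `**` crosses segments, and that names are canonicalised before matching so an encoded npm scope (`@internal%2Ffoo`) or a Maven `groupId:artifactId` coordinate hits the same rule; `is_excluded`, `handle` and `fetch_upstream` are hypothetical names.

```python
import re
from urllib.parse import unquote

# Constructed config mirroring the YAML in the proposal.
EXCLUDE = {"npm": ["@internal/*"], "maven": ["com/mycompany/**"]}

def compile_pattern(pattern):
    """Glob to regex. Assumed semantics: '*' = one segment, '**' = any depth."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

COMPILED = {eco: [compile_pattern(p) for p in pats] for eco, pats in EXCLUDE.items()}

def normalize(ecosystem, name):
    """Canonicalise the package name so alternate spellings cannot skip the filter."""
    name = unquote(name)  # npm clients request scoped packages as @scope%2fname
    if ecosystem == "npm":
        return name.lower()  # conservative for a deny list (assumption)
    if ecosystem == "maven" and ":" in name:
        group, rest = name.split(":", 1)  # groupId:artifactId -> repository path form
        return group.replace(".", "/") + "/" + rest.replace(":", "/")
    return name

def is_excluded(ecosystem, name):
    canon = normalize(ecosystem, name)
    # fullmatch: "@internal/*" must not also catch "@internal-tools/foo"
    return any(rx.fullmatch(canon) for rx in COMPILED.get(ecosystem, []))

def handle(ecosystem, name, fetch_upstream):
    """Return (status, body); fetch_upstream is never called for excluded names."""
    if is_excluded(ecosystem, name):
        return 404, b""
    return 200, fetch_upstream(ecosystem, name)
```

The check runs on the package name already extracted from the request path, so the decision is made before any upstream lookup and needs no database.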