Have you ever felt like you're building
this awesome thing with software,
but all your tools are just kinda scattered
all over the place?
Yeah, I know exactly what you mean.
You're like pulling bits and pieces from here and there.
It's a mess.
It gets confusing really fast.
For sure.
Well today, we're diving into something
that can help you organize all that chaos.
Ooh, that sounds good.
And keep your software building blocks
right where you need them.
I like that, like Legos all organized nice and neat.
Exactly.
Yeah.
We're talking about Verdaccio.
Think of it as your own little software package warehouse.
Ah, that's a great analogy.
A place to keep and manage all those digital tools
you need for your projects.
Before we get into it though,
big thanks to Safe Server for supporting this deep dive.
They provide hosting for Verdaccio
and offer digital transformation consulting.
I didn't know that.
You can find more about them at www.safeserver.de.
Cool.
So back to Verdaccio.
Our mission today is pretty straightforward.
Okay.
To explain what Verdaccio is in simple terms
and why it might be super useful for you.
Makes sense.
Especially if you're new to software development
or working on projects
that use multiple different pieces of software.
Yeah, those dependencies can be a real headache.
Exactly.
To get to the bottom of it,
we'll be looking at Verdaccio's own documentation
and their GitHub page.
Great resources.
Let's jump in.
All right, so first things first.
What exactly is Verdaccio?
Well, technically it's described as a lightweight
Node.js private proxy registry.
Okay, so a lot of technical terms
all smashed together there.
Can we break that down a little?
Absolutely, let's start with lightweight.
Basically it means it's easy to get up and running.
I like easy.
Doesn't require a big complex database setup
right out of the gate.
Think of it like starting small and simple.
Perfect for beginners.
Nobody wants to be overwhelmed with configuration
before they even get started.
Exactly.
Then we have Node.js.
That's a technology that lets developers use JavaScript
for backend stuff.
Right, JavaScript, the language of the web.
Exactly.
And because so many modern web tools
rely on JavaScript and this thing called NPM
to manage their different parts.
NPM, as in the package manager.
Yes, that one.
So Verdaccio being built with Node.js
fits right into that ecosystem.
It speaks the same language.
Exactly.
OK.
And private, I'm guessing that's about keeping things
for ourselves, right?
Precisely.
Private means you can store your own software packages,
like code you've written specifically
for your company or a project.
And you keep all that in your own Verdaccio warehouse
separate from the public internet.
So it's like having your own little private library just
for your team's books.
I like that analogy.
Yes.
And then finally, we have proxy registry.
All right, that one sounds a bit more complicated.
It's not too bad.
Think of a registry in the software world
as a giant catalog.
Where all sorts of software packages are listed.
You can find what you need there.
The biggest public one for JavaScript is called npmjs.org.
Right, I've definitely seen that name floating around.
Yeah, so Verdaccio acts as a proxy,
which means it sits between you and these public registries.
Kind of like a middleman.
Exactly.
When you need a software package, you ask Verdaccio first.
Like a personal shopper?
It checks if you have that package stored
in your own private warehouse.
And if not, it goes out to that public registry.
The big public library.
Gets the package for you and brings it back.
Oh, I see.
That's pretty clever.
So it can help me find stuff, whether it's my own tools
or those public ones.
Exactly.
One stop shop.
That makes a lot of sense.
The documentation also mentions something
called zero config required.
Is that as amazing as it sounds?
Oh, yeah.
That's a big plus.
Verdaccio is designed to be super easy to get started with.
It comes with its own small, built-in storage.
That's awesome.
So as soon as you install it, you
don't need to worry about setting up any additional databases
or complex systems.
That's a huge time saver.
You can just start using it right away.
Precisely.
And speaking of getting things quickly,
since Verdaccio is acting as this proxy registry,
how does it handle actually getting those public packages?
So imagine this.
When Verdaccio goes out to a public registry like npmjs.org
and fetches a package you need, it also makes a copy of it.
And stores that copy locally in your warehouse,
this is called caching.
So basically it's like holding onto a spare just in case.
Exactly.
So the next time you need that same package,
Verdaccio doesn't have to go out to the internet again.
It can just hand you that local copy it already has.
And that speeds things up.
Significantly.
Especially if you or your team frequently
use the same packages over and over again.
So it's like having the most popular books
from the library already on your shelf at home.
Exactly.
No need to go all the way to the library every time.
Love it.
But there's also another really useful aspect
to this caching thing.
Great.
Oh, yeah.
The GitHub page actually talks about how sometimes packages
on public registries can just disappear.
Like poof, gone.
Or they might have issues.
So things break.
Things can break.
But if Verdaccio already has a cached copy, you're protected.
Your project won't suddenly stop working because a package
vanished from the internet.
That's a huge relief.
It's like having a backup plan for your software tools.
Exactly.
Peace of mind. I like that.
So just to recap, we've got private packages.
It acts as a go-between for other registries
and keeps copies of things just in case.
Those are the main things Verdaccio does, right?
That's a great summary.
So why would someone actually use Verdaccio?
Well, there are a few really compelling reasons.
The first, as we already discussed,
is for private packages.
If you're working on code that's specific to your company
or a project and you want to keep it under wraps.
Makes sense.
Verdaccio lets you use familiar tools like NPM
to manage and share that code privately.
Only within your team.
Exactly.
It's like having your own app store just
for your internal tools.
Yeah.
I could see how that'd be really useful for keeping
sensitive work secure.
Absolutely.
And you also mentioned earlier that it can connect
to other registries too.
Right.
Why is that helpful?
So sometimes organizations might be
using different sources for their software packages.
Maybe they have some internal private registries in addition
to those big public ones.
Verdaccio can act like a single entry point
to all of these different places.
So I don't have to go hunting around for stuff.
Exactly.
Instead of your developers having
to configure their systems to look in multiple locations,
they can just point everything to Verdaccio.
And it takes care of the rest.
It simplifies things dramatically.
One central hub for everything.
Much easier to manage.
For sure.
We also talked about caching and how it speeds things up
and provides that extra safety net.
Right.
Any other reasons to use Verdaccio?
Yes.
Actually, there's one more pretty neat use case.
Imagine you find a small bug in a public software package.
Or you want to tweak it slightly before the original creators
release an update.
OK.
With Verdaccio, you can actually download that package,
make your change, and then publish your modified version
locally.
Wow.
That's pretty powerful.
You're in control.
You have the power.
You don't have to wait for someone else to fix it for you.
Exactly.
So it seems like Verdaccio gives you a lot more control
over your software dependencies.
It does.
But who actually uses Verdaccio?
Is this just a tool for big companies,
or can anyone benefit from it?
Definitely not just for big companies.
It's used by a really diverse range of people and projects,
because it supports all the popular JavaScript package
managers, like npm, Yarn and pnpm.
So pretty much anyone working with JavaScript.
Yeah, it fits right in.
And for teams that use tools like Docker for packaging
applications and Kubernetes for managing them,
more advanced stuff.
Verdaccio has special support that
makes integration a breeze.
So it can scale with you as your projects grow.
Absolutely.
Now, I was looking at the documentation,
and there was a really long list of well-known projects
and companies that use Verdaccio.
I was really surprised by some of the names on there.
It is quite a list.
It includes projects like Inksp and pnpm itself, Vendor
Create React App.
That's a popular one.
It is.
A lot of people use that to get started with web development.
Also, Angular CLI, Storybook, Grafana, Gatsby, Babel.js,
Docusaurus, Vue CLI, UPI, and many others.
It's a really wide range.
Big names, small names, everything in between.
It really shows that Verdaccio is a trusted and reliable tool
used across different areas of software development.
And it's not just for building software.
It also mentions some projects use Verdaccio
for testing their software.
Oh, yeah.
That's another great use case, because Verdaccio
is so lightweight and can be set up quickly.
It's perfect for creating these isolated testing environments.
Precisely.
Projects like Create React App, Mozilla Neutrino, pnpm,
Storybook, Babel.js, Angular CLI, Docusaurus.
They all use it to check how their software interacts
with different package versions without messing
with their main development setup.
Right.
You don't want to break things while you're testing.
Exactly.
And it helps them ensure their testing
is consistent and reliable.
So Verdaccio helps guarantee that their software will work
correctly no matter what.
In a controlled environment, yes.
Very cool.
So let's say someone listening to this is intrigued
and wants to give Verdaccio a try.
How do they actually get started?
Well, the first thing you need is
to have Node.js version 18 or newer installed
on your computer.
OK.
Node.js version 18 or newer.
Got it.
What's next?
You can install Verdaccio using the same tool
you use for managing other JavaScript packages.
Usually, this would be npm.
Makes sense.
The command is npm install -g verdaccio@next-8.
OK.
npm install -g verdaccio@next-8.
The -g indicates you're installing it globally,
so you can run it from anywhere on your system.
OK.
And @next-8 ensures you're getting the latest
and greatest version.
Now, if you prefer Yarn, the command
would be yarn global add verdaccio@next-8.
And for pnpm, it's pnpm i -g verdaccio@next-8.
So you've got options.
Exactly.
Choose your weapon.
What if I'm a Docker person?
For Docker enthusiasts, there's an official image
readily available.
The command to pull it down is docker pull
verdaccio/verdaccio:nightly-master.
This lets you run Verdaccio neatly within a container.
Which is super convenient for certain setups.
It is.
And for those operating at an even larger scale
with Kubernetes, there's a Helm chart available as well.
So Verdaccio's got you covered no matter how you like to work.
Pretty much.
But once I've got it installed, how do I actually
get Verdaccio running?
Oh, it's incredibly straightforward.
You just open up your terminal or command prompt
and type in verdaccio.
That's it.
That's it.
Hit Enter, and you're off to the races.
That is surprisingly easy.
So it's running in the background now.
But how do I actually use it with my projects?
By default, Verdaccio runs on a specific web
address on your computer.
It's http://localhost:4873.
OK, I'm writing that down.
To tell your NPM projects to use your local Verdaccio instead
of the public NPM registry, you can run a command
in your terminal.
It's npm set registry http://localhost:4873.
So I'm basically saying, hey, NPM, when I need a package
or I want to share one, look at this address on my computer
first.
Precisely.
And if you want to use Verdaccio just for a specific command
without changing your default settings,
you can also do it like this.
NPM_CONFIG_REGISTRY=http://localhost:4873 npm install package name.
This instructs NPM to use your local registry just
for that one particular installation.
Handy for testing things out.
Exactly.
You also mentioned a web interface earlier.
How do I see that?
If you open up your web browser and navigate
to http://localhost:4873, you'll be greeted by a simple web page.
OK.
It displays all the packages currently residing
in your local Verdaccio registry.
You can even search for specific packages right there.
So it's a nice visual way to manage my software warehouse.
Exactly.
Drag and drop.
I like it.
All right, so we've covered what Verdaccio is,
why you'd want to use it, who's using it,
and how to get started.
What are some of the key things you can actually
do with it once it's up and running?
Well, you can do all the essential things you would
expect from a package registry.
You can install packages into your projects
using commands like npm install package name.
And you can publish your own custom packages
to your private registry using npm publish.
So the fundamental actions are covered.
What about more fine-grained control?
Verdaccio also offers a variety of advanced features.
You can unpublish packages if you need to.
Be careful with that one.
Yes, definitely use caution.
Rewind button doesn't always work.
Not in this case.
But you can also add tags to specific versions
of your packages using npm dist-tag.
And you can even mark older packages as deprecated
to let users know they should probably avoid using them.
So like a little warning sign?
Precisely.
Proceed with caution.
I like it.
It's good to know you have that level of control
over your packages.
But what about keeping things secure
and managing who can access what?
So Verdaccio has you covered there as well.
For user management, you can register new users,
allow them to change their passwords,
and manage the special tokens they use for secure login.
It also integrates with security tools like npm audit and yarn
audit.
These tools can help you find and address potential security
vulnerabilities hiding within the packages
that your project depends on.
Very important.
You don't want any nasty surprises sneaking in.
Exactly.
Better safe than sorry.
Security is always top of mind.
Are there any other handy features
that we haven't talked about yet?
Yeah, there are a couple other things.
It has built-in search functionality,
so you can easily find packages within your registry,
either through the command line or that web
interface we talked about.
Love a good search bar.
Of course.
It also has a very simple ping command you can use.
Ping.
Yeah, you can ping the server just
to check that your Verdaccio server is up and running
and responding correctly.
Just make sure it's alive.
Exactly.
And while it might be less relevant for a private
registry, it even supports starring and unstarring
packages.
Just like on GitHub.
I like it.
So it sounds like it covers pretty much all the bases,
the essentials, and then some nice extras on top.
I'd say so.
Now, we should mention that Verdaccio is open source, right?
Yes, it is.
So what about getting help or contributing to the project?
Well, it's a community-driven project
run entirely by volunteers.
They gladly welcome donations to support their efforts.
That's awesome.
They have a really comprehensive set of documentation
available online.
Always helpful.
They also have a blog, a community forum,
where you can ask questions and get help.
And they even have recordings of past talks and presentations
about Verdaccio.
Nice.
So plenty of resources available if you get stuck
or want to learn more.
Absolutely.
And if you happen to stumble upon any security
vulnerabilities, they have a very clear process
for reporting them.
Responsible disclosure.
Good.
Exactly.
And it's worth mentioning that several companies
like JetBrains, Crowdin, BrowserStack, Netlify, Algolia,
and Docker provide free licenses for their tools and services
to the Verdaccio team.
Wow, so they're getting some good support.
Yes, they are, which is fantastic.
It helps keep the project running smoothly.
That's great to see.
It really highlights that spirit of collaboration
in the open source community.
So to wrap things up, what's the one key takeaway
someone listening should remember about Verdaccio?
I'd say the main takeaway is that Verdaccio offers
this really straightforward way to set up
your own local software package warehouse.
This lets you manage your private code securely,
which is super important.
It also speeds up your development workflow
by caching public packages.
You don't have to go download them every time.
Exactly.
You get more control, more reliability
without the complexity of a full-blown enterprise
grade registry system.
It's like that perfect sweet spot.
It is.
And it's especially useful for anyone working with JavaScript,
from those just starting out to seasoned veterans leading
larger teams.
Absolutely.
It sounds like a fantastic tool for anyone
who wants to bring a bit more organization, speed and control
to their software development process
without needing to become a server expert.
Couldn't have said it better myself.
Well, listeners, we hope this deep dive has
shed some light on Verdaccio and how it can help you streamline
your development workflow.
Think about how having your own personalized software toolkit
right at your fingertips could simplify your projects
and boost your confidence in your development process.
And potentially save you a lot of headaches down the road.
Big thanks again to Safe Server for supporting this deep dive.
For all your software hosting needs and expert advice
on digital transformation, be sure to check them out
at www.safeserver.de.
They know their stuff.
Keep those dependencies organized.
Keep those dependencies organized.