11 KiB
stage | group | info |
---|---|---|
Package | Package Registry | To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments |
Supported package functionality
The GitLab Package Registry supports different functionalities for each package type. This support includes publishing and pulling packages, request forwarding, managing duplicates, and authentication.
Publishing packages (FREE)
Packages can be published to your project, group, or instance.
Package type | Project | Group | Instance |
---|---|---|---|
Maven | Y | N | N |
npm | Y | N | N |
NuGet | Y | N | N |
PyPI | Y | N | N |
Generic packages | Y | N | N |
Terraform | Y | N | N |
Composer | N | Y | N |
Conan | Y | N | N |
Helm | Y | N | N |
Debian | Y | N | N |
Go | Y | N | Y |
Ruby gems | Y | N | N |
Pulling packages (FREE)
Packages can be pulled from your project, group, or instance.
Package type | Project | Group | Instance |
---|---|---|---|
Maven | Y | Y | Y |
npm | Y | Y | Y |
NuGet | Y | Y | N |
PyPI | Y | Y | N |
Generic packages | Y | N | N |
Terraform | N | Y | N |
Composer | Y | Y | N |
Conan | Y | N | Y |
Helm | Y | N | N |
Debian | Y | N | N |
Go | Y | N | Y |
Ruby gems | Y | N | N |
Forwarding requests (PREMIUM)
Requests for packages not found in your GitLab project are forwarded to the public registry. For example, Maven Central, npmjs, or PyPI.
Package type | Supports request forwarding |
---|---|
Maven | Yes (disabled by default) |
npm | Yes |
NuGet | N |
PyPI | Yes |
Generic packages | N |
Terraform | N |
Composer | N |
Conan | N |
Helm | N |
Debian | N |
Go | N |
Ruby gems | N |
Deleting packages
When package requests are forwarded to a public registry, deleting packages can be a dependency confusion vulnerability.
If a system tries to pull a deleted package, the request is forwarded to the public registry. If a package with the same name and version is found in the public registry, that package is pulled instead. There is a risk that the package pulled from the registry might not be what is expected, and could even be malicious.
To reduce the associated security risks, before deleting a package you can:
- Verify the package is not being actively used.
- Disable request forwarding:
- Instance administrators can disable forwarding in the Continuous Integration section of the Admin Area.
- Group owners can disable forwarding in the Packages and Registries section of the group settings.
Allow or prevent duplicates (FREE)
By default, the GitLab package registry either allows or prevents duplicates based on the default of that specific package manager format.
Package type | Duplicates allowed? |
---|---|
Maven | Y (configurable) |
npm | N |
NuGet | Y |
PyPI | N |
Generic packages | Y (configurable) |
Terraform | N |
Composer | N |
Conan | N |
Helm | Y |
Debian | Y |
Go | N |
Ruby gems | Y |
Authentication tokens (FREE)
GitLab tokens are used to authenticate with the GitLab Package Registry.
The following tokens are supported:
Package type | Supported tokens |
---|---|
Maven | Personal access, job tokens, deploy (project or group), project access |
npm | Personal access, job tokens, deploy (project or group), project access |
NuGet | Personal access, job tokens, deploy (project or group), project access |
PyPI | Personal access, job tokens, deploy (project or group), project access |
Generic packages | Personal access, job tokens, deploy (project or group), project access |
Terraform | Personal access, job tokens, deploy (project or group), project access |
Composer | Personal access, job tokens, deploy (project or group), project access |
Conan | Personal access, job tokens, project access |
Helm | Personal access, job tokens, deploy (project or group) |
Debian | Personal access, job tokens, deploy (project or group) |
Go | Personal access, job tokens, project access |
Ruby gems | Personal access, job tokens, deploy (project or group) |
Authentication protocols (FREE)
The following authentication protocols are supported:
Package type | Supported auth protocols |
---|---|
Maven | Headers |
npm | OAuth |
NuGet | Basic auth |
PyPI | Basic auth |
Generic packages | Basic auth |
Terraform | Token |
Composer | OAuth |
Conan | OAuth, Basic auth |
Helm | Basic auth |
Debian | Basic auth |
Go | Basic auth |
Ruby gems | Token |
Supported hash types (FREE)
Hash values are used to ensure you are using the correct package. You can view these values in the user interface or with the API.
The Package Registry supports the following hash types:
Package type | Supported hashes |
---|---|
Maven | MD5, SHA1 |
npm | SHA1 |
NuGet | not applicable |
PyPI | MD5, SHA256 |
Generic packages | SHA256 |
Composer | not applicable |
Conan | MD5, SHA1 |
Helm | not applicable |
Debian | MD5, SHA1, SHA256 |
Go | MD5, SHA1, SHA256 |
Ruby gems | MD5, SHA1, SHA256 (gemspec only) |