Automatically Rewrite External Dependencies

JFrog Artifactory Documentation


Packages requested by the Bower client frequently use external dependencies as defined in the package's bower.json file. These dependencies may, in turn, need additional dependencies. Therefore, when downloading a Bower package, you may not have full visibility into the full set of dependencies that your original package needs (whether directly or transitively). As a result, you are at risk of downloading malicious dependencies from unknown external resources. To manage this risk, and to maintain the best practice of consuming external packages through Artifactory, you can specify a "safe" whitelist of resources from which dependencies may be downloaded and cached in Artifactory, and configure Artifactory to rewrite the dependencies so that the Bower client accesses them through a virtual repository, as follows:

  • Check Enable Dependency Rewrite in the Bower virtual repository advanced configuration.

  • Specify the whitelist patterns of external resources from which dependencies may be downloaded.

  • Specify the remote repository in which those dependencies should be cached.

    It is preferable to configure a dedicated remote repository for that purpose so it is easier to maintain.

In the example below, the external dependencies will be cached in the "bower" remote repository, and only packages from https://github.com/jfrogdev are allowed to be cached.

(Figure: Bower virtual repository configuration example)

Rewriting Workflow

  1. When downloading a Bower package, Artifactory analyzes the list of dependencies needed by the package.

  2. If any of the dependencies are hosted on external resources (e.g. on github.com), and those resources are specified in the whitelist,

    1. Artifactory will download the dependency from the external resource.

    2. Artifactory will cache the dependency in the remote repository configured to cache the external dependency.

    3. Artifactory will then modify the dependency's entry in the package's package.json file, indicating its new location in the Artifactory remote repository cache, before returning it to the Bower client.

  3. Consequently, every time the Bower client needs to access the dependency, it will be provisioned from its new location in the Artifactory remote repository cache.
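To make the workflow above concrete, here is an added illustration (not Artifactory's own code) that models the three steps on a bower.json manifest: each external dependency URL is checked against the whitelist patterns, matching entries are rewritten to point at the remote repository cache, and non-matching entries are reported so they can be reviewed. The sample manifest, the whitelist, the Artifactory base URL, the repository name and the cache path layout are all assumptions constructed for this example.

```python
import fnmatch
import json
from urllib.parse import urlsplit

# Constructed sample bower.json: two dependencies from the whitelisted
# GitHub organisation and one from an unknown external host.
SAMPLE_BOWER_JSON = json.dumps({
    "name": "mypackagetest",
    "dependencies": {
        "jquery": "https://github.com/jfrogdev/jquery-mirror/archive/3.6.0.tar.gz",
        "lodash": "git://github.com/jfrogdev/lodash-mirror.git#4.17.21",
        "unknown-lib": "https://example.invalid/unknown-lib/archive/1.0.0.tar.gz",
    },
})

# Hypothetical whitelist patterns and Artifactory layout (assumptions for this example).
WHITELIST = ["https://github.com/jfrogdev/*", "git://github.com/jfrogdev/*"]
ARTIFACTORY_BASE = "https://artifactory.example.invalid/artifactory"
REMOTE_REPO = "bower-remote-cache"


def is_whitelisted(url, patterns):
    """True if the dependency URL, with any '#version' suffix removed, matches a whitelist pattern."""
    bare = url.split("#", 1)[0]
    return any(fnmatch.fnmatchcase(bare, p) for p in patterns)


def rewrite_dependency(url, base, repo):
    """Map an external dependency URL to its assumed location in the remote repository cache.

    The cache path keeps the upstream host and path so different sources never collide
    (an assumed layout, not Artifactory's documented one). The version suffix is preserved.
    """
    bare, _, version = url.partition("#")
    parts = urlsplit(bare)
    cached = f"{base}/{repo}/{parts.netloc}{parts.path}"
    return f"{cached}#{version}" if version else cached


def rewrite_bower_json(text, patterns, base, repo):
    """Apply the rewrite workflow to a bower.json document.

    Returns (manifest, rewritten, not_rewritten): the updated manifest dict, the names of
    dependencies now served from the cache, and the names left pointing at external hosts
    because they matched no whitelist pattern (these are the ones to review).
    """
    manifest = json.loads(text)
    rewritten, not_rewritten = [], []
    for name, spec in manifest.get("dependencies", {}).items():
        if "://" not in spec:
            continue  # registry name or shorthand, not an external URL
        if is_whitelisted(spec, patterns):
            manifest["dependencies"][name] = rewrite_dependency(spec, base, repo)
            rewritten.append(name)
        else:
            not_rewritten.append(name)
    return manifest, rewritten, not_rewritten


if __name__ == "__main__":
    manifest, ok, review = rewrite_bower_json(SAMPLE_BOWER_JSON, WHITELIST, ARTIFACTORY_BASE, REMOTE_REPO)
    print(json.dumps(manifest["dependencies"], indent=2))
    print("rewritten to cache:", ok)
    print("still external, review:", review)
```

Running the block rewrites jquery and lodash to the assumed cache URLs and reports unknown-lib as still pointing at an external host; the value of the whitelist is exactly that such entries stand out instead of being fetched silently.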

Using the Bower Shorthand Resolver

When running bower install on a bower.json file that is hosted on your local machine, you need to define a custom template in the .bowerrc file by adding the following line.

"shorthand-resolver": "art://{{owner}}/{{package}}"

From version v4.11, for Bower packages downloaded from remote repositories, Artifactory supports resolving dependencies that are specified using the Bower shorthand resolver for dependencies hosted on GitHub. Use of the shorthand resolver is reflected in the Bower install output: dependencies resolved this way are prefixed with $$$art-shorthand-resolver$$$. For example:

bower mypackagetest#$$$art-shorthand-resolver$$$-<username>-mypackagetest-master.tar.gz       not-cached art://<username>/mypackagetest#$$$art-shorthand-resolver$$$-<username>-mypackagetest-master.tar.gz
bower mypackagetest#$$$art-shorthand-resolver$$$-<username>-mypackagetest-master.tar.gz       resolve    art://<username>/mypackagetest#$$$art-shorthand-resolver$$$-<username>-mypackagetest-master.tar.gz
bower mypackagetest#$$$art-shorthand-resolver$$$-<username>-mypackagetest-master.tar.gz       resolved   art://<username>/mypackagetest#$$$art-shorthand-resolver$$$-<username>-mypackagetest-master.tar.gz