Unlisted packages

[j3k0]

I would find it nice to be able to publish packages to a repository, but exclude them from search results. For private packages that one has no interest in promoting, that nobody except people in the organization will be able to install.

User-facing solution would be to add a field to package.json. "listed": false.

---

Some background.

I'm setting up a "private" apm repository for my company, it needs to be reachable from the internet for people working from home. Most packages will be private. I'd rather not allow random people to search our internal database of packages (even though they can't download).

---

Alternatively, it could be solved by allowing apm repositories to be password protected? We could add an apm auth token to all requests to the repo, like for github. The solution could be even more generic, allow to define per-domain authorization headers in .apm_config:

{
  "http_authorization": {
    "https://api.github.com/": "token ghp_myveryowngithubtoken",
    "https://private.domain.com/": "Basic YWxhZGRpbjpvcGVuc2VzYW1l",
  }
}

[marchbold]

Yeah I think this should be handled via authentication rather than making packages invisible.