Verdaccio complaining about secret key length
Verdaccio
6
Posts
2
Posters
196
Views
2
Watching
-
@philkunz is that a warning or does it refuse to start?
-
There seems to be a /app/data/.verdaccio-db.json which has a secret. Maybe change this to some 32 char value? This file is managed by verdaccio and not generated by the package.
-
ok, the information is here - https://github.com/verdaccio/verdaccio/blob/master/website/versioned_docs/version-6.x/config.md?plain=1#L46 . we updated the app to use node 22
For users who have been using Verdaccio for an extended period and the `.verdaccio-db` file already exist the secret may be **64 characters** long. However, for newer installations, the length will be generated as **32 characters** long. If the secret length is **64 characters** long: - For users running Verdaccio 5.x on **Node.js 22** or higher, **the application will fail to start** if the secret length **is not** 32 characters long. - For users running Verdaccio 5.x on **Node.js 21** or lower, the application will start, but it will display a deprecation warning at the console. #### How to upgrade the token secret at the storage? :warning: **If the secret is updated will invalidate all previous generated tokens.** ##### Option 1: Manually Go to the [storage location](cli.md) and edit manually the secret to be 32 characters long. ##### Option 2: Automatically (since v5.31.0) The `migrateToSecureLegacySignature` property is used to generate a new secret token if the length is 64 characters. security: api: migrateToSecureLegacySignature: true The token will be automatically updated to 32 characters long and the application will start without any issues. The property won't have any other effect on the application and could be removed after the secret is updated.
