build(deps-dev): bump verdaccio from 6.3.2 to 6.4.0

[dependabot]

Bumps verdaccio from 6.3.2 to 6.4.0.

Release notes

Sourced from verdaccio's releases.

v6.4.0

Features

Package Filter Plugins (#5786, verdaccio/verdaccio#5548) by @​vsugrob, @​pyhp2017 @​juanpicado

⚠️ Please help us to test this feature (it is pretty new and might be not perfect) ref https://github.com/orgs/verdaccio/discussions/5796 The @verdaccio/package-filter package is bundled by default but must be enabled by the user.

@verdaccio/package-filter is a built-in plugin that intercepts package metadata from uplinks and removes versions matching configurable rules. With no rules configured, it acts as a no-op passthrough.

Block a compromised package version

filters:
  '@verdaccio/package-filter':
    block:
      - package: 'event-stream'
        versions: '3.3.6'

Block an entire malicious scope

filters:
  '@verdaccio/package-filter':
    block:
      - scope: '@malicious'

Quarantine recently published versions

Hide versions published less than 7 days ago, giving time for review before adoption:

filters:
  '@verdaccio/package-filter':
    minAgeDays: 7

Freeze registry to a point in time

Only serve versions published before a specific date:

filters:
  '@verdaccio/package-filter':
    dateThreshold: '2025-01-01'

Whitelist trusted packages within blocked rules

... (truncated)

Changelog

Sourced from verdaccio's changelog.

6.4.0 (2026-04-06)

Features

• add package filter (#5786) (458a9f2)

Bug Fixes

• deps: update core verdaccio dependencies (#5674) (4d65507)
• deps: update core verdaccio dependencies (#5780) (b58287b)
• deps: update dependency lodash to v4.18.1 (#5777) (797ae53)

Commits

• eac494d chore(release): 6.4.0
• 7d66ae1 chore: test release (#5788)
• 9216747 chore: restore ci
• 404363f chore: test release
• 4baff54 chore: test canary
• 07fc978 chore: test release (#5787)
• aaf8baa chore: enable canary release
• 458a9f2 feat: add package filter (#5786)
• b58287b fix(deps): update core verdaccio dependencies (#5780)
• 797ae53 fix(deps): update dependency lodash to v4.18.1 (#5777)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)