Skip to content

Verify it's working

Three checks, in order: the server is up, your installs route through it, and it actually blocks an unsafe version.

GET /healthz returns {"ok":true} with HTTP 200 on both the engine and dashboard:

Terminal window
curl -fsS https://npm.pkg.<your-domain>/healthz
# {"ok":true}

/-/ping is the canonical liveness probe; /healthz is the k8s-convention alias — identical shape.

EcosystemConfirm commandExpect
npm/Bun/pnpm/Yarnnpm config get registryyour proxy host
pippip install -v <pkg> 2>&1 | grep -i "looking in indexes"proxy host
cargocargo install -v <crate> 2>&1 | grep -i upwardenproxy source

A SAFE install behaves identically to a direct-to-registry install — same output, same lockfile.

3. It blocks an unsafe version (the real test)

Section titled “3. It blocks an unsafe version (the real test)”

The decisive proof is watching a block. Install a version Upwarden treats as non-safe (your operator will designate a canonical tripwire fixture for this purpose) and you should see an HTTP 403 with a [UPWARDEN]-prefixed body:

npm error code E403
npm error 403 {"error":"[UPWARDEN] Package 'demo-malware@1.2.3' is BLOCKED. Downgrade to known-safe version: 'demo-malware@1.2.2'."}

What each verdict looks like on the wire:

VerdictHTTPWhat you see
SAFE200normal install
QUARANTINED403 (after up to FAST_PASS_TIMEOUT_MS, default 3s)[UPWARDEN] Package '…' is currently QUARANTINED. Analysis in progress.
BLOCKED403[UPWARDEN] Package '…' is BLOCKED. Downgrade to known-safe version: '…'.

Silent rollback: a floating range (^1.2.0, ~=1.2) never sees a non-safe version — it’s stripped from the manifest and resolves to the highest safe version, so your build stays green. You only get a 403 when you pin exactly to a non-safe version.

Every install and every block writes an audit_log row scoped to your project, stamped with the apiKeyId. That row is the canonical “why did my install (not) go through” record. See Querying the audit log for the query patterns.