A firewall in front of every install.
Point your package manager at Upwarden once; it becomes your registry, analyzes every version, and serves only the safe ones. Because it controls resolution, it can quietly roll back to the last safe version instead of erroring — so your build never breaks.
Point your registry
One config line per ecosystem — npm, bun, yarn, pnpm via .npmrc; pip/uv via PIP_INDEX_URL; cargo via a sparse index; and Go, Maven, NuGet and RubyGems each via its standard registry/proxy setting. No per-developer CLI, no per-command prefix.
Upwarden analyzes
For every requested package it resolves a verdict per version — using advisory feeds, the similarity scanner, and any connected scanners. Most requests hit a warm verdict and return instantly.
You get only safe versions
Blocked and quarantined versions are stripped from the manifest; the range resolves to the last safe one; the build succeeds. No developer action, no broken pipeline.
Every version is SAFE, BLOCKED, or QUARANTINED
The verdict decides what ends up in your manifest. How those verdicts are reached — the scanner pipeline and detection layers — is covered on the security page.
Served
Included in manifests; artifacts are served normally.
Stripped
Known malicious or vulnerable. Removed from manifests; direct artifact requests are refused with a clear message.
Held & scanned
Newly seen, awaiting analysis. Stripped while the scanner runs, then promoted to SAFE or BLOCKED.
Fast by default. Verdicts resolve through a layered cache — hot cache → durable store → advisory range-match → default-safe for established versions — so most requests are answered without contacting the upstream registry. If the upstream goes down, Upwarden keeps serving cached manifests and your builds keep working.
Security that doesn't break CI
Because Upwarden controls resolution, a blocked version doesn't error your build — the range simply resolves around it to the last safe version.
$ npm install lodash # range ^4.17.0 resolves to… lodash@4.17.22 ← malicious release ✗ compromised code now in your tree
$ npm install lodash upwarden › 4.17.22 BLOCKED — rolling back lodash@4.17.21 ← last safe version ✓ build green, malware never fetched
Predictable, with no surprises
Floating ranges just work
^1.2.0, ~=1.2, cargo semver — all resolve around blocked versions automatically to the highest safe one.
Exact pins fail loudly
Pin an exact version that's blocked and you get an actionable [UPWARDEN] error naming a safe version to use instead — never a silent surprise.
Lockfiles keep working
A locked version installs as long as it stays safe. If it later becomes blocked, you get a clear error and a one-command fix.
Private packages untouched
Your existing tokens pass through to the upstream registry unchanged — Upwarden never mints, stores or rotates them. Scoped and private packages keep working.
One proxy hop
Manifests are cached and artifacts stream straight through, so the only added latency is a single hop. Most requests never touch the upstream registry.
Resilient to outages
If the upstream registry has an incident, Upwarden keeps serving cached manifests — your builds don't stop because npm did.
Why registry-replacement matters
Upwarden replaces the registry instead of wrapping a command. That one decision is the source of its advantages.
No new CLI
Anything that speaks the registry protocol is covered — including bun. No per-developer tool to install, no command to remember to prefix.
No cache blind spot
Upwarden is the registry, so cached artifacts can't bypass it — the structural gap that wrapper-based tools can't close.
Build-safe
Because it controls resolution, it can roll back to a safe version instead of erroring. Security that survives contact with CI.
Sovereign
It's your infrastructure — nothing about your dependencies needs to leave your network. No telemetry, every verdict explainable.
Transitive by nature
Every artifact fetch flows through the proxy, so malicious versions are blocked anywhere in the tree — including deep transitive dependencies.
Extensible
Bring your own scanner through a signed callback API; its verdicts fuse into Upwarden's. Detection is a platform, not a closed box.
Put a firewall in front of every install
Self-serve in a minute, or talk to us about an enterprise deployment.