Home/How it works
How it works

A firewall in front of every install.

Point your package manager at Upwarden once; it becomes your registry, analyzes every version, and serves only the safe ones. Because it controls resolution, it can quietly roll back to the last safe version instead of erroring — so your build never breaks.

package manager ──▶ 🛡 Upwarden ──▶ public registry
01

Point your registry

One config line per ecosystem — npm, bun, yarn, pnpm via .npmrc; pip/uv via PIP_INDEX_URL; cargo via a sparse index; and Go, Maven, NuGet and RubyGems each via its standard registry/proxy setting. No per-developer CLI, no per-command prefix.

02

Upwarden analyzes

For every requested package it resolves a verdict per version — using advisory feeds, the similarity scanner, and any connected scanners. Most requests hit a warm verdict and return instantly.

03

You get only safe versions

Blocked and quarantined versions are stripped from the manifest; the range resolves to the last safe one; the build succeeds. No developer action, no broken pipeline.

The verdict state machine

Every version is SAFE, BLOCKED, or QUARANTINED

The verdict decides what ends up in your manifest. How those verdicts are reached — the scanner pipeline and detection layers — is covered on the security page.

SAFE

Served

Included in manifests; artifacts are served normally.

BLOCKED

Stripped

Known malicious or vulnerable. Removed from manifests; direct artifact requests are refused with a clear message.

QUARANTINED

Held & scanned

Newly seen, awaiting analysis. Stripped while the scanner runs, then promoted to SAFE or BLOCKED.

Fast by default. Verdicts resolve through a layered cache — hot cache → durable store → advisory range-match → default-safe for established versions — so most requests are answered without contacting the upstream registry. If the upstream goes down, Upwarden keeps serving cached manifests and your builds keep working.

Silent rollback

Security that doesn't break CI

Because Upwarden controls resolution, a blocked version doesn't error your build — the range simply resolves around it to the last safe version.

Without a firewall
install
$ npm install lodash
# range ^4.17.0 resolves to…
lodash@4.17.22  ← malicious release
✗ compromised code now in your tree
With Upwarden
install
$ npm install lodash
upwarden › 4.17.22 BLOCKED — rolling back
lodash@4.17.21  ← last safe version
✓ build green, malware never fetched
Developer experience

Predictable, with no surprises

Floating ranges just work

^1.2.0, ~=1.2, cargo semver — all resolve around blocked versions automatically to the highest safe one.

Exact pins fail loudly

Pin an exact version that's blocked and you get an actionable [UPWARDEN] error naming a safe version to use instead — never a silent surprise.

Lockfiles keep working

A locked version installs as long as it stays safe. If it later becomes blocked, you get a clear error and a one-command fix.

Private packages untouched

Your existing tokens pass through to the upstream registry unchanged — Upwarden never mints, stores or rotates them. Scoped and private packages keep working.

One proxy hop

Manifests are cached and artifacts stream straight through, so the only added latency is a single hop. Most requests never touch the upstream registry.

Resilient to outages

If the upstream registry has an incident, Upwarden keeps serving cached manifests — your builds don't stop because npm did.

The defining choice

Why registry-replacement matters

Upwarden replaces the registry instead of wrapping a command. That one decision is the source of its advantages.

No new CLI

Anything that speaks the registry protocol is covered — including bun. No per-developer tool to install, no command to remember to prefix.

No cache blind spot

Upwarden is the registry, so cached artifacts can't bypass it — the structural gap that wrapper-based tools can't close.

Build-safe

Because it controls resolution, it can roll back to a safe version instead of erroring. Security that survives contact with CI.

Sovereign

It's your infrastructure — nothing about your dependencies needs to leave your network. No telemetry, every verdict explainable.

Transitive by nature

Every artifact fetch flows through the proxy, so malicious versions are blocked anywhere in the tree — including deep transitive dependencies.

Extensible

Bring your own scanner through a signed callback API; its verdicts fuse into Upwarden's. Detection is a platform, not a closed box.

Get started

Put a firewall in front of every install

Self-serve in a minute, or talk to us about an enterprise deployment.