Protected in one config line.
Point your package manager at your Upwarden instance. Every install from then on flows through the firewall — malicious versions stripped, floating ranges rolled back to the last safe version, builds still green.
This is the self-hosted setup — you run Upwarden, nothing leaves your network. Don't want to run a server? Upwarden Cloud is the managed version we host for you (private beta).
Replace upwarden.example.com with your own instance URL. If your team runs a shared Upwarden, your platform admin has the address; to stand one up yourself, see the deployment docs.
npm protocol — npm, bun, yarn, pnpm
Anything that speaks the npm registry protocol is covered. Set the registry once and every install resolves through Upwarden.
$ npm config set registry https://upwarden.example.com/
registry=https://upwarden.example.com/
[install] registry = "https://upwarden.example.com/"
npmRegistryServer: "https://upwarden.example.com/"
bun is first-class. Because bun reads the standard registry config, it's covered exactly like npm — something wrapper-based tools don't offer. Private and scoped packages keep working: your existing tokens pass straight through to the upstream registry, untouched.
Python — pip, poetry, uv
Point the index URL at Upwarden's /simple/ endpoint.
$ export PIP_INDEX_URL=https://upwarden.example.com/simple/
[global] index-url = https://upwarden.example.com/simple/
$ export UV_INDEX_URL=https://upwarden.example.com/simple/
$ poetry source add --priority=primary upwarden https://upwarden.example.com/simple/
Rust — cargo
cargo uses a sparse index. Replace crates.io with your Upwarden sparse endpoint in .cargo/config.toml.
[source.crates-io] replace-with = "upwarden" [registries.upwarden] index = "sparse+https://upwarden.example.com/cargo/"
Go, Maven, NuGet & RubyGems
These use the same pattern — point each ecosystem's standard registry setting at your Upwarden endpoint:
- Go — set
GOPROXYto your Upwarden Go endpoint. - Maven — add an Upwarden
<mirror>in~/.m2/settings.xml. - NuGet — add your Upwarden feed as a
packageSourceinnuget.config. - RubyGems — point Bundler's mirror at your Upwarden RubyGems endpoint.
All four get the same proxy, content scan, behavioral signals and silent rollback as npm and PyPI — Maven adds JVM bytecode analysis on top. Ask us for the exact per-ecosystem snippet for your setup.
Verify it works
Install anything. A normal, safe package installs as usual — the only added latency is a single proxy hop. To see the firewall act, request a version known to be blocked and watch it roll back:
$ npm install lodash upwarden › lodash@4.17.22 — BLOCKED (malware signature match) upwarden › resolving to last safe version → 4.17.21 added 1 package — lodash@4.17.21 ✓ build green
What happens on a block
- Floating ranges (
^1.2.0,~=1.2, cargo semver) resolve around blocked versions automatically — silent rollback to the highest safe version. - Exact pins to a blocked version fail loudly with an actionable
[UPWARDEN]message that names a safe version to use. - Lockfile installs keep working as long as the locked version stays safe. If it later becomes blocked, you get a clear error and a one-command fix.
- Brand-new versions are quarantined and scanned. Requests are briefly held for a verdict; if none is reached, the request fails closed rather than letting an unscanned artifact through.
- Registry downtime doesn't stop you — Upwarden keeps serving cached manifests, so builds keep working.
Keep your builds green and your malware out
Self-serve in a minute, or talk to us about an enterprise deployment.