Home/Quickstart
Quickstart

Protected in one config line.

Point your package manager at your Upwarden instance. Every install from then on flows through the firewall — malicious versions stripped, floating ranges rolled back to the last safe version, builds still green.

This is the self-hosted setup — you run Upwarden, nothing leaves your network. Don't want to run a server? Upwarden Cloud is the managed version we host for you (private beta).

Replace upwarden.example.com with your own instance URL. If your team runs a shared Upwarden, your platform admin has the address; to stand one up yourself, see the deployment docs.

npm protocol — npm, bun, yarn, pnpm

Anything that speaks the npm registry protocol is covered. Set the registry once and every install resolves through Upwarden.

npm — global
$ npm config set registry https://upwarden.example.com/
.npmrc — per project (npm, pnpm, yarn classic)
registry=https://upwarden.example.com/
bunfig.toml — bun
[install]
registry = "https://upwarden.example.com/"
.yarnrc.yml — yarn berry (v2+)
npmRegistryServer: "https://upwarden.example.com/"

bun is first-class. Because bun reads the standard registry config, it's covered exactly like npm — something wrapper-based tools don't offer. Private and scoped packages keep working: your existing tokens pass straight through to the upstream registry, untouched.

Python — pip, poetry, uv

Point the index URL at Upwarden's /simple/ endpoint.

pip — environment variable
$ export PIP_INDEX_URL=https://upwarden.example.com/simple/
pip.conf — persistent
[global]
index-url = https://upwarden.example.com/simple/
uv
$ export UV_INDEX_URL=https://upwarden.example.com/simple/
poetry
$ poetry source add --priority=primary upwarden https://upwarden.example.com/simple/

Rust — cargo

cargo uses a sparse index. Replace crates.io with your Upwarden sparse endpoint in .cargo/config.toml.

.cargo/config.toml
[source.crates-io]
replace-with = "upwarden"

[registries.upwarden]
index = "sparse+https://upwarden.example.com/cargo/"

Go, Maven, NuGet & RubyGems

These use the same pattern — point each ecosystem's standard registry setting at your Upwarden endpoint:

  • Go — set GOPROXY to your Upwarden Go endpoint.
  • Maven — add an Upwarden <mirror> in ~/.m2/settings.xml.
  • NuGet — add your Upwarden feed as a packageSource in nuget.config.
  • RubyGems — point Bundler's mirror at your Upwarden RubyGems endpoint.

All four get the same proxy, content scan, behavioral signals and silent rollback as npm and PyPI — Maven adds JVM bytecode analysis on top. Ask us for the exact per-ecosystem snippet for your setup.

Verify it works

Install anything. A normal, safe package installs as usual — the only added latency is a single proxy hop. To see the firewall act, request a version known to be blocked and watch it roll back:

terminal
$ npm install lodash
upwarden › lodash@4.17.22 — BLOCKED (malware signature match)
upwarden › resolving to last safe version → 4.17.21
added 1 package — lodash@4.17.21  ✓ build green

What happens on a block

  • Floating ranges (^1.2.0, ~=1.2, cargo semver) resolve around blocked versions automatically — silent rollback to the highest safe version.
  • Exact pins to a blocked version fail loudly with an actionable [UPWARDEN] message that names a safe version to use.
  • Lockfile installs keep working as long as the locked version stays safe. If it later becomes blocked, you get a clear error and a one-command fix.
  • Brand-new versions are quarantined and scanned. Requests are briefly held for a verdict; if none is reached, the request fails closed rather than letting an unscanned artifact through.
  • Registry downtime doesn't stop you — Upwarden keeps serving cached manifests, so builds keep working.
Get started

Keep your builds green and your malware out

Self-serve in a minute, or talk to us about an enterprise deployment.