nproxy Documentation
nproxy is a production supply-chain enforcement layer. It blocks risky packages before they reach your build, gates CI and production deploys against policy, and makes runtime configuration typed and auditable. One policy layer covers npm, PyPI, Go, Cargo, Maven, and RubyGems.
How it works
- You point your package manager at https://your-org.nproxy.app/
- nproxy fetches package metadata from the upstream registry
- Eight security rules evaluate every version of every package
- Blocked versions are stripped from the response before they reach your package manager
- CI and deploy gates re-run the same policy on Team plans, so production stays clean
There is no agent to install, no binary to manage, and no workflow change for developers: for npm, a single registry line in .npmrc routes every install through the proxy.
Get started
- Quick Start -- Set up nproxy in under five minutes
- Configuration -- Configure your package manager and CI/CD
- Deployment Validation Checklist -- Verify links, forms, analytics, and performance before launch
Security Rules
nproxy ships with eight configurable security rules. Each can be set to block, warn, or off.
| Rule | Default (Pro) | What it catches |
|---|---|---|
| Malware | block | Trojans, cryptominers, credential stealers |
| First Seen | block | Brand-new packages and versions with no track record: typosquats, freshly published malicious releases |
| Unexpected Dependencies | warn | A new dependency appearing in an established package, as in the event-stream incident |
| Publisher Change | warn | Account takeovers, social engineering |
| Install Scripts | warn | Arbitrary code execution during install |
| Package Score | warn | Low-quality, abandoned, or suspicious packages |
| Vulnerability | block | Known vulnerabilities from OSV.dev advisories, matched to the affected versions only |
| License | off | Copyleft, restrictive, or missing licenses |
Read the Security Rules overview for details on how rules work together.
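The filtering step described under How it works, together with the block/warn/off modes from the rules table, as an added example that is not nproxy's own code: it applies three of the eight rules to a constructed npm packument, strips the versions the policy blocks, and repoints any dist-tag that would otherwise reference a stripped version. The packument, the advisory set standing in for an OSV.dev lookup, the three-day first-seen window and all function names are assumptions for illustration.

```javascript
// Added example, not nproxy's code. Assumes the packument shape served by
// registry.npmjs.org: "versions", "time" (publish timestamps) and "dist-tags".
const DAY_MS = 24 * 60 * 60 * 1000;
const FIRST_SEEN_WINDOW_DAYS = 3; // assumed quarantine window for new versions

// Constructed sample: 2.0.0 was published minutes ago and has a postinstall
// script; 1.0.0 is on the (constructed) advisory list; 1.1.0 is clean.
const SAMPLE_PACKUMENT = {
  name: "left-pad-ish",
  "dist-tags": { latest: "2.0.0", next: "2.0.0" },
  time: {
    created: "2024-01-10T00:00:00.000Z",
    "1.0.0": "2024-01-10T00:00:00.000Z",
    "1.1.0": "2024-03-01T00:00:00.000Z",
    "2.0.0": "2024-06-01T11:55:00.000Z",
  },
  versions: {
    "1.0.0": { version: "1.0.0", dist: { tarball: "https://example.invalid/1.0.0.tgz" } },
    "1.1.0": { version: "1.1.0", dist: { tarball: "https://example.invalid/1.1.0.tgz" } },
    "2.0.0": { version: "2.0.0", scripts: { postinstall: "node setup.js" },
               dist: { tarball: "https://example.invalid/2.0.0.tgz" } },
  },
};

// Constructed advisory data standing in for an OSV.dev query (hypothetical).
const KNOWN_VULNERABLE = { "left-pad-ish": new Set(["1.0.0"]) };

// Policy: each rule is "block", "warn" or "off", as in the rules table.
const POLICY = { firstSeen: "block", installScripts: "warn", vulnerability: "block" };

// Each rule returns a finding label for one version, or null if it passes.
const RULES = {
  // Fail closed: a version with no publish timestamp is treated as brand new.
  firstSeen: (pkg, ver, now) => {
    const published = Date.parse((pkg.time || {})[ver]);
    if (Number.isNaN(published)) return "first-seen";
    return now - published < FIRST_SEEN_WINDOW_DAYS * DAY_MS ? "first-seen" : null;
  },
  installScripts: (pkg, ver) => {
    const scripts = pkg.versions[ver].scripts || {};
    return ["preinstall", "install", "postinstall"].some((k) => k in scripts)
      ? "install-scripts" : null;
  },
  vulnerability: (pkg, ver) =>
    (KNOWN_VULNERABLE[pkg.name] || new Set()).has(ver) ? "vulnerability" : null,
};

// Run every enabled rule against every version; collect block and warn findings.
function evaluate(pkg, policy, now = Date.now()) {
  const decisions = {};
  for (const ver of Object.keys(pkg.versions)) {
    const blocked = [], warned = [];
    for (const [name, rule] of Object.entries(RULES)) {
      const mode = policy[name] || "off";
      if (mode === "off") continue;
      const finding = rule(pkg, ver, now);
      if (finding) (mode === "block" ? blocked : warned).push(finding);
    }
    decisions[ver] = { blocked, warned };
  }
  return decisions;
}

// Numeric dotted-version comparison; enough for the sample, no prerelease handling.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Strip blocked versions from the packument before it reaches the client.
// Caveat: a dist-tag that still points at a stripped version leaves npm unable
// to resolve "latest", so each tag is repointed at the newest surviving version.
function filterPackument(pkg, policy, now = Date.now()) {
  const decisions = evaluate(pkg, policy, now);
  const allowed = Object.keys(pkg.versions)
    .filter((v) => decisions[v].blocked.length === 0)
    .sort(compareVersions);
  const out = { ...pkg, versions: {}, time: {}, "dist-tags": {} };
  for (const v of allowed) out.versions[v] = pkg.versions[v];
  for (const [k, t] of Object.entries(pkg.time || {})) {
    if (!(k in pkg.versions) || allowed.includes(k)) out.time[k] = t;
  }
  const newest = allowed[allowed.length - 1];
  for (const [tag, v] of Object.entries(pkg["dist-tags"] || {})) {
    if (allowed.includes(v)) out["dist-tags"][tag] = v;
    else if (newest) out["dist-tags"][tag] = newest;
  }
  return { packument: out, decisions };
}
```

Setting firstSeen to "off" in POLICY lets 2.0.0 through with only the install-scripts warning, which is the trade-off the warn mode exists for: the finding is recorded for review, but the install proceeds.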
CLI
The nproxy CLI helps you configure and verify your setup:
npx nproxy setup acme
npx nproxy status
npx nproxy inspect contract
Enterprise
The Enterprise plan adds:
- SCIM provisioning -- Auto-provision users and tokens from Okta or Azure AD
- mTLS device auth -- Only company-managed devices can access the proxy
- Internal packages -- Host private packages alongside public ones
Architecture
Learn more about the architecture and how nproxy evaluates packages in real time.