Configuration
nproxy configuration has two parts: client-side (your package manager pointing to the proxy) and server-side (security rules and org settings in the dashboard).
Package manager configuration
All package managers need one thing: the registry URL pointing to your nproxy endpoint.
npm (.npmrc)
Create or edit .npmrc in your project root for project-scoped config, or ~/.npmrc for global config:
registry=https://your-org.nproxy.app/
//your-org.nproxy.app/:_authToken=nproxy_your_token_here
The _authToken line is optional on the Free plan (public reads are allowed by default). Pro and Enterprise plans can require tokens for all requests.
pnpm (.npmrc)
pnpm reads the same .npmrc format as npm:
registry=https://your-org.nproxy.app/
//your-org.nproxy.app/:_authToken=nproxy_your_token_here
Yarn Berry (.yarnrc.yml)
npmRegistryServer: "https://your-org.nproxy.app/"
npmAuthToken: "nproxy_your_token_here"
Yarn Classic (.npmrc)
Yarn 1.x reads .npmrc the same as npm:
registry=https://your-org.nproxy.app/
//your-org.nproxy.app/:_authToken=nproxy_your_token_here
pip (pip.conf)
Create or edit pip.conf (usually at ~/.config/pip/pip.conf on Linux/macOS or %APPDATA%\pip\pip.ini on Windows):
[global]
index-url = https://your-org.nproxy.app/pypi/simple/
To include authentication:
[global]
index-url = https://nproxy:nproxy_your_token_here@your-org.nproxy.app/pypi/simple/
uv
uv reads pip.conf by default, or you can set environment variables:
export UV_INDEX_URL=https://your-org.nproxy.app/pypi/simple/
Or pass it directly:
uv pip install --index-url https://your-org.nproxy.app/pypi/simple/ requests
For pyproject.toml-based projects using uv:
[tool.uv]
index-url = "https://your-org.nproxy.app/pypi/simple/"
CI/CD configuration
GitHub Actions
Use the actions/setup-node action with your nproxy registry URL:
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
    with:
      node-version: 20
      registry-url: "https://your-org.nproxy.app/"
  - run: npm ci
    env:
      NODE_AUTH_TOKEN: ${{ secrets.NPROXY_TOKEN }}
Store your nproxy API token as a repository secret named NPROXY_TOKEN.
GitLab CI
install:
  script:
    - echo "registry=https://your-org.nproxy.app/" > .npmrc
    - echo "//your-org.nproxy.app/:_authToken=${NPROXY_TOKEN}" >> .npmrc
    - npm ci
Add NPROXY_TOKEN as a CI/CD variable in your project settings.
Generic CI
For any CI system, configure the registry before running npm install:
npm config set registry https://your-org.nproxy.app/
npm config set //your-org.nproxy.app/:_authToken "$NPROXY_TOKEN"
npm ci
Using the CLI for setup
The nproxy CLI can write the .npmrc configuration for you:
# Project-level .npmrc
npx nproxy setup your-org
# Global ~/.npmrc
npx nproxy setup your-org --global
# Include auth token
npx nproxy setup your-org --token nproxy_your_token_here
The CLI creates a timestamped backup of your existing .npmrc before making changes.
Security rules configuration
Security rules are configured per-organization in the nproxy dashboard. Each of the seven rules can be set to one of three modes:
| Mode | Behavior |
|---|---|
| block | Blocked versions are stripped from package metadata. Your package manager resolves to the latest safe version. If all versions are blocked, the install fails with a 403 error. |
| warn | The package installs normally but a warning is logged in the audit trail. |
| off | The rule is not evaluated. |
Changes to rules take effect immediately for all members of your organization.
Default rules by plan
Free plan -- The malware and vulnerability rules are active (block). All other rules are off.
Pro plan -- All seven rules are active with these defaults:
| Rule | Default level |
|---|---|
| malware | block |
| vulnerability | block (severities: CRITICAL, HIGH) |
| first_seen | block (7 days) |
| unexpected_deps | warn |
| publisher_change | warn |
| install_scripts | warn |
| score | warn (threshold 0.4) |
Enterprise plan -- Same defaults as Pro, fully customizable.
Rule parameters
Some rules have configurable parameters:
- first_seen -- days: Number of days a package must exist before it is allowed. Default: 7.
- score -- threshold: Minimum acceptable score (0 to 1). Packages scoring below this are flagged. Default: 0.4.
- vulnerability -- severities: Array of severity levels to block. Default: ["CRITICAL", "HIGH"].
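To make the interaction of modes and parameters concrete, the following added example (an illustration, not nproxy's own code) applies the Pro-plan defaults for the three parameterised rules to constructed package metadata. The per-version `facts` records, the function names and the re-pointing of the `latest` tag are assumptions made for the sketch.

```javascript
// Added illustration, not nproxy's implementation. Pro-plan defaults from this page.
const RULES = {
  vulnerability: { mode: "block", severities: ["CRITICAL", "HIGH"] },
  first_seen: { mode: "block", days: 7 },
  score: { mode: "warn", threshold: 0.4 },
};

// facts is a hypothetical per-version record: { severities: [...], score: 0..1 }.
// Returns the rules a version trips; a rule in "off" mode never produces a hit.
function evaluate(publishedAt, facts, now, rules) {
  const ageDays = (now - Date.parse(publishedAt)) / 86_400_000;
  const tripped = {
    vulnerability: facts.severities.some((s) => rules.vulnerability.severities.includes(s)),
    first_seen: ageDays < rules.first_seen.days,
    score: facts.score < rules.score.threshold,
  };
  return Object.keys(tripped).filter((r) => tripped[r] && rules[r].mode !== "off")
    .map((r) => ({ rule: r, mode: rules[r].mode }));
}

// Strip versions that trip a block-mode rule; collect warn-mode hits for the audit trail.
function filterPackument(doc, factsByVersion, now, rules = RULES) {
  const versions = {}, audit = [];
  for (const [v, manifest] of Object.entries(doc.versions)) {
    const hits = evaluate(doc.time[v], factsByVersion[v], now, rules);
    if (hits.some((h) => h.mode === "block")) continue;
    versions[v] = manifest;
    for (const h of hits) audit.push(`${v}:${h.rule}`);
  }
  const kept = Object.keys(versions);
  if (kept.length === 0) return { status: 403, audit }; // every version blocked
  // Assumption: "latest" is re-pointed to the newest surviving version by publish time.
  kept.sort((a, b) => Date.parse(doc.time[a]) - Date.parse(doc.time[b]));
  const tags = { ...doc["dist-tags"], latest: kept[kept.length - 1] };
  return { status: 200, audit, body: { ...doc, versions, "dist-tags": tags } };
}

// Constructed sample metadata in the shape of an npm packument.
const NOW = Date.parse("2024-06-15T00:00:00Z");
const PACKUMENT = {
  "dist-tags": { latest: "1.2.0" },
  versions: { "1.0.0": {}, "1.1.0": {}, "1.2.0": {} },
  time: { "1.0.0": "2024-01-10T00:00:00Z", "1.1.0": "2024-03-02T00:00:00Z", "1.2.0": "2024-06-12T00:00:00Z" },
};
const FACTS = {
  "1.0.0": { severities: ["HIGH"], score: 0.8 }, // blocked: vulnerability
  "1.1.0": { severities: ["LOW"], score: 0.3 },  // kept, warn: score
  "1.2.0": { severities: [], score: 0.9 },       // blocked: first_seen (3 days old)
};
console.log(JSON.stringify(filterPackument(PACKUMENT, FACTS, NOW), null, 2));
```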
Organization settings
These settings are available in the dashboard under Settings:
| Setting | Description | Default |
|---|---|---|
| requireToken | Require an API token for all requests | false |
| allowPublicReads | Allow unauthenticated GET requests when requireToken is true | true |
| mtlsRequired | Require a valid client certificate (Enterprise only) | false |
| allowedCAFingerprints | List of allowed CA certificate SHA-256 fingerprints (Enterprise only) | [] |
| internalScopes | npm scopes for internal packages, e.g. ["@acme"] (Enterprise only) | [] |
| signingPolicy | Code signing enforcement: off, warn, internal, or all | "off" |
Token authentication
nproxy supports two types of bearer tokens:
nproxy tokens
API tokens generated in the dashboard authenticate requests to the proxy. They start with the nproxy_ prefix and are stored as SHA-256 hashes for security.
Tokens have scopes that control what they can do:
| Scope | Permission |
|---|---|
| proxy | Read packages through the proxy (default) |
| publish | Publish and unpublish internal packages |
| cicd | Bypass mTLS requirement (for CI/CD pipelines) |
Tokens can optionally have an expiration date. Expired tokens are rejected automatically.
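The following added example (not nproxy's own code) shows how hashed token storage, expiry, scopes and the requireToken / allowPublicReads settings combine into one access decision. The record fields, the decision strings, and the mapping of GET to the proxy scope and every other method to the publish scope are assumptions made for the sketch.

```javascript
// Added illustration, not nproxy's implementation; record fields are hypothetical.
const { createHash, timingSafeEqual } = require("node:crypto");

const sha256 = (s) => createHash("sha256").update(s).digest();

// The store keeps only the SHA-256 digest, so a leaked store does not leak tokens.
function makeRecord(token, scopes, expiresAt = null) {
  return { hash: sha256(token), scopes, expiresAt };
}

// Find a live record for a presented token, or null if unknown or expired.
function lookup(token, store, now) {
  const digest = sha256(token);
  const rec = store.find((r) => timingSafeEqual(r.hash, digest));
  if (!rec) return null;
  if (rec.expiresAt !== null && now >= rec.expiresAt) return null;
  return rec;
}

function authorize(req, settings, store, now) {
  // Only nproxy_-prefixed bearer tokens are checked here; other bearer values
  // (such as npm tokens) are not proxy credentials.
  const m = /^Bearer (nproxy_\S+)$/.exec(req.authorization || "");
  if (m) {
    const rec = lookup(m[1], store, now);
    if (!rec) return "deny:invalid-token";
    const needed = req.method === "GET" ? "proxy" : "publish"; // assumed mapping
    return rec.scopes.includes(needed) ? "allow" : "deny:scope";
  }
  // No nproxy token presented: only reads can ever be anonymous.
  if (req.method !== "GET") return "deny:token-required";
  if (!settings.requireToken || settings.allowPublicReads) return "allow";
  return "deny:token-required";
}

// Constructed sample tokens and store.
const T0 = Date.parse("2024-06-15T00:00:00Z");
const STORE = [
  makeRecord("nproxy_ci_constructed", ["proxy", "cicd"]),
  makeRecord("nproxy_old_constructed", ["proxy"], Date.parse("2024-01-01T00:00:00Z")),
];
const STRICT = { requireToken: true, allowPublicReads: false };
console.log(authorize({ method: "GET", authorization: "Bearer nproxy_ci_constructed" }, STRICT, STORE, T0));
console.log(authorize({ method: "GET" }, STRICT, STORE, T0));
```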
npm tokens
If you need to use npm CLI commands that write to the public npm registry (like npm publish, npm deprecate, npm star, or npm owner), you can authenticate with npm directly:
npm login --registry=https://your-org.nproxy.app/
This authenticates with npm through the proxy and saves your npm token. The proxy forwards npm tokens to the upstream registry and strips nproxy tokens (which npm would not accept).
Note: npm only supports one _authToken per registry host. If you need both an nproxy token (for proxy authentication) and an npm token (for publish operations), you can configure the nproxy token at the project level (.npmrc in your project root) and use npm publish --registry=https://registry.npmjs.org/ to publish directly.