Security Rules
nproxy ships with seven security rules that protect your supply chain from different threat vectors. Each rule can be independently set to block, warn, or off per organization.
Available rules
| Rule | Default (Pro) | What it catches |
|---|---|---|
| Malware | block | Trojans, cryptominers, credential stealers, typosquats, protestware |
| First Seen | block | Brand-new packages published in the last 7 days |
| Unexpected Dependencies | warn | Dependency injection attacks (like event-stream) |
| Publisher Change | warn | Account takeovers, social engineering transfers |
| Install Scripts | warn | Arbitrary code execution via preinstall/postinstall scripts |
| Package Score | warn | Low-quality, abandoned, or suspicious packages |
| Vulnerability | block | Known CVEs from the OSV.dev database, version-specific |
How rules work
When a developer installs a package, their package manager sends a request to https://your-org.nproxy.app/ for the package metadata. nproxy fetches the metadata from the upstream registry, then runs each enabled rule against it.
Block mode
When a rule triggers in block mode, the flagged versions are removed from the packument before it is returned to the package manager. The package manager then resolves to the latest remaining (safe) version automatically. Developers do not see an error -- they get a slightly older version.
If all versions of a package are blocked, nproxy returns a 403 error with details about which rules triggered.
Warn mode
When a rule triggers in warn mode, all versions are left in the packument. The package installs normally, but nproxy logs a warning to the audit trail. Use warn mode to gain visibility before enforcing stricter policies.
Off mode
The rule is skipped entirely and has no performance cost.
Rule evaluation order
All enabled rules run in parallel against the packument. Each rule returns a list of flagged versions. The proxy collects all results, merges the blocked version lists, and strips them from the response in a single pass.
Response headers indicate what happened:
| Header | Description |
|---|---|
| x-nproxy-tenant | Your organization slug |
| x-nproxy-blocked | Number of versions removed |
| x-nproxy-warned | Number of warn-level rule triggers |
| x-nproxy-traffic-source | Traffic source classification (human, agent, ci, unknown) |
| x-nproxy-packument-cache | Packument cache status (hit, stale, miss, bypass) |
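The block/warn behaviour, the parallel-then-merge evaluation and the `x-nproxy-blocked` / `x-nproxy-warned` counts above, worked through on a small packument. This is an added example and not nproxy's own code: the rule names, levels and 7-day `first_seen` window follow the tables on this page, while the packument, the fixed clock, the two toy rule implementations and the handling of dist-tags are assumptions made for illustration.

```javascript
// Added example, not nproxy's own code: a minimal model of how block and
// warn rules are applied to an npm packument. Rule names, levels and the
// 7-day first_seen window follow the docs; the packument, the fixed clock
// and the rule implementations are constructed for illustration.

const DAY_MS = 24 * 60 * 60 * 1000;
// Fixed "now" so the example is deterministic.
const NOW = Date.parse("2024-06-15T00:00:00Z");

// Constructed packument: the newest version was published yesterday and
// carries a postinstall script; the older versions are clean.
const packument = {
  name: "example-pkg",
  "dist-tags": { latest: "1.2.0" },
  time: {
    created: "2024-01-10T00:00:00Z",
    modified: "2024-06-14T00:00:00Z",
    "1.0.0": "2024-01-10T00:00:00Z",
    "1.1.0": "2024-03-02T00:00:00Z",
    "1.2.0": "2024-06-14T00:00:00Z",
  },
  versions: {
    "1.0.0": { version: "1.0.0", scripts: {} },
    "1.1.0": { version: "1.1.0", scripts: {} },
    "1.2.0": { version: "1.2.0", scripts: { postinstall: "node setup.js" } },
  },
};

// A rule returns the versions it flags; whether that blocks or warns is
// decided by the organization's level for that rule, not by the rule.
const rules = {
  first_seen: (p, params) =>
    Object.keys(p.versions).filter(
      (v) => p.time[v] && NOW - Date.parse(p.time[v]) < params.days * DAY_MS
    ),
  install_scripts: (p) =>
    Object.values(p.versions)
      .filter((m) => m.scripts && (m.scripts.preinstall || m.scripts.postinstall))
      .map((m) => m.version),
};

// Per-organization configuration, as in the Pro defaults table.
const orgConfig = {
  first_seen: { level: "block", params: { days: 7 } },
  install_scripts: { level: "warn" },
  unexpected_deps: { level: "off" },
};

// Most recently published of the given versions, by the packument's
// `time` field (avoids pulling in a semver library for the example).
function newestByTime(p, versions) {
  return [...versions].sort((a, b) => Date.parse(p.time[b]) - Date.parse(p.time[a]))[0];
}

function evaluate(p, config) {
  const blocked = new Set();
  let warned = 0;
  const triggered = [];
  for (const [name, cfg] of Object.entries(config)) {
    if (cfg.level === "off" || !rules[name]) continue; // off rules cost nothing
    const flagged = rules[name](p, cfg.params || {});
    if (flagged.length === 0) continue;
    triggered.push({ rule: name, level: cfg.level, versions: flagged });
    if (cfg.level === "block") flagged.forEach((v) => blocked.add(v));
    else warned += 1; // warn: record it, leave the packument intact
  }
  const headers = { "x-nproxy-blocked": blocked.size, "x-nproxy-warned": warned };
  const remaining = Object.keys(p.versions).filter((v) => !blocked.has(v));
  if (remaining.length === 0) {
    return { status: 403, headers, body: { error: "all versions blocked", triggered } };
  }
  // Single pass: drop blocked versions from `versions` and `time`, and
  // repoint any dist-tag that named a blocked version at the newest safe
  // one (an assumption about how dist-tags are handled).
  const versions = {}, time = {}, distTags = {};
  for (const v of remaining) versions[v] = p.versions[v];
  for (const [k, t] of Object.entries(p.time)) if (!blocked.has(k)) time[k] = t;
  for (const [tag, v] of Object.entries(p["dist-tags"])) {
    distTags[tag] = blocked.has(v) ? newestByTime(p, remaining) : v;
  }
  return { status: 200, headers, triggered, body: { ...p, versions, time, "dist-tags": distTags } };
}
```

Running `evaluate(packument, orgConfig)` strips `1.2.0` (blocked by `first_seen`), leaves the `install_scripts` warning as a trigger record only, and returns `x-nproxy-blocked: 1`, `x-nproxy-warned: 1`; the same packument with every version dated inside the window yields the 403 described above.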
Defaults by plan
Free plan
The malware and vulnerability rules are active (block mode). All other rules are off. This is a hard restriction of the Free plan -- even if you configure other rules in the dashboard, they will not run.
| Rule | Level |
|---|---|
| malware | block |
| vulnerability | block |
| first_seen | off |
| unexpected_deps | off |
| publisher_change | off |
| install_scripts | off |
| score | off |
Pro plan
All seven rules are active:
| Rule | Level | Parameters |
|---|---|---|
| malware | block | -- |
| vulnerability | block | severities: ["CRITICAL", "HIGH"] |
| first_seen | block | 7 days |
| unexpected_deps | warn | -- |
| publisher_change | warn | -- |
| install_scripts | warn | -- |
| score | warn | threshold: 0.4 |
Enterprise plan
Same defaults as Pro, fully customizable. Enterprise customers can also create custom rule configurations.
Data sources
Rules use three data sources:
- Package metadata — The `time`, `versions`, `_npmUser`, `scripts`, and `dependencies` fields from the registry response. Used by the first_seen, unexpected_deps, publisher_change, and install_scripts rules.
- Threat intelligence — Malware alerts and package risk scores from socket.dev. Used by the malware and score rules. Data is cached for 24 hours. If the threat intelligence service is unreachable, rules that depend on it fail open (the package is allowed through).
- Vulnerability data — Known CVEs and security advisories from OSV.dev. Used by the vulnerability rule. Data is queried per-version via the OSV batch API and cached for 24 hours. If the OSV service is unreachable, the rule fails open.
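The caching and fail-open behaviour of the external data sources, shown as an added example that is not nproxy's own code. The 24-hour TTL and fail-open semantics come from the list above; `fetchVerdict` stands in for the real socket.dev or OSV client (its signature is an assumption), and the `degraded` flag is the one thing a defender should want from a fail-open path: an outage must not be indistinguishable from a clean verdict in the audit trail.

```javascript
// Added example, not nproxy's own code: a fail-open lookup with a 24-hour
// cache, modelling the threat-intelligence and vulnerability data-source
// behaviour described above. `fetchVerdict` stands in for the real
// socket.dev or OSV client and its (synchronous) signature is an assumption.

const TTL_MS = 24 * 60 * 60 * 1000;
const verdictCache = new Map(); // key -> { flagged, expires }

// Returns { flagged, degraded, cache }. `flagged` lists the versions the
// source reports as bad; `degraded` is true when the source was
// unreachable and the verdict was synthesised as "nothing flagged".
function lookupFailOpen(key, fetchVerdict, now = Date.now()) {
  const hit = verdictCache.get(key);
  if (hit && hit.expires > now) {
    return { flagged: hit.flagged, degraded: false, cache: "hit" };
  }
  try {
    const flagged = fetchVerdict(key);
    verdictCache.set(key, { flagged, expires: now + TTL_MS });
    return { flagged, degraded: false, cache: "miss" };
  } catch (err) {
    // Fail open: the package is allowed through, but the outage is made
    // visible so the audit trail does not record it as a clean verdict.
    // Nothing is cached, so the next request retries the source.
    const reason = String((err && err.message) || err);
    return { flagged: [], degraded: true, cache: "miss", reason };
  }
}

// Apply a verdict the way a block-level malware rule would: only a real
// verdict can block; a degraded one blocks nothing and leaves an audit note.
function applyMalwareRule(pkgKey, fetchVerdict, now) {
  const v = lookupFailOpen(pkgKey, fetchVerdict, now);
  return {
    blocked: v.degraded ? [] : v.flagged,
    auditNote: v.degraded ? `malware rule skipped (fail open): ${v.reason}` : null,
  };
}
```

Because the failed lookup is not cached, a transient outage only widens the window for the requests made while the source is down; the `auditNote` is what you would alert on so that a sustained outage is noticed rather than silently allowing everything through.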
Configuring rules
Rules are configured per-organization in the nproxy dashboard under Rules. Changes take effect immediately.