Dependency Proxy with Malicious Package Firewall
DevGuard includes a built-in dependency proxy that acts as a protective layer between your development environment and public package registries. It helps prevent supply chain attacks by blocking malicious packages before they reach your systems.
How It Works
- Request Interception: When you install a package, the proxy intercepts the request
- Database Check: The package is checked against the OSV dataset, which includes GitHub malware advisories — kept current via the vulndb sync
- Blocking: If flagged as malicious, the request is blocked and logged
- Caching: Safe packages are cached with SHA256 integrity verification
- Metrics: All blocked attempts are recorded in Prometheus metrics
Supported Ecosystems
| Ecosystem | Registry URL |
|---|---|
| npm | /api/v1/dependency-proxy/npm |
| Go modules | /api/v1/dependency-proxy/go |
| PyPI | /api/v1/dependency-proxy/pypi/simple |
For setup instructions, see the ecosystem-specific guides.
Minimum Package Age
The proxy can be configured to refuse any package version published more recently than a specified number of days. This gives the security community time to detect and flag malicious releases before they reach your teams — a simple but effective defense against attacks that rely on packages being downloaded within hours of publication.
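As an added example (not DevGuard's own code), the following Go program models the pipeline described under How It Works together with the minimum-age rule: requests are refused until the advisory database is loaded, each request is checked against OSV-style malware advisories and then against the age policy, blocked requests are logged and counted, and allowed artifacts are cached with a SHA256 digest that is re-verified on every cache hit. The types, method names, the `MAL-0000-*` advisory IDs and the package names are constructed for this illustration; DevGuard's actual data structures, configuration keys and Prometheus metric names are not shown on this page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

type Decision string

const (
	Allowed        Decision = "allowed"
	BlockedMalware Decision = "blocked_malicious"
	BlockedTooNew  Decision = "blocked_too_new"
)

// Advisory is a simplified OSV-style malware record; an empty Versions list means every version.
type Advisory struct{ ID, Ecosystem, Package string; Versions []string }

// PackageRequest is one install request seen by the proxy.
type PackageRequest struct{ Ecosystem, Name, Version string; Published time.Time }

// CacheEntry keeps the artifact together with the SHA256 computed when it was cached.
type CacheEntry struct{ Data []byte; Digest string }

// Proxy holds the advisory index, the cache, the age policy and the counters.
type Proxy struct {
	advisories map[string][]Advisory
	Cache      map[string]CacheEntry
	minAgeDays int
	dbLoaded   bool
	Blocked    map[Decision]int // stands in for the Prometheus counters
	Log        []string         // stands in for the proxy's block log
}

func NewProxy(minAgeDays int) *Proxy {
	return &Proxy{advisories: map[string][]Advisory{}, Cache: map[string]CacheEntry{}, minAgeDays: minAgeDays, Blocked: map[Decision]int{}}
}

func pkgKey(eco, name string) string { return eco + "/" + name }
func sha256Hex(b []byte) string    { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// LoadAdvisories indexes the database; until it has run, Fetch refuses every request.
func (p *Proxy) LoadAdvisories(advs []Advisory) {
	for _, a := range advs {
		k := pkgKey(a.Ecosystem, a.Package)
		p.advisories[k] = append(p.advisories[k], a)
	}
	p.dbLoaded = true
}

// Check applies the policies in order: malware advisory match (returning the
// advisory ID), then minimum package age.
func (p *Proxy) Check(req PackageRequest, now time.Time) (Decision, string) {
	for _, a := range p.advisories[pkgKey(req.Ecosystem, req.Name)] {
		hit := len(a.Versions) == 0
		for _, v := range a.Versions {
			hit = hit || v == req.Version
		}
		if hit {
			return BlockedMalware, a.ID
		}
	}
	if now.Sub(req.Published) < time.Duration(p.minAgeDays)*24*time.Hour {
		return BlockedTooNew, ""
	}
	return Allowed, ""
}

// Fetch runs the pipeline: refuse until the DB is loaded; check; on a block, log and count; else serve from cache (re-verified) or upstream.
func (p *Proxy) Fetch(req PackageRequest, now time.Time, upstream func() []byte) (Decision, []byte, error) {
	if !p.dbLoaded {
		return "", nil, errors.New("advisory database not loaded; refusing to serve")
	}
	d, advID := p.Check(req, now)
	if d != Allowed {
		p.Blocked[d]++
		p.Log = append(p.Log, fmt.Sprintf("blocked %s/%s@%s reason=%s advisory=%q", req.Ecosystem, req.Name, req.Version, d, advID))
		return d, nil, nil // a blocked package is never cached
	}
	key := pkgKey(req.Ecosystem, req.Name) + "@" + req.Version
	if e, ok := p.Cache[key]; ok {
		if sha256Hex(e.Data) == e.Digest {
			return Allowed, e.Data, nil
		}
		delete(p.Cache, key) // digest mismatch: evict and refetch rather than serve it
		p.Log = append(p.Log, "cache integrity failure: "+key)
	}
	data := upstream()
	p.Cache[key] = CacheEntry{Data: data, Digest: sha256Hex(data)}
	return Allowed, data, nil
}

// ExampleAdvisories is a constructed dataset; the IDs and package names are made up.
var ExampleAdvisories = []Advisory{
	{ID: "MAL-0000-0001", Ecosystem: "npm", Package: "example-stealer"},
	{ID: "MAL-0000-0002", Ecosystem: "PyPI", Package: "example-lib", Versions: []string{"2.0.1"}},
}
```

The ordering in `Check` matters: an advisory match is reported before the age rule, so the log shows the stronger reason and the advisory ID when both apply. The digest stored with each cache entry is recomputed on every hit, which is what turns the cache from a plain file store into an integrity check; a mismatch is treated as a miss rather than served.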
Cache & Security
The proxy enforces security at the caching layer — malicious packages are never cached, and the database must be fully loaded before any requests are served. See Cache Management for details.