Setup npm Proxy with DevGuard Dependency Proxy
Supply chain attacks through npm are a growing threat. In 2025, attackers published malicious packages impersonating the popular TanStack library, targeting developers who mistyped the package name or were misled by search results. Incidents like this — where a single npm install can silently compromise a developer machine or CI environment — highlight why every package download should be screened before it executes on your systems.
The DevGuard dependency proxy sits between your developers and the public npm registry. Every package request is checked against the OSV dataset before it reaches your machine, blocking known malicious packages automatically.
- Registry URL: <your-devguard-url>/api/v1/dependency-proxy/npm
Configuration
Point npm at the DevGuard proxy by adding a registry entry to your .npmrc. This file can live at the project level (./.npmrc) to scope only that project, or at the user level (~/.npmrc) to apply globally.
Once set, all npm install and npm ci invocations route through DevGuard transparently. No changes to your package.json or CI scripts are required.
Testing
DevGuard ships a test package, fake-malicious-npm-package, that is permanently flagged as malicious. Use it to verify the proxy is working before relying on it in production: in a scratch project whose .npmrc points at the proxy, declare fake-malicious-npm-package alongside a known-good dependency such as lodash in package.json.
Run npm install. lodash installs successfully while fake-malicious-npm-package is rejected with a 403 Forbidden. If you see both results, your proxy is configured correctly.
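The screening decision the proxy makes (package request looked up in OSV, known-malicious packages answered with 403) can be reproduced locally to understand what the test above exercises. The following is an added example, not DevGuard's code: the OSV query endpoint and the MAL- advisory prefix are real, the "block only on MAL- advisories" policy is an assumption about DevGuard, and the two sample responses are constructed.

```python
"""Local mirror of the OSV screening step described above.

Added example, not DevGuard code. The OSV query endpoint and the MAL-
advisory prefix are real; the sample responses below are constructed.
"""
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # public OSV endpoint
HTTP_FORBIDDEN = 403  # status the page says the proxy returns for blocked packages


def query_osv(name: str, version: str) -> dict:
    """Live lookup of one npm package@version in OSV (network required)."""
    body = json.dumps({"package": {"name": name, "ecosystem": "npm"},
                       "version": version}).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def screen(osv_response: dict) -> tuple[int, list[str]]:
    """Decide on one install request from an OSV response.

    Returns (http_status, advisory_ids). Assumed policy: malware advisories
    (OSV ids with the MAL- prefix) block the download with 403; other
    advisories are reported but the package is still forwarded.
    """
    ids = [v["id"] for v in osv_response.get("vulns", [])]
    malicious = [i for i in ids if i.startswith("MAL-")]
    return (HTTP_FORBIDDEN if malicious else 200), ids


# Constructed stand-ins for the two packages in the test project above;
# neither dict is real OSV output (OSV answers {} when nothing is known).
SAMPLE_RESPONSES = {
    "lodash@4.17.21": {},
    "fake-malicious-npm-package@1.0.0": {
        "vulns": [{"id": "MAL-0000-PLACEHOLDER",
                   "summary": "constructed malware advisory"}]
    },
}


def screen_sample_project() -> dict[str, int]:
    """Screen the constructed responses; returns the HTTP status per package."""
    return {pkg: screen(resp)[0] for pkg, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for pkg, status in screen_sample_project().items():
        print(f"{pkg}: {'403 Forbidden' if status == 403 else '200 OK'}")
```

Swap the constructed responses for query_osv() results to check a real package-lock.json against OSV before it ever reaches npm.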