dpndncY

Configure your package manager

The firewall runs as a registry proxy. Point each package manager at it once — in the project or CI config — and every install is evaluated against policy before it resolves. No agent on the developer machine; it is pure registry configuration.

How it works

Each ecosystem’s client is told to use the dpndncY firewall as its registry/mirror. The firewall evaluates the requested package@version against policy, records a signed verdict, and, in enforce mode, returns 403 for a blocked package; otherwise it transparently forwards the request to the upstream registry.

Per-ecosystem configuration

npm — .npmrc
registry=https://firewall.dpndncy.example.com/npm/
//firewall.dpndncy.example.com/npm/:_authToken=${DPNDNCY_TOKEN}

PyPI — pip.conf
[global]
index-url = https://firewall.dpndncy.example.com/pypi/simple/

Maven — settings.xml
<mirror>
  <id>dpndncy</id>
  <mirrorOf>*</mirrorOf>
  <url>https://firewall.dpndncy.example.com/maven/</url>
</mirror>

NuGet — NuGet.Config
<packageSources>
  <clear />
  <add key="dpndncy" value="https://firewall.dpndncy.example.com/nuget/v3/index.json" />
</packageSources>

Go / Cargo / RubyGems
# Go
export GOPROXY=https://firewall.dpndncy.example.com/go/

# Cargo (.cargo/config.toml) — set a [source] replacement to the dpndncy registry

# RubyGems
gem sources --add https://firewall.dpndncy.example.com/rubygems/ --remove https://rubygems.org/

Configure CI, not laptops

The highest-leverage place to point at the firewall is your CI/build config — that’s where installs become artifacts. Developer machines are optional.
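
Because enforcement is pure registry configuration, a CI job can check that no setting routes installs around the proxy. The sketch below is an added example, not dpndncY code: it audits .npmrc, pip.conf and GOPROXY for sources other than the firewall host used in the snippets above. The function names, the @acme scope and the bypass lines in the samples are constructed for illustration.

```python
import configparser
import re
from urllib.parse import urlparse

FIREWALL_HOST = "firewall.dpndncy.example.com"  # host from this page's snippets

def _via_firewall(url):
    """True only for an https URL whose host is exactly the firewall."""
    u = urlparse(url.strip())
    return u.scheme == "https" and u.hostname == FIREWALL_HOST

def audit_npmrc(text):
    """Flag default or @scope registry lines that skip the firewall."""
    pat = r"^[ \t]*((?:@[^:=\s]+:)?registry)[ \t]*=[ \t]*(\S+)"
    hits = re.findall(pat, text, re.M)
    out = [f"npm {k} -> {v}" for k, v in hits if not _via_firewall(v)]
    if not any(k == "registry" for k, _ in hits):
        out.append("npm registry unset (client default applies)")
    return out

def audit_pip_conf(text):
    """index-url must be the firewall; extra-index-url adds a second source."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = []
    if not _via_firewall(cp.get("global", "index-url", fallback="")):
        out.append("pip index-url missing or not the firewall")
    for url in cp.get("global", "extra-index-url", fallback="").split():
        if not _via_firewall(url):
            out.append(f"pip extra-index-url -> {url}")
    return out

def audit_goproxy(value):
    """Each GOPROXY entry must be the firewall; 'direct' skips the policy check."""
    return [f"GOPROXY entry -> {e}" for e in re.split(r"[,|]", value)
            if not _via_firewall(e)]

# Constructed samples: the page's settings plus one bypass in each.
SAMPLE_NPMRC = """registry=https://firewall.dpndncy.example.com/npm/
//firewall.dpndncy.example.com/npm/:_authToken=${DPNDNCY_TOKEN}
@acme:registry=https://registry.npmjs.org/
"""
SAMPLE_PIP = """[global]
index-url = https://firewall.dpndncy.example.com/pypi/simple/
extra-index-url = https://pypi.org/simple/
"""
SAMPLE_GOPROXY = "https://firewall.dpndncy.example.com/go/,direct"

if __name__ == "__main__":
    for f in audit_npmrc(SAMPLE_NPMRC) + audit_pip_conf(SAMPLE_PIP) + audit_goproxy(SAMPLE_GOPROXY):
        print("BYPASS:", f)
```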

Air-gapped

In air-gapped environments the firewall fronts an internal mirror and serves from its local cache, so installs work with no outbound access. See Air-gapped install.
