Forge safer npm installs
Anvil Registry is an open source npm registry gateway, paired with Anvil Node Base, that puts policy, analysis, and audit trails before dependency installs.

Two tools, one install path
Use the registry gateway for enforcement and the Node base image when you need a safer local harness.
Anvil Registry
A drop-in npm registry gateway that evaluates packages before install traffic reaches developers or CI.
- Policy decisions before tarballs
- Metadata and tarball proxying
- Analysis cached by immutable identity
- Clear block and quarantine reasons
Anvil Node Base
A hardened Node devcontainer base image for safer installs when you need to inspect unknown repos.
- Non-root by default
- ignore-scripts safe mode
- Observed install mode with reports
- Strict mode for high-confidence IOCs
Architecture that fits the toolchain
Anvil Registry sits between package managers and upstream registries, then pushes expensive work out to the analysis worker.
Step 1: Developer / CI
- npm
- pnpm
- yarn
- build agents
Step 2: Anvil Registry
- policy engine
- analysis queue
- tarball cache
- audit log
Step 3: Upstream npm
- metadata
- tarballs
- audit APIs
Step 4: Data store
- decisions
- reports
- overrides
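The metadata and tarball path described above, as an added example written for this page rather than code from the Anvil project: an upstream packument is rewritten so tarball downloads come back through the gateway, analysis jobs are keyed on the immutable tarball identity (the SRI integrity string already present in upstream metadata), and a tarball request is answered from the decision store before any bytes are served. The gateway URL https://anvil.internal, the package name sample-pkg, every identity, the decision entries and the HTTP status codes are all constructed assumptions of this example.

```javascript
// Added example, not Anvil's own code. Gateway URL, package, identities and
// status codes are assumptions constructed for illustration.

const GATEWAY_BASE = "https://anvil.internal"; // assumed deployment URL
const UPSTREAM_BASE = "https://registry.npmjs.org";

// Constructed sample: a trimmed packument as returned by GET /sample-pkg upstream.
const SAMPLE_PACKUMENT = {
  name: "sample-pkg",
  "dist-tags": { latest: "1.2.0" },
  versions: {
    "0.9.0": { version: "0.9.0", dist: { tarball: `${UPSTREAM_BASE}/sample-pkg/-/sample-pkg-0.9.0.tgz` } },
    "1.0.0": { version: "1.0.0", dist: { tarball: `${UPSTREAM_BASE}/sample-pkg/-/sample-pkg-1.0.0.tgz`,
                                         shasum: "0123456789abcdef0123456789abcdef01234567" } },
    "1.1.0": { version: "1.1.0", dist: { tarball: `${UPSTREAM_BASE}/sample-pkg/-/sample-pkg-1.1.0.tgz`,
                                         integrity: "sha512-constructedIdentity110" } },
    "1.2.0": { version: "1.2.0", dist: { tarball: `${UPSTREAM_BASE}/sample-pkg/-/sample-pkg-1.2.0.tgz`,
                                         integrity: "sha512-constructedIdentity120" } },
    "1.2.1": { version: "1.2.1", dist: { tarball: "https://mirror.example/sample-pkg-1.2.1.tgz",
                                         integrity: "sha512-constructedIdentity121" } },
  },
};

// The immutable identity of a tarball is its SRI integrity string. Older publishes
// only carry a sha1 shasum, which is still immutable but weaker.
function tarballIdentity(dist) {
  if (dist.integrity) return dist.integrity;
  if (dist.shasum) return `sha1-${dist.shasum}`;
  return null;
}

// Point every tarball URL at the gateway, keeping the upstream path so scoped
// packages and path-prefixed deployments both work. dist.integrity is left
// untouched: the client verifies downloaded bytes against it, so the gateway
// cannot silently substitute a tarball. Versions whose tarball lives on a host
// other than the configured upstream are dropped rather than proxied, otherwise
// the gateway would fetch from any host named in upstream metadata.
function rewritePackument(packument, gatewayBase = GATEWAY_BASE, upstreamBase = UPSTREAM_BASE) {
  const upstreamHost = new URL(upstreamBase).host;
  const base = gatewayBase.replace(/\/+$/, "");
  const versions = {};
  const offHost = [];
  for (const [v, meta] of Object.entries(packument.versions)) {
    const upstream = new URL(meta.dist.tarball);
    if (upstream.host !== upstreamHost) { offHost.push(v); continue; }
    versions[v] = { ...meta, dist: { ...meta.dist, tarball: base + upstream.pathname } };
  }
  return { packument: { ...packument, versions }, offHost };
}

// Decide which tarballs need an analysis job. The cache is keyed by identity, so
// a version re-published with different bytes is analysed again, and the same
// bytes under another version are not.
function planAnalysisJobs(packument, cache) {
  const queued = [], cached = [], unidentified = [];
  for (const [version, meta] of Object.entries(packument.versions)) {
    const identity = tarballIdentity(meta.dist);
    if (identity === null) { unidentified.push(version); continue; }
    if (cache.has(identity)) { cached.push({ version, identity, report: cache.get(identity) }); continue; }
    queued.push({ version, identity });
  }
  return { queued, cached, unidentified };
}

// Policy decision before tarball bytes: a GET for a tarball is answered from the
// decision store, never from upstream alone. Status codes are this example's choice.
function gateTarballRequest(identity, decisions) {
  const d = decisions.get(identity);
  if (!d) return { status: 503, retryAfter: 30, reason: `analysis pending for ${identity}` };
  if (d.decision === "allow") return { status: 200 };
  return { status: 403, reason: `${d.decision}: ${d.reason}` };
}

// Usage with the constructed sample.
const demoRewrite = rewritePackument(SAMPLE_PACKUMENT);
const demoPlan = planAnalysisJobs(demoRewrite.packument, new Map([["sha512-constructedIdentity110", { findings: [] }]]));
console.log(JSON.stringify({ offHost: demoRewrite.offHost, plan: demoPlan }, null, 2));
```

Two choices in this example matter more than the rest: the integrity field is passed through unchanged so the client's own verification still holds end to end, and versions whose tarball points off the configured upstream are dropped from the rewritten metadata instead of being proxied.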
CLI in your workflow
Fast, deterministic, and scriptable enough for local review, CI, and release gates.
$ anvil explain left-pad@1.3.0
Decision: allow
Policy: default@2026-05
Provenance: verified
Signals: no high-confidence findings
Cache identity: sha512-Qw8...Yjm
JSON decision output
Decisions are useful in terminals, but they also need to be boringly machine-readable.
{
"package": "left-pad@1.3.0",
"decision": "allow",
"policy": "default",
"provenance": { "verified": true },
"signals": [],
"cacheIdentity": "sha512-Qw8..."
}

Policy and analysis with receipts
Reviewers get the why, the evidence, and the override trail. Decorative security can stay outside.
Deterministic policy
Package age, provenance, low adoption, static findings, typo-squatting, and overrides feed one auditable decision.
Static package analysis
Manifest diffs, lifecycle scripts, dependency shifts, binary files, encoded blobs, and install-path code patterns.
Reviewer context
Optional LLM review adds structured risk context without becoming the authority that allows a package.
Install-path telemetry
Node Base can capture lifecycle scripts, process execution, network activity, and sensitive file access.
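One of the static-analysis signal generators listed above, the manifest diff, as an added example that is not the Anvil project's own code: it compares the package.json of two published versions, flags install-time lifecycle scripts that appear or change, new dependencies and new executables, and rates a lifecycle change more severely when the version bump is only a patch (the case the timeline below calls out). The two manifests, the package name, the severity labels and the function names are constructed for this example. In a real gateway the manifest should come from inside each tarball, since that is the file npm executes, not only from the packument copy.

```javascript
// Added example, not Anvil's own code. Manifests, severity labels and signal
// names are constructed for illustration.

// Scripts npm runs automatically when a package is installed as a dependency
// from a registry tarball. "prepare" is deliberately absent: it runs for git
// and local installs, not for registry tarballs.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// "patch" when only the third component moved. Anything unparsable is
// "unknown" and is treated as cautiously as a patch below.
function releaseKind(from, to) {
  const a = parseSemver(from), b = parseSemver(to);
  if (!a || !b) return "unknown";
  if (a[0] !== b[0]) return "major";
  if (a[1] !== b[1]) return "minor";
  return "patch";
}

// bin may be a string (one executable named after the package) or an object.
function normalizeBin(manifest) {
  if (typeof manifest.bin === "string") return { [manifest.name]: manifest.bin };
  return manifest.bin ?? {};
}

function diffManifests(prev, next) {
  const kind = releaseKind(prev.version, next.version);
  const quietBump = kind === "patch" || kind === "unknown";
  const signals = [];

  for (const hook of INSTALL_HOOKS) {
    const before = prev.scripts?.[hook];
    const after = next.scripts?.[hook];
    if (before === after) continue;
    const change = before === undefined ? "added" : after === undefined ? "removed" : "changed";
    signals.push({
      signal: "lifecycle-script", hook, change, before, after,
      // A patch release is expected to carry fixes, not new install-time code.
      severity: change === "removed" ? "info" : quietBump ? "high" : "medium",
    });
  }

  const prevDeps = prev.dependencies ?? {}, nextDeps = next.dependencies ?? {};
  for (const [name, range] of Object.entries(nextDeps)) {
    if (!(name in prevDeps)) signals.push({ signal: "dependency-added", name, range, severity: quietBump ? "medium" : "low" });
  }
  for (const name of Object.keys(prevDeps)) {
    if (!(name in nextDeps)) signals.push({ signal: "dependency-removed", name, severity: "info" });
  }

  const prevBin = normalizeBin(prev), nextBin = normalizeBin(next);
  for (const cmd of Object.keys(nextBin)) {
    if (!(cmd in prevBin)) signals.push({ signal: "bin-added", command: cmd, path: nextBin[cmd], severity: quietBump ? "medium" : "low" });
  }

  return { from: prev.version, to: next.version, releaseKind: kind, signals };
}

// Constructed manifests: a patch release that quietly gains a postinstall
// script, a new dependency and an executable.
const PREV_MANIFEST = {
  name: "sample-pkg", version: "2.4.1",
  scripts: { test: "node test.js" },
  dependencies: { "left-pad": "^1.3.0" },
};
const NEXT_MANIFEST = {
  name: "sample-pkg", version: "2.4.2",
  scripts: { test: "node test.js", postinstall: "node scripts/setup.js" },
  dependencies: { "left-pad": "^1.3.0", "sample-telemetry": "^0.1.0" },
  bin: "cli.js",
};

console.log(JSON.stringify(diffManifests(PREV_MANIFEST, NEXT_MANIFEST), null, 2));
```

The same postinstall addition in a minor or major release is rated medium rather than high; the diff is a signal generator, and the policy layer decides what the combination of signals means.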
Policy decision timeline
Metadata fetched
Package metadata is cached and normalized.
Static analysis queued
Unknown tarball identity gets a worker job.
Policy signal found
Lifecycle script changed in a patch release.
Audited override
Reviewer approves with reason and expiry.
left-pad
- Age: 8 years
- Downloads: 1.2M weekly
- Integrity: sha512-Qw8...
- Decision: allow
All policy checks passed for this immutable tarball identity.
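The deterministic policy, the audited override with reason and expiry, and the machine-readable decision output above, brought together in one added example that is not the Anvil project's own code: signals from age, adoption, provenance, typo-squatting and static analysis feed one ordered decision with reasons, a reviewer override counts only while it is unexpired and only for the exact tarball identity it was granted for, and the result is emitted in the JSON shape shown earlier on the page. The policy id, thresholds, signal names, package facts, override and the evaluate function are all constructed for this example.

```javascript
// Added example, not Anvil's own code. Policy, thresholds, signal names,
// package facts and the override are constructed for illustration.

const POLICY = {
  id: "default",
  minAgeDays: 7,            // releases younger than this are held for review
  minWeeklyDownloads: 1000, // below this, adoption is too low to trust silently
};

const SEVERITY_RANK = { high: 3, medium: 2, low: 1, info: 0 };
const rank = (s) => SEVERITY_RANK[s] ?? 0;

function evaluate(pkg, { overrides = [], now = new Date(), policy = POLICY } = {}) {
  const signals = [];
  const ageDays = (now.getTime() - new Date(pkg.publishedAt).getTime()) / 86_400_000;
  if (ageDays < policy.minAgeDays) {
    signals.push({ reason: "new-release", severity: "medium", detail: `${ageDays.toFixed(1)} days old` });
  }
  if (pkg.weeklyDownloads < policy.minWeeklyDownloads) {
    signals.push({ reason: "low-adoption", severity: "low", detail: `${pkg.weeklyDownloads} weekly downloads` });
  }
  if (!pkg.provenance?.verified) {
    signals.push({ reason: "unverified-provenance", severity: "medium" });
  }
  if (pkg.typosquatOf) {
    signals.push({ reason: "typosquat", severity: "high", detail: `name resembles ${pkg.typosquatOf}` });
  }
  for (const s of pkg.staticSignals ?? []) {
    signals.push({ reason: s.signal, severity: s.severity, detail: s.detail });
  }

  // Fixed ordering: the same inputs must always serialise to the same bytes, so
  // a decision can be diffed and audited rather than eyeballed.
  signals.sort((a, b) => rank(b.severity) - rank(a.severity) || a.reason.localeCompare(b.reason));

  const worst = signals.reduce((w, s) => Math.max(w, rank(s.severity)), 0);
  let decision = worst >= 3 ? "block" : worst === 2 ? "quarantine" : "allow";

  // An override is bound to the immutable tarball identity, not to name@version:
  // the same version re-published with different bytes needs a fresh review.
  // An expired override is simply ignored, so expiry is a hard stop.
  const override = overrides.find(
    (o) => o.cacheIdentity === pkg.cacheIdentity && new Date(o.expires).getTime() > now.getTime(),
  );
  if (override && decision !== "allow") decision = "allow";

  // The evidence stays in the record even when an override allows the package.
  return {
    package: `${pkg.name}@${pkg.version}`,
    decision,
    policy: policy.id,
    provenance: { verified: Boolean(pkg.provenance?.verified) },
    signals,
    cacheIdentity: pkg.cacheIdentity,
    ...(override ? { override: { reviewer: override.reviewer, reason: override.reason, expires: override.expires } } : {}),
  };
}

// Constructed facts for two versions of a fictional package, evaluated at a
// fixed clock so the output is reproducible.
const NOW = new Date("2026-05-10T00:00:00Z");
const SETTLED = {
  name: "sample-pkg", version: "2.4.1", publishedAt: "2018-01-01T00:00:00Z",
  weeklyDownloads: 1_200_000, provenance: { verified: true },
  cacheIdentity: "sha512-constructedIdentity241", staticSignals: [],
};
const FRESH = {
  ...SETTLED, version: "2.4.2", publishedAt: "2026-05-09T12:00:00Z",
  cacheIdentity: "sha512-constructedIdentity242",
  staticSignals: [{ signal: "lifecycle-script", severity: "high", detail: "postinstall added in a patch release" }],
};
const REVIEW = {
  cacheIdentity: "sha512-constructedIdentity242", reviewer: "reviewer@example.com",
  reason: "setup script reviewed, benign", expires: "2026-05-17T00:00:00Z",
};

console.log(JSON.stringify(evaluate(SETTLED, { now: NOW }), null, 2));
console.log(JSON.stringify(evaluate(FRESH, { now: NOW, overrides: [REVIEW] }), null, 2));
```

Keying the override on the cache identity rather than on name@version is what makes the override trail trustworthy: a reviewer's approval covers exactly the bytes they looked at, and the clock passed in explicitly is what lets the same decision be replayed later during an audit.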
Start with the docs that match the job
Each guide is written for a concrete moment: trying the gateway, understanding policy, inspecting unknown repos, or preparing a deployment.
Quickstart
Run the gateway locally, route npm-compatible clients through it, and try Node Base safe mode.
CLI
Install the published CLI, configure endpoints and admin tokens, scan lockfiles, warm caches, and manage review workflows.
Anvil Registry
Understand metadata proxying, tarball rewriting, scoped upstreams, caching, analysis, and explain output.
Anvil Node Base
Use the hardened Node image for safe installs, observed installs, lifecycle reports, and strict-mode gates.
CI usage
Wire Registry decisions and Node Base reports into pull request and main branch dependency checks.