Private approved npm registry

Stop installing npm packages you haven't approved.

Securistry is the private, approved npm supply for your team — mirror, bake, review, install.

Signed binary · no npm required · open-core source


npm install is a trust call you make hundreds of times a day.

New versions appear minutes after publish. Lockfiles pin hashes but don't gate updates. Most teams have no buffer between an upstream maintainer being compromised and a build pulling the new version.

The compromise pattern is well-documented — and the blast radius is your entire dependency tree.

Direct from npm

npm registry → npm install

No gate. Any published version installs immediately.

Through Securistry

mirror
bake
review
approve
install

Your supply. Your policy. Your storage.

How it works

Four commands. Your first repo protected.

01

Install the CLI without npm.

Signed standalone binary. No npm, no PyPI, no chicken-and-egg.

curl -fsSL https://install.securistry.com | sh

02

Log in.

securistry login

Device-code OAuth in your browser. The CLI stores a short-lived credential in your user keychain — no tokens in repo files.

03

Initialize your repo.

securistry init

Detects npm, pnpm, Yarn, or Bun. Reads the lockfile, mirrors every locked version into Securistry storage, runs integrity and policy checks, writes .npmrc and .securistry.yml.

04

Install from your approved supply.

npm install

Resolves against https://npm.securistry.com/<your-org>/. New upstream versions don't reach this endpoint until they pass your bake window and policy.

Same flow for pnpm, Yarn, and Bun. CI uses a read-only token from securistry tokens create ci --read-only.

What changes

Four primitives. One approved supply.

Mirror. Approved tarballs live in storage you control — Securistry-hosted R2 or your own S3/R2 bucket. Installs don't depend on the public registry being healthy.
Bake. New upstream versions wait a configurable window — 24h default, 7d for critical packages — before becoming installable. The bake window is your buffer.
Approve. Deterministic checks run automatically — integrity, lifecycle scripts, maintainer changes, advisories, license. Anything ambiguous lands in a focused review queue, not a giant SCA dashboard.
Install. npm install works exactly the way it does today. The only thing that changed is what versions can resolve. Your team doesn't need to learn a new command.

For whom

Built for teams that ship from npm.

For developers

Same npm install. Same lockfile. Same package managers. The CLI installs outside the npm chain so it still works during an incident. Four commands to set up, nothing to change after.

npm, pnpm, Yarn, and Bun — all supported
Lockfile workflow unchanged
CLI is a signed binary, not a package

For security and engineering leads

A review queue scoped to versions your team actually uses — not the whole npm ecosystem. Audit log of every approval. Quarantine in one click when a package version turns malicious upstream.

Policy enforcement at the registry layer
Bake window as a configurable blast radius control
Audit log of every approval decision

Pricing

Billed by package versions, not installs.

Starter
$300/month

One team, one registry, npm.

  • 10 users
  • npm ecosystem
  • 2,500 approved versions
  • 250 GB delivery
  • 100 GB storage
  • Securistry-hosted storage
  • Email support
Start free

Growth (Popular)
$800/month

Larger teams, customer-owned storage, second ecosystem when available.

  • 50 users
  • npm + second ecosystem
  • 10,000 approved versions
  • 2 TB delivery
  • Customer-owned storage (R2/S3)
  • Slack & Jira integration
  • Priority support
Start free

Enterprise
Talk to us

Dedicated tenant, SSO, SIEM, custom retention.

  • Unlimited users
  • SSO / SAML
  • SIEM export
  • Dedicated tenant
  • Custom retention policy
  • Security review package
Talk to us

Billed by approved package versions and ecosystems, not by install count. No surprise bandwidth bills. See full pricing →

FAQ

Common questions.

Do I have to change my package manager?

No. npm, pnpm, Yarn, and Bun all keep working. We change the registry URL, not the tool. Your CI, your scripts, your muscle memory — all unchanged.

What if Securistry goes down?

Approved tarballs live in storage you control. You can switch your registry back to public npm in one config change. The CLI is a signed binary and doesn't depend on us being reachable to run local commands.

How is this different from Socket or Sonatype Firewall?

Those are install-time scanners. Securistry adds artifact custody and bake windows — your team installs from a mirror you own, not from a live upstream you don't.

What does “approved” mean — are you on the hook if something slips through?

Approved means it passed your org’s policy. We make it easier to set and enforce that policy and to roll back fast. We don’t make a security guarantee on your behalf.

What ecosystems are supported?

npm today. PyPI next. RubyGems, Maven, NuGet, and Go follow based on demand. We lead with npm because it’s where the blast radius is widest.

Can I self-host?

Securistry is hosted SaaS. The CLI and registry-compat slice are open-source so you can run smoke tests locally and verify behavior. A local gateway is on the roadmap if design partners ask for it.

Get started

Protect your first repo in under ten minutes.