curl -sSL https://repkg.io/bootstrap.sh | bash repkg mirror npm react npm config set registry http://localhost:4873 npm install react repkg verify --report RepKG – because your dependencies shouldn’t be a liability.
We are tired of fixing builds because a package vanished, or chasing CVEs that could have been caught at install time. RepKG is the tool we wished existed five years ago. curl -sSL https://repkg
Those are enterprise binary repositories. RepKG is focused on verifiability and offline reproducibility first , not RBAC or promotion workflows (though we may add those later). Those are enterprise binary repositories
Yes. Run repkg mirror against upstream registries yourself. The receipts are generated locally. Run repkg mirror against upstream registries yourself
"name": "lodash", "version": "4.17.21", "algorithm": "sha256", "digest": "d8e...f3a", "source": "registry": "npm", "upstream_url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", "fetched_at": "2025-02-10T12:34:56Z" , "signatures": [ "key": "repkg-mirror-01", "sig": "MEU..." , "key": "sigstore", "sig": "MEY..." ], "merkle_proof": "root=... path=...", "timestamp": "rfc3161-timestamp.der"
Initial sync is large. Use --depth shallow to mirror only direct dependencies of projects you actually use. 12. Final Words The software supply chain will never be perfectly secure. But it can be detectably insecure — and RepKG makes that detection automatic, local, and actionable.
