Skip to content

dependably/dependably-community

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
.config
.config
 
 
.github/workflows
.github/workflows
 
 
.husky
.husky
 
 
.zap
.zap
 
 
brand
brand
 
 
build
build
 
 
i18n
i18n
 
 
skills
skills
 
 
src/Dependably
src/Dependably
 
 
tests
tests
 
 
web
web
 
 
.dockerignore
.dockerignore
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
.snyk
.snyk
 
 
.trufflehog-exclude
.trufflehog-exclude
 
 
CLAUDE.md
CLAUDE.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
DESIGN.md
DESIGN.md
 
 
Dependably.sln
Dependably.sln
 
 
Directory.Build.props
Directory.Build.props
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
coverlet.runsettings
coverlet.runsettings
 
 
docker-compose.yml
docker-compose.yml
 
 
nuget.config
nuget.config
 
 
renovate.json
renovate.json
 
 

Repository files navigation

Dependably

Self-hosted private artifact repository for npm, PyPI, and NuGet.

Every package your team pulls from the internet is a supply chain risk. Dependably sits between your developers and the public registries, caching what they pull, verifying checksums, blocking packages that don't belong, and giving you a full audit trail — without requiring a cloud account or a per-seat licence.

Features

  • Proxy cache — pull-through cache for npm, PyPI, and NuGet; verified by SHA-256 before storage, served locally on every subsequent request
  • Supply chain tracking — first-fetch detection, per-version checksum verification, CycloneDX 1.5 SBOM generation
  • Allowlisting — per-org PURL pattern allowlists to restrict which packages can be fetched or pushed
  • Multitenancy — multiple orgs, scoped tokens, role-based access, full org isolation
  • Retention policies — configurable keep-versions and keep-days per org
  • Single binary — self-contained Alpine Docker image; SQLite metadata; local, S3, or Azure blob storage

Quick start

docker run -d \
  --name dependably \
  -p 8080:8080 \
  -v dependably-data:/data \
  -e BASE_URL=http://localhost:8080 \
  ghcr.io/dependably/dependably:latest

On first boot, Dependably prints the admin credentials to stdout:

============================================================
  DEPENDABLY FIRST BOOT — SAVE THESE CREDENTIALS
============================================================
  Email   : admin@dependably.local
  Password: <generated>
============================================================

Log in at http://localhost:8080 to change the password and create your first org.

docker-compose

services:
  dependably:
    image: ghcr.io/dependably/dependably:latest
    ports:
      - "8080:8080"
    volumes:
      - dependably-data:/data
    environment:
      BASE_URL: https://dependably.example.com
      DEFAULT_ORG_SLUG: default

volumes:
  dependably-data:

Configuring package managers

All registry URLs follow the pattern /o/{org-slug}/{ecosystem}/. The short aliases /simple/, /npm/, and /nuget/ redirect to the default org.

Generate a service token or user token from the web UI, then point your tools at Dependably.

More setup recipes: see skills/ for copy-pasteable project-level and global config recipes for npm, PyPI (pip / Poetry / uv), and NuGet — including the gotchas for plain-HTTP self-hosted deployments.

pip / pip.conf

[global]
index-url = https://user:<token>@dependably.example.com/o/my-org/simple/

Publishing with twine:

twine upload \
  --repository-url https://dependably.example.com/o/my-org/pypi/legacy/ \
  -u user -p <token> \
  dist/*

npm / .npmrc

registry=https://dependably.example.com/o/my-org/npm/
//dependably.example.com/o/my-org/npm/:_authToken=<token>
npm publish --registry https://dependably.example.com/o/my-org/npm/

Verify connectivity and credentials before installing anything:

npm ping     # exits 0 when Dependably is reachable
npm whoami   # prints the token owner's email (or `service:<name>` for service tokens)

NuGet / nuget.config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="dependably" value="https://dependably.example.com/o/my-org/nuget/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <dependably>
      <add key="Username" value="user" />
      <add key="ClearTextPassword" value="<token>" />
    </dependably>
  </packageSourceCredentials>
</configuration>
dotnet nuget push MyPackage.1.0.0.nupkg \
  --source https://dependably.example.com/o/my-org/nuget/v3/index.json \
  --api-key <token>

Health probes

GET /health             → 200 OK (process is running)
GET /ready              → 200 OK when database is reachable, 503 otherwise
GET /api/v1/licenses    → third-party attribution data (CycloneDX subset)

Architecture

API

  • API surface — full listing of every HTTP route, generated from controller route attributes (CI-guarded)

Deployment

  • High-availability — multi-replica topologies, SQLite vs Postgres trade-offs, per-write-path leader requirements
  • Transparent intercept — pretending to be registry.npmjs.org/pypi.org/api.nuget.org so stock clients pass through Dependably without config changes

Contributing

See CONTRIBUTING.md for build instructions, environment variable reference, architecture notes, and the security model.

See SECURITY.md for vulnerability reporting.

License

Licensed under the Apache License, Version 2.0.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

12 tags

Packages

 
 
 

Contributors

Languages