Repkg [upd] May 2026

Those are enterprise binary repositories. RepKG is focused on verifiability and offline reproducibility first , not RBAC or promotion workflows (though we may add those later).

"name": "lodash", "version": "4.17.21", "algorithm": "sha256", "digest": "d8e...f3a", "source": "registry": "npm", "upstream_url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", "fetched_at": "2025-02-10T12:34:56Z" , "signatures": [ "key": "repkg-mirror-01", "sig": "MEU..." , "key": "sigstore", "sig": "MEY..." ], "merkle_proof": "root=... path=...", "timestamp": "rfc3161-timestamp.der" Those are enterprise binary repositories

We are tired of fixing builds because a package vanished, or chasing CVEs that could have been caught at install time. RepKG is the tool we wished existed five years ago. Run repkg mirror against upstream registries yourself

Yes. Run repkg mirror against upstream registries yourself. The receipts are generated locally. "source": "registry": "npm"

curl -sSL https://repkg.io/bootstrap.sh | bash repkg mirror npm react npm config set registry http://localhost:4873 npm install react repkg verify --report RepKG – because your dependencies shouldn’t be a liability.

Initial sync is large. Use --depth shallow to mirror only direct dependencies of projects you actually use. 12. Final Words The software supply chain will never be perfectly secure. But it can be detectably insecure — and RepKG makes that detection automatic, local, and actionable.

Follow us on social media

Sign up to the ArtReview newsletters

Country

© 2026 Pioneer Junction

We use cookies to understand how you use our site and to improve your experience. This includes personalizing content. By continuing to use our site, you accept our use of cookies, revised Privacy.

arrow-leftarrow-rightblueskyarrow-downfacebookfullscreen-offfullscreeninstagramlinkedinlistloupepauseplaysound-offsound-onthreadstwitterwechatx