explaingit

fenkohq/foxymirror

Analysis updated 2026-05-18

2TypeScriptAudience · developerComplexity · 3/5Setup · moderate

TLDR

A self-hosted Cloudflare Worker that quarantines newly published npm and PyPI package versions for a set number of days to block supply-chain attacks.

Mindmap

mindmap
  root((foxymirror))
    What it does
      Quarantines new releases
      Blocks with HTTP 451
      Stops supply chain attacks
    Tech stack
      TypeScript
      Cloudflare Workers
      Wrangler
    Use cases
      npm proxy
      PyPI proxy
      CI CD protection
    Audience
      Developers
      Security teams

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Quarantine newly published npm or PyPI releases for a configurable number of days before your team can install them

USE CASE 2

Protect a CI/CD pipeline from a malicious package version published minutes ago

USE CASE 3

Route npm, pip, uv, Yarn, or Poetry installs through a self-hosted safety proxy on Cloudflare's edge

What is it built with?

TypeScriptCloudflare WorkersWrangler

How does it compare?

fenkohq/foxymirrorarashthr/hugo-flowargeneau12e/kairos-tx
Stars222
LanguageTypeScriptTypeScriptTypeScript
Setup difficultymoderatemoderatehard
Complexity3/53/54/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

You deploy your own Cloudflare Worker via Wrangler before it works.

In plain English

foxymirror is a security-focused proxy for the npm and PyPI package registries that protects developers from supply-chain attacks by holding back newly published releases for a quarantine period. When someone installs a package through foxymirror, any release younger than 7 days (configurable) is hidden and returns an HTTP 451 response. The idea is that if an attacker slips a malicious version into a popular package, the developer community has a week to notice and flag it before your installs would pick it up. The proxy runs as a single Cloudflare Worker, serverless code on Cloudflare's edge network. For npm packages, it filters the list of available versions and rewrites the "latest" tag to the newest release that has cleared the quarantine window. For PyPI (the Python package registry), it supports both the modern PEP 691 JSON index and the older HTML simple index. File downloads stream through unchanged, but the proxy re-checks quarantine status on every file request, so guessing a direct URL for a quarantined version still returns HTTP 451. Upstream integrity hashes, the checksums publishers attach to their releases, are passed through unmodified, so your package manager still verifies downloads against the original publisher's hash. You deploy foxymirror yourself on your own Cloudflare account using Wrangler, Cloudflare's deployment tool. The free tier covers 100k requests per day, enough for a solo developer or small team. You then point your package managers, npm, pip, uv, Yarn, Poetry, and others, at your worker URL to route installs through the quarantine. The full README is longer than what was provided.

Copy-paste prompts

Prompt 1
Help me deploy foxymirror to my own Cloudflare account using Wrangler.
Prompt 2
Show me how to point npm and pip at a foxymirror worker URL to quarantine new releases.
Prompt 3
Explain how foxymirror blocks a package release younger than 7 days with an HTTP 451 response.
Prompt 4
Walk me through configuring the quarantine window length in foxymirror.

Frequently asked questions

What is foxymirror?

A self-hosted Cloudflare Worker that quarantines newly published npm and PyPI package versions for a set number of days to block supply-chain attacks.

What language is foxymirror written in?

Mainly TypeScript. The stack also includes TypeScript, Cloudflare Workers, Wrangler.

How hard is foxymirror to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is foxymirror for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.