Analysis updated 2026-05-18
Quarantine newly published npm or PyPI releases for a configurable number of days before your team can install them
Protect a CI/CD pipeline from a malicious package version published minutes ago
Route npm, pip, uv, Yarn, or Poetry installs through a self-hosted safety proxy on Cloudflare's edge
| fenkohq/foxymirror | arashthr/hugo-flow | argeneau12e/kairos-tx | |
|---|---|---|---|
| Stars | 2 | 2 | 2 |
| Language | TypeScript | TypeScript | TypeScript |
| Setup difficulty | moderate | moderate | hard |
| Complexity | 3/5 | 3/5 | 4/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
You deploy your own Cloudflare Worker via Wrangler before it works.
foxymirror is a security-focused proxy for the npm and PyPI package registries that protects developers from supply-chain attacks by holding back newly published releases for a quarantine period. When someone installs a package through foxymirror, any release younger than 7 days (configurable) is hidden and returns an HTTP 451 response. The idea is that if an attacker slips a malicious version into a popular package, the developer community has a week to notice and flag it before your installs would pick it up. The proxy runs as a single Cloudflare Worker, serverless code on Cloudflare's edge network. For npm packages, it filters the list of available versions and rewrites the "latest" tag to the newest release that has cleared the quarantine window. For PyPI (the Python package registry), it supports both the modern PEP 691 JSON index and the older HTML simple index. File downloads stream through unchanged, but the proxy re-checks quarantine status on every file request, so guessing a direct URL for a quarantined version still returns HTTP 451. Upstream integrity hashes, the checksums publishers attach to their releases, are passed through unmodified, so your package manager still verifies downloads against the original publisher's hash. You deploy foxymirror yourself on your own Cloudflare account using Wrangler, Cloudflare's deployment tool. The free tier covers 100k requests per day, enough for a solo developer or small team. You then point your package managers, npm, pip, uv, Yarn, Poetry, and others, at your worker URL to route installs through the quarantine. The full README is longer than what was provided.
A self-hosted Cloudflare Worker that quarantines newly published npm and PyPI package versions for a set number of days to block supply-chain attacks.
Mainly TypeScript. The stack also includes TypeScript, Cloudflare Workers, Wrangler.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.