Open-source package firewall
Install-time enforcement for npm, PyPI, Cargo, and Go modules.
Herot is an HTTP proxy that sits between package managers and public registries. It checks each requested version against a signed policy bundle and rejects blocked versions before the tarball is downloaded.
Pre-1.0, active development
$ npm install eslint-scope@3.7.2
npm error code E403
npm error 403 Forbidden - GET https://registry.acme.com/eslint-scope/-/eslint-scope-3.7.2.tgz
npm error 403 {"decision":"block","reason":"compromised release; exfiltrates npm credentials","remediation":{"request_exception_url":"https://dashboard.acme.com/exceptions/new?package=eslint-scope&version=3.7.2&ecosystem=npm"}}
npm error 403 In most cases, you or one of your dependencies are requesting
npm error 403 a package version that is forbidden by your registry.
npm error A complete log of this run can be found in:
npm error /home/alex/.npm/_logs/2026-05-17T08_47_31_104Z-debug-0.log
Block evaluation
Herot does not produce vulnerability verdicts. Verdicts come from the OSV mirror, the OSSF malicious-packages feed, and in-house analysis submitted to the control plane. They are compiled into a signed policy bundle.
The proxy reads the policy bundle from disk. On each install request it matches the requested ecosystem, package, and version against the bundle. A match returns an HTTP 403 with the decision, reason, and a remediation URL. The tarball is not fetched.
The same evaluation runs for all four ecosystems. npm appears in most examples because install-time scripts make the problem easiest to demonstrate.
Dry-run mode
You can evaluate impact without routing production installs through the proxy. Dry-run mode reads existing CI logs, package-manager output, or dependency snapshots.
The output is a report. It shows which versions would be allowed, blocked, or held for review. It lists the packages that run install scripts. It names the repos and jobs that enforcement would affect.
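The two sections above describe one matching step (ecosystem, package, version against the bundle, 403 with decision metadata on a hit) and one consumer of it (a dry-run report over existing lockfiles or install logs). The script below is an added example, not Herot's own code: the bundle layout, rule ids, the "*" wildcard and the `@acme/build-helper` and `example-typosquat` packages are constructed assumptions, and only the 403 body and the exception URL follow the page. It generalizes the dry-run input to two sources, a package-lock.json v3 fragment (where `hasInstallScript` is a real lockfile field) and verbose npm fetch lines.

```python
"""Policy-bundle evaluation and dry-run report (added example; not Herot's own code)."""
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlencode

EXCEPTION_URL = "https://dashboard.acme.com/exceptions/new"  # base of the remediation URL in the 403 above

# Constructed bundle. The rule fields are an assumption about the real bundle format;
# "*" in versions means every version of the package is covered.
POLICY_BUNDLE = {
    "seq": 42,
    "rules": [
        {"id": "rule-001", "ecosystem": "npm", "package": "eslint-scope", "versions": ["3.7.2"],
         "decision": "block", "reason": "compromised release; exfiltrates npm credentials",
         "evidence": ["OSSF malicious-packages feed"]},
        {"id": "rule-002", "ecosystem": "pypi", "package": "example-typosquat", "versions": ["*"],
         "decision": "block", "reason": "constructed typosquat; no legitimate version exists",
         "evidence": ["in-house analysis"]},
        {"id": "rule-003", "ecosystem": "npm", "package": "@acme/build-helper", "versions": ["2.0.0"],
         "decision": "hold", "reason": "constructed example: new maintainer, awaiting operator review",
         "evidence": ["in-house analysis"]},
    ],
}


def evaluate(ecosystem, package, version, bundle=POLICY_BUNDLE, now=None):
    """Match one requested version against the bundle and return the decision record."""
    now = now or datetime.now(timezone.utc)
    for rule in bundle["rules"]:
        if rule["ecosystem"] != ecosystem or rule["package"] != package:
            continue
        if "*" in rule["versions"] or version in rule["versions"]:
            exception_url = EXCEPTION_URL + "?" + urlencode(
                {"package": package, "version": version, "ecosystem": ecosystem})
            return {"decision": rule["decision"], "reason": rule["reason"],
                    "ecosystem": ecosystem, "package": package, "version": version,
                    "policy": rule["id"], "evidence": rule["evidence"],
                    "decided_at": now.isoformat(),
                    "remediation": {"request_exception_url": exception_url}}
    return {"decision": "allow", "ecosystem": ecosystem, "package": package, "version": version}


def proxy_response(verdict):
    """What the proxy answers: (200, None) means fetch the tarball; anything else is a 403 body."""
    if verdict["decision"] == "allow":
        return 200, None
    return 403, json.dumps(verdict)


# --- dry-run inputs: a lockfile snapshot and verbose npm output (both constructed) ---

SAMPLE_LOCK = {  # package-lock.json v3 fragment; hasInstallScript is a real lockfile field
    "name": "web-frontend", "lockfileVersion": 3,
    "packages": {
        "": {"name": "web-frontend", "version": "1.0.0"},
        "node_modules/eslint-scope": {"version": "3.7.2", "hasInstallScript": True},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@acme/build-helper": {"version": "2.0.0"},
        "node_modules/esbuild": {"version": "0.21.0", "hasInstallScript": True},
    },
}

SAMPLE_LOG = [  # lines in the style of `npm install --loglevel http` output
    "npm http fetch GET 200 https://registry.acme.com/eslint-scope/-/eslint-scope-3.7.2.tgz 141ms",
    "npm http fetch GET 200 https://registry.acme.com/@acme/build-helper/-/build-helper-2.0.0.tgz 98ms",
    "npm info run esbuild@0.21.0 postinstall node_modules/esbuild node install.js",
]

NPM_FETCH = re.compile(r"npm http fetch GET \d{3} (?P<url>https?://\S+\.tgz)")


def parse_lockfile(lock):
    """Yield (name, version, has_install_script) for every installed package in a v2/v3 lockfile."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        yield path.rsplit("node_modules/", 1)[-1], meta["version"], bool(meta.get("hasInstallScript"))


def parse_npm_log(lines):
    """Yield (name, version, None) from tarball fetches in npm http logs; script info is unknown here."""
    for line in lines:
        m = NPM_FETCH.search(line)
        if not m:
            continue
        path = m.group("url").split("://", 1)[1].split("/", 1)[1]   # strip scheme and host
        name, _, filename = path.partition("/-/")                   # "@scope/name" or "name"
        unscoped = name.rsplit("/", 1)[-1]                          # tarball is <unscoped>-<version>.tgz
        yield name, filename[len(unscoped) + 1:-len(".tgz")], None


def dry_run(entries, ecosystem="npm"):
    """Group what enforcement would do, plus the packages that run install scripts."""
    report = {"allow": [], "block": [], "hold": [], "install_scripts": []}
    for name, version, has_script in entries:
        verdict = evaluate(ecosystem, name, version)
        report[verdict["decision"]].append(f"{name}@{version}")
        if has_script:
            report["install_scripts"].append(f"{name}@{version}")
    return report


if __name__ == "__main__":
    print(json.dumps(dry_run(parse_lockfile(SAMPLE_LOCK)), indent=2))
    print(json.dumps(dry_run(parse_npm_log(SAMPLE_LOG)), indent=2))
```

The lockfile path is the more useful dry-run input: it is exact about versions and carries the install-script flag, whereas fetch logs only reveal which tarballs were downloaded, so the report from logs lists no install scripts.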
Supporting controls
Blocking is the core. The controls below cover rollout and operations.
Centralised block list
A single decision propagates to every proxy on the next bundle pull. The default pull interval is 60 seconds.
Verdict ingestion
OSV.dev and the OSSF malicious-packages feed are mirrored on a loop. In-house verdicts can be submitted to the control plane. All sources compile into the next signed bundle.
Install-script policy
The proxy inspects install scripts. The policy can block the version, or strip the scripts before the download completes.
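How "inspect" and "strip" can work on an npm tarball in transit, as an added example that is not Herot's code: the manifest, the `example-pkg` name and its scripts are constructed, and the three hook names are the npm lifecycle scripts that run during `npm install`. The tarball is built in memory so the example runs offline.

```python
"""Inspect and strip npm install hooks from a tarball in transit (added example)."""
import io
import json
import tarfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # run by npm during install

# Constructed manifest: one install hook plus an ordinary script that must survive stripping.
SAMPLE_MANIFEST = {
    "name": "example-pkg", "version": "1.2.3",
    "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
}


def build_tarball(package_json, extra_files=None):
    """Constructed helper: produce an npm-style gzipped tarball with files under package/."""
    buf = io.BytesIO()
    files = {"package/package.json": json.dumps(package_json).encode()}
    files.update(extra_files or {})
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_manifest(tarball):
    """Return the parsed package/package.json from the tarball."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        return json.load(tar.extractfile("package/package.json"))


def inspect_install_scripts(tarball):
    """Return the install hooks the package declares, keyed by hook name."""
    scripts = read_manifest(tarball).get("scripts", {})
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def strip_install_scripts(tarball):
    """Rewrite the tarball with install hooks removed; return (new_tarball, removed_hooks)."""
    removed, out = {}, io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as src, \
         tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src:
            data = src.extractfile(member).read() if member.isfile() else None
            if member.name == "package/package.json":
                manifest = json.loads(data)
                scripts = manifest.get("scripts", {})
                removed = {hook: scripts.pop(hook) for hook in INSTALL_HOOKS if hook in scripts}
                data = json.dumps(manifest, indent=2).encode()
                member.size = len(data)  # header must match the rewritten payload
            dst.addfile(member, io.BytesIO(data) if data is not None else None)
    return out.getvalue(), removed


def apply_policy(tarball, action):
    """Policy for a version with install hooks: 'block' -> 403, 'strip' -> 200 with a clean tarball."""
    if not inspect_install_scripts(tarball):
        return 200, tarball
    if action == "block":
        return 403, None
    stripped, _ = strip_install_scripts(tarball)
    return 200, stripped


if __name__ == "__main__":
    original = build_tarball(SAMPLE_MANIFEST)
    print("hooks:", inspect_install_scripts(original))
    status, cleaned = apply_policy(original, "strip")
    print(status, read_manifest(cleaned)["scripts"])
```

One caveat to weigh when choosing between the two actions: stripping rewrites the tarball, so its content hash changes, and a lockfile that pins an `integrity` value for that version will fail verification on the client. Blocking leaves the artifact untouched and is simpler to reason about.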
Quarantine state
The policy can hold a version in quarantine. Installs fail until an operator approves the version or updates the policy.
Decision metadata
Block responses include the package, the version, the matched policy, the evidence, the decision timestamp, and a remediation URL for requesting an exception.
Local enforcement
The proxy reads the signed bundle from local disk. Control-plane outages do not stop installs. The last known-good bundle stays in effect.
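What "last known-good bundle stays in effect" requires of the loader, as an added example that is not Herot's code: every pull is accepted only if it verifies and is newer than the active bundle, and the file on disk is replaced atomically so a restart reloads a consistent copy. The signature scheme is an assumption (an HMAC-SHA256 tag with a shared key stands in for the real signature), as is the monotonic `seq` field used to refuse rolled-back bundles; the envelope file layout is constructed.

```python
"""Signed-bundle loading with last-known-good fallback (added example; not Herot's code)."""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Optional


# Assumption: an HMAC-SHA256 tag stands in for the real bundle signature scheme.
def sign_bundle(key, bundle):
    return hmac.new(key, bundle, hashlib.sha256).hexdigest()


def verify_bundle(key, bundle, tag):
    return hmac.compare_digest(sign_bundle(key, bundle), tag)


class BundleStore:
    """Holds the active policy bundle; the proxy evaluates requests against self.bundle."""

    def __init__(self, key, path):
        self.key, self.path = key, path
        self.bundle = None  # parsed last known-good bundle, or None before the first load

    def load_from_disk(self):
        """Start-up path: read the envelope from disk and accept it only if the tag verifies."""
        try:
            with open(self.path) as f:
                envelope = json.load(f)
        except (OSError, ValueError):
            return False
        raw = envelope["payload"].encode()
        if not verify_bundle(self.key, raw, envelope["sig"]):
            return False
        self.bundle = json.loads(raw)
        return True

    def try_update(self, fetched: Optional[bytes], tag: Optional[str]):
        """One pull cycle. Returns 'updated' or 'kept: <why>'; the active bundle never regresses."""
        if fetched is None:
            return "kept: control plane unreachable"
        if tag is None or not verify_bundle(self.key, fetched, tag):
            return "kept: signature invalid"
        new = json.loads(fetched)
        # Assumption: bundles carry a monotonic seq; an older seq is a replay or rollback.
        if self.bundle is not None and new["seq"] <= self.bundle["seq"]:
            return f"kept: seq {new['seq']} not newer than {self.bundle['seq']}"
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:  # payload kept as the exact signed text
            json.dump({"payload": fetched.decode(), "sig": tag}, f)
        os.replace(tmp, self.path)  # atomic swap: disk never holds a half-written bundle
        self.bundle = new
        return "updated"


def simulate():
    """Constructed walkthrough: good bundle, outage, tampered pull, rollback, newer bundle, restart."""
    key = b"constructed-demo-key"
    rule = {"ecosystem": "npm", "package": "eslint-scope", "versions": ["3.7.2"], "decision": "block"}
    bundle0 = json.dumps({"seq": 0, "rules": []}).encode()
    bundle1 = json.dumps({"seq": 1, "rules": [rule]}).encode()
    bundle2 = json.dumps({"seq": 2, "rules": [rule, {**rule, "package": "example-pkg"}]}).encode()
    with tempfile.TemporaryDirectory() as d:
        store = BundleStore(key, os.path.join(d, "policy.bundle"))
        outcomes = [
            store.load_from_disk(),                                         # False: nothing on disk
            store.try_update(bundle1, sign_bundle(key, bundle1)),           # updated
            store.try_update(None, None),                                   # kept: outage
            store.try_update(bundle2 + b" ", sign_bundle(key, bundle2)),    # kept: tampered bytes
            store.try_update(bundle0, sign_bundle(key, bundle0)),           # kept: rollback
            store.try_update(bundle2, sign_bundle(key, bundle2)),           # updated
        ]
        restarted = BundleStore(key, store.path)  # proxy restart reloads the last known-good copy
        reloaded = restarted.load_from_disk()
        return {"outcomes": outcomes, "reloaded": reloaded, "active_seq": restarted.bundle["seq"]}


if __name__ == "__main__":
    print(json.dumps(simulate(), indent=2))
```

The proxy's request path only ever reads `self.bundle`, so a failed or missing pull changes nothing for installs; what it does cost is freshness, which is why the pull interval and the age of the active bundle are worth alerting on separately from control-plane reachability.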