Repkg: __top__

Those are enterprise binary repositories. RepKG is focused on verifiability and offline reproducibility first , not RBAC or promotion workflows (though we may add those later).

curl -sSL https://repkg.io/bootstrap.sh | bash repkg mirror npm react npm config set registry http://localhost:4873 npm install react repkg verify --report RepKG – because your dependencies shouldn’t be a liability. Those are enterprise binary repositories

Yes. Run repkg mirror against upstream registries yourself. The receipts are generated locally. Initial sync is large

Initial sync is large. Use --depth shallow to mirror only direct dependencies of projects you actually use. 12. Final Words The software supply chain will never be perfectly secure. But it can be detectably insecure — and RepKG makes that detection automatic, local, and actionable. and actionable. "name": "lodash"

"name": "lodash", "version": "4.17.21", "algorithm": "sha256", "digest": "d8e...f3a", "source": "registry": "npm", "upstream_url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", "fetched_at": "2025-02-10T12:34:56Z" , "signatures": [ "key": "repkg-mirror-01", "sig": "MEU..." , "key": "sigstore", "sig": "MEY..." ], "merkle_proof": "root=... path=...", "timestamp": "rfc3161-timestamp.der"