pkg-proxy/config.example.yaml

# Proxy server configuration
# Copy to config.yaml and modify as needed

# Server listen address
listen: ":8080"

# Public URL where this proxy is accessible
# Used for rewriting package metadata URLs
base_url: "http://localhost:8080"

# Artifact storage configuration
storage:
  # Storage backend URL
  # Supported schemes:
  #   - file:///path/to/dir - Local filesystem (default)
  #   - s3://bucket-name - Amazon S3
  #   - s3://bucket?endpoint=http://localhost:9000 - S3-compatible (MinIO)
  #
  # For S3, configure credentials via environment variables:
  #   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION
  url: ""

  # Local filesystem path (used when url is empty)
  # Deprecated: Use url with file:// scheme instead
  path: "./cache/artifacts"

  # Maximum cache size (e.g., "10GB", "500MB")
  # When exceeded, least recently used artifacts are evicted
  # Empty or "0" means unlimited
  max_size: ""

# Database configuration
database:
  # Database driver: "sqlite" (default) or "postgres"
  driver: "sqlite"

  # SQLite database file path (used when driver is "sqlite")
  path: "./cache/proxy.db"

  # PostgreSQL connection URL (used when driver is "postgres")
  # Example: "postgres://user:password@localhost:5432/proxy?sslmode=disable"
  url: ""

# Logging configuration
log:
  # Minimum log level: "debug", "info", "warn", "error"
  level: "info"

  # Log format: "text" or "json"
  format: "text"

# Upstream registry URLs and authentication
upstream:
  # npm registry URL
  npm: "https://registry.npmjs.org"

  # Cargo sparse index URL
  cargo: "https://index.crates.io"

  # Cargo crate download URL
  cargo_download: "https://static.crates.io/crates"

  # Authentication for upstream registries
  # Keys are URL prefixes matched against request URLs.
  # Values can reference environment variables using ${VAR_NAME} syntax.
  #
  # Supported auth types:
  #   - bearer: Authorization header with Bearer token
  #   - basic: Authorization header with Basic auth (username:password)
  #   - header: Custom header name and value
  auth:
    # Example: npm with bearer token
    # "https://registry.npmjs.org":
    #   type: bearer
    #   token: "${NPM_TOKEN}"

    # Example: GitHub npm registry
    # "https://npm.pkg.github.com":
    #   type: bearer
    #   token: "${GITHUB_TOKEN}"

    # Example: PyPI with basic auth
    # "https://pypi.org":
    #   type: basic
    #   username: "__token__"
    #   password: "${PYPI_TOKEN}"

    # Example: Custom header for private registry
    # "https://maven.mycompany.com":
    #   type: header
    #   header_name: "X-Auth-Token"
    #   header_value: "${MAVEN_TOKEN}"

# Version cooldown configuration
# Hides package versions published too recently, giving the community time
# to spot malicious releases before they're pulled into projects.
# Supported durations: "7d" (days), "48h" (hours), "30m" (minutes), "0" (disabled)
cooldown:
  # Global default cooldown for all ecosystems
  # default: "3d"

  # Per-ecosystem overrides
  # ecosystems:
  #   npm: "7d"
  #   cargo: "0"

  # Per-package overrides (keyed by PURL)
  # packages:
  #   "pkg:npm/lodash": "0"
  #   "pkg:npm/@babel/core": "14d"
Add sqlx with SQLite default and PostgreSQL option Replace raw database/sql with jmoiron/sqlx for cleaner query handling. Support both SQLite (default) and PostgreSQL as configurable backends. Configuration via: - CLI flags: -database-driver, -database-path, -database-url - Environment: PROXY_DATABASE_DRIVER, PROXY_DATABASE_PATH, PROXY_DATABASE_URL - Config file: database.driver, database.path, database.url Tests run against both databases when PROXY_DATABASE_URL is set. 2026-01-29 16:06:56 +00:00			`# Proxy server configuration`
			`# Copy to config.yaml and modify as needed`

			`# Server listen address`
			`listen: ":8080"`

			`# Public URL where this proxy is accessible`
			`# Used for rewriting package metadata URLs`
			`base_url: "http://localhost:8080"`

			`# Artifact storage configuration`
			`storage:`
Add gocloud.dev/blob for S3 and filesystem storage Replace custom filesystem storage with gocloud.dev/blob for unified storage backend support. Supported backends: - file:///path/to/dir - Local filesystem (default) - s3://bucket-name - Amazon S3 - s3://bucket?endpoint=http://localhost:9000 - S3-compatible (MinIO) Configuration via: - CLI flag: -storage-url - Environment: PROXY_STORAGE_URL - Config file: storage.url The old storage.path config is deprecated but still supported. 2026-01-29 16:13:16 +00:00			`# Storage backend URL`
			`# Supported schemes:`
			`# - file:///path/to/dir - Local filesystem (default)`
			`# - s3://bucket-name - Amazon S3`
			`# - s3://bucket?endpoint=http://localhost:9000 - S3-compatible (MinIO)`
			`#`
			`# For S3, configure credentials via environment variables:`
			`# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION`
			`url: ""`

			`# Local filesystem path (used when url is empty)`
			`# Deprecated: Use url with file:// scheme instead`
Add sqlx with SQLite default and PostgreSQL option Replace raw database/sql with jmoiron/sqlx for cleaner query handling. Support both SQLite (default) and PostgreSQL as configurable backends. Configuration via: - CLI flags: -database-driver, -database-path, -database-url - Environment: PROXY_DATABASE_DRIVER, PROXY_DATABASE_PATH, PROXY_DATABASE_URL - Config file: database.driver, database.path, database.url Tests run against both databases when PROXY_DATABASE_URL is set. 2026-01-29 16:06:56 +00:00			`path: "./cache/artifacts"`

			`# Maximum cache size (e.g., "10GB", "500MB")`
			`# When exceeded, least recently used artifacts are evicted`
			`# Empty or "0" means unlimited`
			`max_size: ""`

			`# Database configuration`
			`database:`
			`# Database driver: "sqlite" (default) or "postgres"`
			`driver: "sqlite"`

			`# SQLite database file path (used when driver is "sqlite")`
			`path: "./cache/proxy.db"`

			`# PostgreSQL connection URL (used when driver is "postgres")`
			`# Example: "postgres://user:password@localhost:5432/proxy?sslmode=disable"`
			`url: ""`

			`# Logging configuration`
			`log:`
			`# Minimum log level: "debug", "info", "warn", "error"`
			`level: "info"`

			`# Log format: "text" or "json"`
			`format: "text"`

Add auth pass-through for upstream registries Configure authentication per URL prefix in config: upstream: auth: "https://registry.npmjs.org": type: bearer token: "${NPM_TOKEN}" Supports bearer tokens, basic auth, and custom headers. Credentials can reference environment variables with ${VAR_NAME} syntax. The longest matching URL prefix wins when multiple patterns match. 2026-01-29 16:33:09 +00:00			`# Upstream registry URLs and authentication`
Add sqlx with SQLite default and PostgreSQL option Replace raw database/sql with jmoiron/sqlx for cleaner query handling. Support both SQLite (default) and PostgreSQL as configurable backends. Configuration via: - CLI flags: -database-driver, -database-path, -database-url - Environment: PROXY_DATABASE_DRIVER, PROXY_DATABASE_PATH, PROXY_DATABASE_URL - Config file: database.driver, database.path, database.url Tests run against both databases when PROXY_DATABASE_URL is set. 2026-01-29 16:06:56 +00:00			`upstream:`
			`# npm registry URL`
			`npm: "https://registry.npmjs.org"`

			`# Cargo sparse index URL`
			`cargo: "https://index.crates.io"`

			`# Cargo crate download URL`
			`cargo_download: "https://static.crates.io/crates"`
Add auth pass-through for upstream registries Configure authentication per URL prefix in config: upstream: auth: "https://registry.npmjs.org": type: bearer token: "${NPM_TOKEN}" Supports bearer tokens, basic auth, and custom headers. Credentials can reference environment variables with ${VAR_NAME} syntax. The longest matching URL prefix wins when multiple patterns match. 2026-01-29 16:33:09 +00:00
			`# Authentication for upstream registries`
			`# Keys are URL prefixes matched against request URLs.`
			`# Values can reference environment variables using ${VAR_NAME} syntax.`
			`#`
			`# Supported auth types:`
			`# - bearer: Authorization header with Bearer token`
			`# - basic: Authorization header with Basic auth (username:password)`
			`# - header: Custom header name and value`
			`auth:`
			`# Example: npm with bearer token`
			`# "https://registry.npmjs.org":`
			`# type: bearer`
			`# token: "${NPM_TOKEN}"`

			`# Example: GitHub npm registry`
			`# "https://npm.pkg.github.com":`
			`# type: bearer`
			`# token: "${GITHUB_TOKEN}"`

			`# Example: PyPI with basic auth`
			`# "https://pypi.org":`
			`# type: basic`
			`# username: "__token__"`
			`# password: "${PYPI_TOKEN}"`

			`# Example: Custom header for private registry`
			`# "https://maven.mycompany.com":`
			`# type: header`
			`# header_name: "X-Auth-Token"`
			`# header_value: "${MAVEN_TOKEN}"`
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer. 2026-03-04 19:00:31 +00:00
			`# Version cooldown configuration`
			`# Hides package versions published too recently, giving the community time`
			`# to spot malicious releases before they're pulled into projects.`
			`# Supported durations: "7d" (days), "48h" (hours), "30m" (minutes), "0" (disabled)`
			`cooldown:`
			`# Global default cooldown for all ecosystems`
			`# default: "3d"`

			`# Per-ecosystem overrides`
			`# ecosystems:`
			`# npm: "7d"`
			`# cargo: "0"`

			`# Per-package overrides (keyed by PURL)`
			`# packages:`
			`# "pkg:npm/lodash": "0"`
			`# "pkg:npm/@babel/core": "14d"`