NOW OPEN: BAM Rose Cinemas at BAM KBH! Our new state-of-the-art screens are located at 10 Lafayette Ave, just steps away from the Peter Jay Sharp Building.

Repkg May 2026

Initial sync is large. Use --depth shallow to mirror only direct dependencies of projects you actually use. 12. Final Words The software supply chain will never be perfectly secure. But it can be detectably insecure — and RepKG makes that detection automatic, local, and actionable.

curl -sSL https://repkg.io/bootstrap.sh | bash repkg mirror npm react npm config set registry http://localhost:4873 npm install react repkg verify --report RepKG – because your dependencies shouldn’t be a liability. Initial sync is large

"name": "lodash", "version": "4.17.21", "algorithm": "sha256", "digest": "d8e...f3a", "source": "registry": "npm", "upstream_url": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", "fetched_at": "2025-02-10T12:34:56Z" , "signatures": [ "key": "repkg-mirror-01", "sig": "MEU..." , "key": "sigstore", "sig": "MEY..." ], "merkle_proof": "root=... path=...", "timestamp": "rfc3161-timestamp.der" Final Words The software supply chain will never

Yes. Run repkg mirror against upstream registries yourself. The receipts are generated locally. "name": "lodash", "version": "4

We are tired of fixing builds because a package vanished, or chasing CVEs that could have been caught at install time. RepKG is the tool we wished existed five years ago.

Those are enterprise binary repositories. RepKG is focused on verifiability and offline reproducibility first , not RBAC or promotion workflows (though we may add those later).