Upstream Support for Chainguard Libraries for JavaScript (npm)

Cloudsmith now provides official upstream proxying and caching support for Chainguard Libraries for JavaScript in your npm repositories. This integration enables customers to use Cloudsmith as the primary, secure distribution platform for Chainguard’s malware-resistant, built-from-source JavaScript dependencies.

Key benefits

  • Centralized distribution: Use Cloudsmith as the single source of truth for all npm dependencies, including Chainguard Libraries, ensuring reliability and high availability.
  • End-to-end visibility: Gain detailed information and consumption metrics on all package requests and versions in use (including from Chainguard Libraries) through Cloudsmith.
  • Advanced security & policy: Leverage Cloudsmith policies to govern what packages flow to users/pipelines, and utilize Cloudsmith’s built-in continuous security scanning for an always-up-to-date risk profile.
  • SLSA provenance: Chainguard's dependencies are built using their hardened SLSA Level 2 build infrastructure, providing verifiable software provenance.

Getting started

The Chainguard Libraries for JavaScript repository only includes libraries built by Chainguard from source. For full coverage, we recommend a dual-upstream configuration to allow for a fallback to the public registry.

  1. Chainguard Libraries for JavaScript Upstream (Priority 1)
    • Priority: 1 (Highest)
    • Upstream URL: https://libraries.cgr.dev/javascript/
    • Mode: Cache and Proxy
    • Authentication: Add the Username and Password values from your Chainguard Libraries access settings.
  2. Public npm Registry Upstream (Priority 2 - Fallback)
    • Priority: 2 (Lower priority)
    • Upstream URL: https://registry.npmjs.org/
    • Mode: Cache and Proxy
Upstream proxies configured in priority order for Chainguard Libraries and the main npm public registry

This setup lets Cloudsmith fall back to the public npm registry for packages not available in Chainguard, giving the most secure and reliable consumption workflow possible.
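The dual-upstream setup only governs packages that clients actually fetch through the Cloudsmith repository, so it is worth checking that a project's lockfile contains no entries resolved from anywhere else. The following is an added example, not Cloudsmith or Chainguard code: it audits the `packages` map of a package-lock.json (lockfileVersion 2/3) against an allowed host list. The hostname `npm.example-proxy.test`, the `acme/prod` path and the sample lockfile are constructed placeholders.

```javascript
// Hypothetical proxy host (assumption, not from the page): replace with the
// hostname your Cloudsmith npm repository serves tarballs from.
const ALLOWED_HOSTS = ['npm.example-proxy.test'];

// Constructed sample lockfile in the lockfileVersion 3 layout, not real data.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://npm.example-proxy.test/acme/prod/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED',
    },
    'node_modules/chalk': {
      version: '5.3.0',
      resolved: 'https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED',
    },
    'node_modules/forked-lib': {
      version: '0.1.0',
      resolved: 'git+ssh://git@github.com/example/forked-lib.git#0123abc',
    },
  },
};

// Returns one finding per dependency that did not come through the proxy.
function auditLockfile(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links and bundled dependencies.
    if (path === '' || entry.link || entry.inBundle) continue;
    let url;
    try { url = new URL(entry.resolved); } catch {
      findings.push({ path, reason: 'missing or unparseable resolved URL' });
      continue;
    }
    if (url.protocol !== 'https:') {
      findings.push({ path, reason: `not a registry tarball (${url.protocol})` });
    } else if (!allowedHosts.includes(url.hostname)) {
      findings.push({ path, reason: `bypasses proxy via ${url.hostname}` });
    } else if (!entry.integrity) {
      findings.push({ path, reason: 'missing integrity hash' });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run in CI against the real lockfile, a non-empty result indicates dependencies that skipped the proxy and therefore its policies and scanning.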

Note: Chainguard Libraries for JavaScript is currently in Beta Access.
