Launching early Q3 2026

Introducing the next generation Dependency Firewall

We are rebuilding Bytesafe Dependency Firewall as a standalone control point that sits in front of your existing repository. The next generation Dependency Firewall is where new customers are being onboarded. The current firewall will reach end of life, and existing customers will receive a migration path before that happens.

See how it works. Book a demo.
Dashboard illustration (bytesafe.dev / Firewall): 47 blocked today, 1,284 requests today, 12 active rules.

Package | Rule | Status
malicious-pkg@2.1.0 | Malware scan | BLOCKED
lodash@4.17.20 | CVSS ≥ 7.0 | BLOCKED
react@19.1.1 | Allowlist | APPROVED
new-release@0.0.1 | Age < 7 days | DELAYED
axios@1.7.9 | Allowlist | APPROVED

Decision summary shown in the illustration: Blocked (malicious-pkg@2.1.0, malware); By exception (lodash@4.17.21, exception); Delayed (new-release@0.0.1, age < 7d); Approved (react@19.1.1, allowlist).

Why a new dependency firewall?

The way teams consume open source has changed. Dependencies enter through developers, CI/CD pipelines, automation, AI coding tools and internal repository flows. The current firewall was built around a hosted registry and proxy model that predates this picture.

The next generation Dependency Firewall is designed as a standalone control point. It intercepts package requests from all of these sources, evaluates them against policy and passes decisions to your existing repository. Think of it like a network firewall, but applied to open source dependencies instead of network traffic.

The policy engine is new from the ground up: more granular rules, live decision logs, malware scanning, provenance checks and exception management that the current firewall does not have.

What the next generation Dependency Firewall adds

Capabilities not available in the current firewall.

Redesigned policy engine

Rules based on package name, version range, age, license, vulnerability severity (CVSS and EPSS), ecosystem metadata, provenance and organization-specific criteria. More granular than the current firewall's plugin-based controls.

Malware scanning

Catch known malicious packages before they are installed, cached or promoted internally. Uses dedicated malware databases, not just vulnerability feeds.

Provenance and trust signals

Verify package origin using Sigstore and SLSA attestations. Detect version swaps and pipeline tampering before packages reach your environment.

Decision transparency

See exactly why a package was approved, blocked or approved by exception. Live logs show the package, version, rule, requester and timestamp. Developers and security teams read from the same log.

Time-limited exceptions

Grant a time-limited exception for a package that would otherwise be blocked. The exception is logged with the reason and expiry. Exceptions expire automatically without manual follow-up.

Policy as code

Manage firewall configuration and rules as code. Review changes in version control, roll back safely and deploy through existing automation.
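To make the policy engine, time-limited exceptions, decision log and policy-as-code ideas above concrete, here is an added example of a small evaluator. It is not Bytesafe's code and does not use Bytesafe's rule format: the rule names, the Package metadata fields (including the malware-feed and Sigstore/SLSA results, which are assumed to have been computed upstream), the exception record, the decision-log layout and all sample package data are assumptions constructed for the example.

```python
"""Toy policy engine for a dependency firewall control point.
Added example, not Bytesafe's code: rule set, Package fields, exception record
and decision-log layout are assumptions mirroring the capabilities on this page."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

APPROVED, BLOCKED, DELAYED, BY_EXCEPTION = "APPROVED", "BLOCKED", "DELAYED", "APPROVED_BY_EXCEPTION"

@dataclass
class Package:
    name: str
    version: str
    published: datetime          # registry publish time (assumed metadata field)
    max_cvss: float = 0.0        # highest CVSS base score among known vulnerabilities
    max_epss: float = 0.0        # highest EPSS exploit probability (0..1)
    malware_hit: bool = False    # assumed: lookup against a malware feed matched
    provenance_ok: bool = True   # assumed: Sigstore/SLSA attestation verified upstream

@dataclass
class Rule:
    name: str
    outcome: str                 # APPROVED, BLOCKED or DELAYED when the predicate matches
    matches: Callable[[Package, datetime], bool]
    exceptionable: bool = True   # may a time-limited exception override this block?

@dataclass
class TimeLimitedException:
    package: str
    version: str
    reason: str
    granted_by: str
    expires: datetime

@dataclass
class Decision:                  # one decision-log entry, read by dev and security teams alike
    package: str
    version: str
    rule: str
    outcome: str
    requester: str
    timestamp: datetime

class PolicyEngine:
    def __init__(self, rules, exceptions=()):
        self.rules = list(rules)            # evaluated in order; first match wins
        self.exceptions = list(exceptions)
        self.log = []                       # append-only list of Decision

    def decide(self, pkg, requester, now):
        rule_name, outcome = "default-allow", APPROVED
        for rule in self.rules:
            if not rule.matches(pkg, now):
                continue
            rule_name, outcome = rule.name, rule.outcome
            if outcome == BLOCKED and rule.exceptionable:
                # Expiry is checked here, so exceptions lapse without manual cleanup.
                ex = next((e for e in self.exceptions if (e.package, e.version) ==
                           (pkg.name, pkg.version) and e.expires > now), None)
                if ex:   # block overridden, but the log still records why and by whom
                    rule_name = f"{rule.name} (exception: {ex.reason}; by {ex.granted_by})"
                    outcome = BY_EXCEPTION
            break
        self.log.append(Decision(pkg.name, pkg.version, rule_name, outcome, requester, now))
        return self.log[-1]

def build_rules(allowlist, min_age=timedelta(days=7), cvss_threshold=7.0, epss_threshold=0.5):
    """Policy as code: this ordered list is what you would keep in version control."""
    return [
        Rule("Malware scan", BLOCKED, lambda p, now: p.malware_hit, exceptionable=False),
        Rule("Provenance", BLOCKED, lambda p, now: not p.provenance_ok),
        # Ordering is policy: allowlisted packages skip the score and age rules below.
        Rule("Allowlist", APPROVED, lambda p, now: p.name in allowlist),
        Rule(f"CVSS >= {cvss_threshold}", BLOCKED, lambda p, now: p.max_cvss >= cvss_threshold),
        Rule(f"EPSS >= {epss_threshold}", BLOCKED, lambda p, now: p.max_epss >= epss_threshold),
        Rule(f"Age < {min_age.days} days", DELAYED, lambda p, now: now - p.published < min_age),
    ]

def run_sample():
    """Constructed requests mirroring the dashboard illustration; scores are illustrative."""
    now = datetime(2026, 7, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock
    old = now - timedelta(days=400)
    engine = PolicyEngine(build_rules(allowlist={"react"}), exceptions=[
        TimeLimitedException("lodash", "4.17.21", "upgrade scheduled", "security-team",
                             now + timedelta(days=14)),
        # Granted by mistake: malware blocks are not exceptionable, so it has no effect.
        TimeLimitedException("malicious-pkg", "2.1.0", "mistaken request", "dev-carol",
                             now + timedelta(days=1)),
    ])
    requests = [
        (Package("malicious-pkg", "2.1.0", old, malware_hit=True), "ci-runner-3"),
        (Package("lodash", "4.17.20", old, max_cvss=7.5), "dev-alice"),
        (Package("lodash", "4.17.21", old, max_cvss=7.2), "dev-alice"),
        (Package("react", "19.1.1", now - timedelta(days=3)), "dev-bob"),
        (Package("new-release", "0.0.1", now - timedelta(days=2)), "ai-coding-agent"),
        (Package("axios", "1.7.9", old), "dev-bob"),
    ]
    results = {f"{p.name}@{p.version}": engine.decide(p, who, now).outcome for p, who in requests}
    # The same exception 15 days later has expired, so the block applies again.
    results["lodash@4.17.21 later"] = engine.decide(requests[2][0], "dev-alice",
                                                    now + timedelta(days=15)).outcome
    return results, engine.log
```

Calling run_sample() returns the outcome for each constructed request together with the decision log; every log entry carries the package, version, rule, outcome, requester and timestamp, so a developer whose install failed and the security team reviewing exceptions read the same record. Two design choices worth noting: rule order is itself policy (here an allowlisted package skips the score and age rules, which a stricter deployment might not want), and a malware match is deliberately not overridable by an exception.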

Publish scanning

Packages are scanned for malware, secrets and sensitive data before they are published to an upstream registry.
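The paragraph above says packages are checked for secrets and sensitive data before they reach an upstream registry. As an added example of what that gate looks like (not Bytesafe's scanner, and a deliberately small subset of what a real one checks), the following walks a package directory before publish, flags files that should never ship and content matching a few secret patterns, and refuses publication if anything is found. The patterns, the sensitive-filename list and the constructed sample package tree are all assumptions; the AWS-style key is the placeholder value AWS uses in its own documentation.

```python
"""Pre-publish secret and sensitive-file scan for a package directory.
Added example, not Bytesafe's code or scanner: patterns, filename list and the
sample package tree are assumptions, a small subset of what a real scanner checks."""
import re
import tempfile
from pathlib import Path

# Constructed patterns; production scanners carry hundreds and verify matches.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "npm-auth-token": re.compile(r"_authToken\s*=\s*\S+"),
}
# Files that must not ship in a published package regardless of their content.
SENSITIVE_NAMES = {".env", ".npmrc", "id_rsa", ".git-credentials"}
SKIP_DIRS = {"node_modules", ".git"}   # not part of the published artifact


def scan_package_dir(root):
    """Return sorted (relative_path, finding) pairs; an empty list means clean."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file() or SKIP_DIRS & set(path.relative_to(root).parts):
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in SENSITIVE_NAMES:
            findings.add((rel, "sensitive-file"))
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.add((rel, kind))
    return sorted(findings)


def publish_allowed(root):
    """The gate: publication proceeds only when the scan returns no findings."""
    return not scan_package_dir(root)


def build_sample_package():
    """Constructed npm-style package tree with a few planted problems (assumption)."""
    root = Path(tempfile.mkdtemp(prefix="pkg-"))
    files = {
        "package.json": '{"name": "example-lib", "version": "1.0.0", "main": "index.js"}',
        "index.js": "module.exports = () => 'hello';\n",
        "config/dev.js": "const key = 'AKIAIOSFODNN7EXAMPLE';  // planted AWS-style key\n",
        ".npmrc": "//registry.npmjs.org/:_authToken=npm_xxxxxxxxxxxx\n",
        "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nabc\n-----END OPENSSH PRIVATE KEY-----\n",
        "node_modules/dep/.env": "SECRET=should-be-ignored\n",   # skipped: not published
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root
```

scan_package_dir(build_sample_package()) reports the planted key, the committed .npmrc token (twice: once for the filename, once for the token pattern) and the private key, while the .env under node_modules is ignored because it would not be published anyway. A real pre-publish check should also inspect the exact file set the package manager would upload (for npm, the files field and .npmignore), not just the working tree.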

Standalone. No package manager included.

The next generation Dependency Firewall is a control point only. It sits in front of JFrog Artifactory, Sonatype Nexus, GitLab, Azure DevOps and other repository managers. It does not replace them.

npm, PyPI, Maven, NuGet, Go, Containers

Support for the most popular ecosystems from day one, with a model designed for broader coverage over time.

Works with the repositories you already use

JFrog Artifactory
Sonatype Nexus
GitLab
GitHub Packages
Azure Artifacts
AWS CodeArtifact

How the next generation Dependency Firewall differs from the current one

The two products share a name and a purpose. The architecture, policy model and capabilities are different.

Feature | Next gen | Current
What it is | Standalone Dependency Firewall. Sits in front of your existing package registry manager and does not replace it. | Package registry manager and Dependency Firewall combined. The current firewall stores and serves packages.
Package management | No package manager. Designed for teams that already run JFrog Artifactory, Sonatype Nexus, GitLab, Azure DevOps or similar. | Built-in package registry. Teams without a dedicated repository manager used it for storage and serving.
Policy engine | Redesigned rule engine: package name, version range, age, license, CVSS, EPSS, provenance and custom rules. More granular and more composable. | Plugin-based controls: vulnerability scanner, license compliance, quarantine, delay upstream, block install scripts and others.
Package state | Stateless: packages are approved, blocked or approved by exception. Observations track which packages have passed through and when. | Quarantine state: packages can be held pending review or attestation.
Decision visibility | Live logs showing the package, version, requester, rule and outcome. Developers see exactly why an install failed and who triggered it. | Basic activity logging.
Exceptions | Time-limited exceptions with an approval trail. Exceptions expire automatically and are logged with the reason. | Not available.
Vulnerability blocking | Define exact CVSS and EPSS score thresholds per rule. Block on numeric score, not just severity label. | Vulnerability scanner plugin with severity levels (Low, Moderate, High, Critical).
Malware scanning | Built-in scanning against dedicated malware databases. Separate from vulnerability feeds. | Not available. Vulnerability feeds only.
Provenance | Sigstore and SLSA attestation support. | Not included.
Publish scanning | Packages are scanned before upload to your upstream registry. | Not included.
Operations | API-driven. Policy as code. Designed for automation and GitOps workflows. | Managed through the current product UI.
Ecosystems | npm, PyPI, Maven, NuGet, Go, Containers. Broader coverage planned. | npm, NuGet, Maven, PyPI.
Status | Active. New customer onboarding focuses on the next generation Dependency Firewall. | Will reach end of life. Existing customers will receive advance notice with a migration path.

Per firewall pricing.
Not per seat, package or download.

Pricing scales with the number of firewall endpoints you run. Developers, package requests and bandwidth are unlimited on every plan.

At hundreds or thousands of developers, per-seat and consumption-based pricing from competitors becomes difficult to forecast and expensive to justify. Most enterprise dependency firewalls charge per developer or per package volume. Adding a team or scaling headcount raises the invoice.

Bytesafe keeps the base model tied to the number of firewalls you control, with optional Cloud add-ons for SSO/OIDC, premium support and container image firewall. Growing headcount does not change your cost. Enterprise plans are available with custom firewall footprints and volume pricing.

See full pricing

Supported ecosystems

npm, Maven, PyPI, NuGet, Go, OCI, Docker

Migration and end of life

The current firewall will reach end of life. The timeline has not been set. Existing customers will receive advance notice with a migration path before any action is required.

New customers

New customer onboarding focuses on the next generation Dependency Firewall. We are not onboarding new customers to the current firewall.

Book a demo to see it in action or get a walkthrough of how it fits your setup.

Existing customers

You will continue on the current firewall until a migration path is agreed. We will contact you with a timeline and work through the migration together based on your setup, ecosystems and repository architecture.

If you used the current firewall as a package registry, migration will include moving that storage to a dedicated repository. We can discuss the options with you as part of the migration process.

Common questions

Questions from prospects, existing customers and teams evaluating the transition.

Can existing customers use the next generation Dependency Firewall today?
Not by default. Existing customers are currently on the current firewall. Contact us to discuss early access or to start planning your migration.
When will the current firewall reach end of life?
The end-of-life date has not been set yet. Existing customers will receive advance notice with a clear migration path and timeline before any changes are required.
Are new customers onboarded to the current firewall?
No. New customer onboarding focuses entirely on the next generation Dependency Firewall.
Will migration be automatic?
No. We will work with each customer to determine the right migration approach based on their setup, ecosystems and repository architecture. Migration paths will differ depending on whether you used the current firewall as a registry or only as a proxy.
Does the next generation Dependency Firewall replace our existing repository manager?
No. The next generation Dependency Firewall is a standalone control point designed to work in front of your existing repository. It does not store or serve packages.
The current firewall also stored our packages. What happens to that?
The new Dependency Firewall is a standalone enforcement layer with no package storage. If you relied on the current firewall for package storage, you will need to migrate to a private package repository such as JFrog Artifactory, Sonatype Nexus or a similar solution. Contact us if you would like to discuss a migration path.
Which ecosystems are supported?
npm, PyPI, Maven, NuGet, Go and Containers are supported. Additional ecosystem support is planned. Contact us if you need a specific ecosystem that is not listed.
How does pricing work?
Pricing is per dependency firewall endpoint. Developers, package requests and bandwidth are unlimited on every plan. Adding headcount does not change your invoice. See the pricing page for current plans.

Prepare for the next generation Dependency Firewall

Talk to us about access, migration or how the new firewall fits with your repository architecture.

See how it works. Book a demo.