Added Internal flag for packages and registries

Prevent internal packages from being fetched from external upstreams by mistake. Packages flagged as internal will automatically be protected from dependency confusion.

  • Registries are by default flagged as internal
  • Package versions published, pushed or uploaded to an internal registry will automatically be flagged as internal
  • Fetching new versions of internal packages from upstream sources will only consider upstreams containing internal versions of the same package


Packages without the internal flag will function as they always have, with full access to public upstreams.
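
The upstream-selection rule above, modelled as an added example (not Bytesafe's code). The Registry class, function names, registry names, package names and versions are all constructed for illustration, and treating a package as internal once the registry holds an internal version of it is an assumption.

```javascript
// Illustrative model of the rule above; not Bytesafe's implementation.
class Registry {
  constructor(name, { internal = true, upstreams = [] } = {}) {
    this.name = name;
    this.internal = internal;   // registries are internal by default
    this.upstreams = upstreams; // other Registry objects to fetch from
    this.versions = new Map();  // package name -> [{ version, internal }]
  }
  // A version published to an internal registry is flagged internal.
  publish(pkg, version) {
    const list = this.versions.get(pkg) || [];
    list.push({ version, internal: this.internal });
    this.versions.set(pkg, list);
  }
  hasInternal(pkg) {
    return (this.versions.get(pkg) || []).some((v) => v.internal);
  }
}

// Upstreams considered when `registry` fetches new versions of `pkg`.
function eligibleUpstreams(registry, pkg) {
  // Assumption: a package is internal once this registry holds an internal version.
  if (!registry.hasInternal(pkg)) return registry.upstreams; // unflagged: all upstreams
  return registry.upstreams.filter((up) => up.hasInternal(pkg));
}

// Versions offered by the eligible upstreams, tagged with their source.
function fetchCandidates(registry, pkg) {
  const found = [];
  for (const up of eligibleUpstreams(registry, pkg)) {
    for (const v of up.versions.get(pkg) || []) found.push(`${v.version}@${up.name}`);
  }
  return found;
}

// Constructed sample data: one public upstream, one internal upstream.
const publicNpm = new Registry('public-npm', { internal: false });
const teamShared = new Registry('team-shared');
const app = new Registry('app', { upstreams: [publicNpm, teamShared] });

app.publish('acme-utils', '1.1.0');        // flagged internal on publish
teamShared.publish('acme-utils', '1.2.0'); // internal version in an upstream
publicNpm.publish('acme-utils', '99.0.0'); // same name, public, higher version
publicNpm.publish('left-pad', '1.3.0');    // ordinary public dependency

console.log(fetchCandidates(app, 'acme-utils')); // public upstream is skipped
console.log(fetchCandidates(app, 'left-pad'));   // public upstream still used
```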

Users can continue to use Bytesafe registries for both public and private packages, enjoying the benefits of a single source of truth for all package dependencies while simultaneously being fully protected from dependency confusion.

See Internal packages for detailed information and use cases.

Dependency confusion occurs when a user or system is tricked into pulling a package version from a public registry, instead of the intended package of the same name from a private registry.

Read more about the concept and our secure by default solution on the blog.