What Is a Dependency Firewall?
A Dependency Firewall intercepts every package request before installation, evaluates it against security policy, and blocks or delays packages that violate that policy. It is a preventive control, not a detective one.
The core idea
Like a network firewall that controls which traffic enters a system, a Dependency Firewall controls which packages enter your development environment and build system.
It sits between package consumers and package sources: between developer workstations and public registries, between CI/CD systems and npm, PyPI, Maven Central, NuGet, Go module proxies, or container registries.
Because it operates at the proxy layer, it requires no changes to developer tooling, build scripts, or CI/CD configuration. Developers continue using npm, pip, mvn, or dotnet as normal.
Each request is evaluated in real time. The result is one of three outcomes: the package passes through, it is blocked, or it is held in a delay window before being allowed.
Preventive, not detective
Most supply chain security tools find problems after packages are installed. A Dependency Firewall stops them before installation occurs.
Detective tools (SCA, scanners)
- Scan what is already installed or built
- Require a known CVE or signature to flag a package
- Generate reports and pull requests
- Cannot block at install time
Dependency Firewall (preventive)
- Blocks before the package reaches the developer or pipeline
- Uses malware databases, behavioral indicators, and custom policy
- Blocks at the network layer, not through reports or pull requests
- No install, no execution, no remediation window
Both categories are useful and complement rather than replace each other.
How Bytesafe addresses zero-day and malicious packages
Advisory databases track vulnerabilities in legitimate software. Malicious packages and compromised releases often fall outside CVE-based tracking entirely. Standalone malware generally does not receive a CVE.
Bytesafe addresses this with controls that don't rely on CVE coverage:
- Package maturity delay: Holds newly published versions for a configurable period. Reduces exposure before attacks surface in malware feeds or CVE databases.
- Malware scanning: Scans packages against known malware signatures. Blocks malicious packages even when no CVE exists.
- Install-script controls: Blocks or restricts packages that execute code during installation, a common vector for malicious payloads.
- Dependency confusion protection: Prevents public packages from overriding internal package names.
- Trust downgrades: Blocks packages published by a less trusted source than previous versions of the same package.
How it differs from SCA
Software Composition Analysis tools (Snyk, Dependabot, OWASP Dependency-Check) scan codebases, manifests, and container images to identify packages with known CVEs. They operate after packages are installed.
- SCA identifies issues in packages already present. A Dependency Firewall blocks before install.
- Most SCA tools flag packages by matching known CVE databases. Malicious packages without a CVE assignment are most often not caught.
- SCA generates reports and opens pull requests. A Dependency Firewall breaks the build at install time.
- A Dependency Firewall enforces rules at install time that most SCA tools do not: package age, namespace, and provenance.
How it differs from repository managers
Repository managers (Artifactory, Nexus, GitHub Packages, Azure Artifacts) were built for artifact management: storing, caching, and proxying packages. Security policy evaluation was not part of that design.
When a package request passes through a repository manager, it is fetched and served. The package is not checked against malware databases, CVE feeds, license lists, or age thresholds. A malicious package reaches the developer the same way a clean one does.
Bytesafe sits in front of the repository manager and evaluates every request before any package reaches the developer or build pipeline. The two work together: Bytesafe enforces policy, the repository manager handles storage and proxying.
How Bytesafe implements it
Bytesafe is a managed Dependency Firewall. Route all package installs through Bytesafe. It evaluates every request against policy across npm, PyPI, Maven, NuGet, Go, and OCI.
- Malware blocking: Blocks packages flagged in malware databases before they install.
- Vulnerability thresholds: Blocks packages with CVEs above a CVSS or EPSS score you configure. Advisory data is refreshed hourly from NVD, GitHub Security Advisories, and major Linux distribution and vendor feeds.
- Safety delay: Holds newly published versions for a configurable period, giving the ecosystem time to surface zero-day issues.
- Dependency confusion protection: Internal packages always resolve from your private registry. Public packages cannot override internal names.
- Install-script controls: Blocks or restricts packages that execute code during installation.
- Trust downgrades: Blocks packages published by a less trusted source than previous versions of the same package.
- License enforcement: Blocks packages with disallowed licenses before they reach a build.
- Provenance verification: Verifies package origin using Sigstore and SLSA attestations. Detects version swaps and pipeline tampering.
- Audit log: Every allow, block, and exception is recorded with the rule, requester, and timestamp. Exportable to SIEM.
- Policy as code: Firewall configurations are JSON files managed in Git. Apply different rules per team or project.
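A minimal model of the per-request evaluation described in the core idea and in the two control lists above, as an added example that is not Bytesafe's code: each constructed request is mapped to allow, block or delay by rules for malware hits, dependency confusion, install scripts, trust downgrades and the maturity delay, and each decision can be turned into an audit line carrying rule, requester and timestamp. The policy dictionary, the trust ranks, the `@acme/` namespace and the sample packages are assumptions, not Bytesafe's schema or data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json
@dataclass
class PackageRequest:  # constructed view of one request as the proxy sees it
    name: str
    version: str
    source: str                  # "private" or "public": where the name resolved
    published_at: datetime       # upstream publish time from registry metadata
    publisher: str               # identity that published this version
    has_install_script: bool = False
    malware_match: bool = False  # hit in a malware feed; no CVE needed

# Hypothetical policy; the page gives no schema for Bytesafe's own JSON files.
POLICY = {"maturity_delay": timedelta(days=3), "internal_prefixes": ("@acme/",),
          "block_install_scripts": True,
          "trust_rank": {"release-bot": 3, "maintainer": 2, "unknown": 0}}

def evaluate(req, now, prior_publisher=None, policy=POLICY):
    """Map one request to ('allow' | 'block' | 'delay', rule that fired)."""
    rank = policy["trust_rank"]
    if req.malware_match:
        return "block", "malware-db"
    if req.source == "public" and req.name.startswith(policy["internal_prefixes"]):
        return "block", "dependency-confusion"
    if policy["block_install_scripts"] and req.has_install_script:
        return "block", "install-script"
    if prior_publisher and rank.get(req.publisher, 0) < rank.get(prior_publisher, 0):
        return "block", "trust-downgrade"
    if now - req.published_at < policy["maturity_delay"]:
        return "delay", "maturity-delay"  # held until the window elapses
    return "allow", "default"

def audit_entry(req, requester, decision, rule, now):
    """One JSON line per decision, with rule, requester and timestamp."""
    return json.dumps({"ts": now.isoformat(), "requester": requester, "package":
                       f"{req.name}@{req.version}", "decision": decision, "rule": rule})
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
D30 = NOW - timedelta(days=30)
SAMPLES = {  # constructed requests, one per outcome
    "fresh": PackageRequest("left-pad", "2.0.0", "public", NOW - timedelta(hours=6), "maintainer"),
    "confusion": PackageRequest("@acme/auth-client", "9.9.9", "public", D30, "unknown"),
    "internal": PackageRequest("@acme/auth-client", "1.0.0", "private", D30, "release-bot"),
    "downgrade": PackageRequest("left-pad", "1.4.0", "public", D30, "unknown"),
    "postinstall": PackageRequest("colors-fast", "1.0.1", "public", D30, "unknown", True),
}

def run_samples():
    prior = {"downgrade": "maintainer"}  # publisher of the previous left-pad release
    return {k: evaluate(r, NOW, prior.get(k)) for k, r in SAMPLES.items()}
```

Rule order matters: a malware hit is decided before the maturity window is checked, so a flagged package is blocked rather than merely delayed.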
See it in your environment
No agent installs. No workflow changes. Works with your existing registries.