Pkgst: CDN for your Dependencies

Faster dependency downloads with Packagist

What is Pkgst?

Packagist is a polyglot dependency proxy and CDN. It is built to be language agnostic: wherever you fetch dependencies from, Packagist sits in front of the upstream registry and can:

  • Accelerate downloads of dependencies
  • Verify authenticity of dependencies
  • 🔒 Offer stronger transport security
  • 🔥 Cache dependencies near your builds and CLI
  • 🕵️ Report your dependency usage to you

🚧 Packagist is currently in beta.

It has some rough edges, but it's also free for unlimited usage. We're working all the time to improve!

Supported ecosystems

Packagist currently fronts the JVM, JavaScript, Golang and several other package-registry ecosystems, with more to come:

| Ecosystem  | Repository                    | Endpoint                                           |
|------------|-------------------------------|----------------------------------------------------|
| JavaScript | NPM                           | https://npm.pkg.st/                                |
| JVM        | Maven Central, Gradle Plugins | https://maven.pkg.st/ and https://gradle.pkg.st/   |
| Golang     | proxy.golang.org              | https://go.pkg.st/                                 |
| Bazel*     | Bazel BCR                     | https://bcr.pkg.st/                                |
| Deno*      | Denoland                      | https://deno.pkg.st/                               |
| Rust*      | Crates                        | https://crates.pkg.st/                             |
| Node*      | Node JS download              | https://node.pkg.st/                               |
| PyPI*      | pypi.org                      | https://pypi.pkg.st/                               |

*Documentation pending; these endpoints behave as any normal registry endpoint for their ecosystem would.
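The table gives the endpoints but not the client-side switch. The script below is an added example (not Pkgst's own tooling) that points npm, Maven, Gradle and Go at the endpoints above and then audits the environment for settings that would turn off the verification a mirror does not replace. It assumes each endpoint accepts the stock client configuration of its ecosystem, which is what the footnote implies; the file names, variable names and the `audit_integrity_settings` function are this example's own.

```shell
#!/usr/bin/env bash
# Added example: configure npm, Maven, Gradle and Go to download through the
# Pkgst endpoints, then check that nothing in the environment disables
# content or certificate verification. Assumption: each endpoint accepts the
# standard client configuration of its ecosystem. Names below are illustrative.
set -eu

PKGST_NPM="https://npm.pkg.st/"
PKGST_MAVEN="https://maven.pkg.st/"
PKGST_GRADLE="https://gradle.pkg.st/"
PKGST_GO="https://go.pkg.st"

# write_pkgst_config DIR: write one config file per ecosystem under DIR.
write_pkgst_config() {
  local dir="$1"
  mkdir -p "$dir/.m2"

  # npm: registry switch only. package-lock.json "integrity" hashes still
  # verify every tarball, whichever host served it.
  printf 'registry=%s\nstrict-ssl=true\n' "$PKGST_NPM" > "$dir/.npmrc"

  # Maven: mirror Central through maven.pkg.st (user-level settings.xml).
  cat > "$dir/.m2/settings.xml" <<EOF
<settings>
  <mirrors>
    <mirror>
      <id>pkgst-central</id>
      <mirrorOf>central</mirrorOf>
      <url>${PKGST_MAVEN}</url>
    </mirror>
  </mirrors>
</settings>
EOF

  # Gradle (Kotlin DSL settings file): plugins from gradle.pkg.st,
  # library dependencies from maven.pkg.st.
  cat > "$dir/settings.gradle.kts" <<EOF
pluginManagement {
    repositories {
        maven { url = uri("${PKGST_GRADLE}") }
    }
}
dependencyResolutionManagement {
    repositories {
        maven { url = uri("${PKGST_MAVEN}") }
    }
}
EOF

  # Go: proxy with direct fallback. GOSUMDB stays at its default so every
  # module hash is still checked against the checksum database.
  printf 'export GOPROXY=%s,direct\nexport GOSUMDB=sum.golang.org\n' \
    "$PKGST_GO" > "$dir/go-env.sh"
}

# audit_integrity_settings DIR: return non-zero if the environment or the
# written config switches off verification. TLS to the mirror protects the
# transport; lockfile hashes and the Go checksum database protect content.
audit_integrity_settings() {
  local dir="$1" bad=0
  if [ "${GOSUMDB:-}" = "off" ]; then
    echo "GOSUMDB=off: Go module checksums are not verified"; bad=1
  fi
  if [ -n "${GONOSUMDB:-}" ] || [ -n "${GOINSECURE:-}" ]; then
    echo "GONOSUMDB/GOINSECURE set: some modules skip checksum or TLS checks"; bad=1
  fi
  if [ "${NODE_TLS_REJECT_UNAUTHORIZED:-1}" = "0" ]; then
    echo "NODE_TLS_REJECT_UNAUTHORIZED=0: npm would accept any certificate"; bad=1
  fi
  if [ -f "$dir/.npmrc" ] && grep -q '^strict-ssl *= *false' "$dir/.npmrc"; then
    echo ".npmrc strict-ssl=false: npm would accept any certificate"; bad=1
  fi
  case "${MAVEN_OPTS:-}" in
    *maven.wagon.http.ssl.insecure=true*)
      echo "MAVEN_OPTS disables Maven TLS validation"; bad=1 ;;
  esac
  return "$bad"
}

# Usage: ./pkgst-setup.sh <project-dir>
if [ $# -ge 1 ]; then
  write_pkgst_config "$1"
  audit_integrity_settings "$1"
fi
```

Source `go-env.sh` into the shell or CI job that runs `go build`; the other three files are picked up automatically from the project directory (npm, Gradle) or the home directory (Maven). Run the audit in CI after any registry change, since a mirror swap is exactly when someone is tempted to "temporarily" disable certificate or checksum checks.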


Is it fast?

Packagist is engineered to be fast all over the world. Countries where Cloudflare ranks as fastest are in orange:

Powered by Cloudflare

We've partnered with Cloudflare to serve Packagist assets from one of the largest and fastest networks on earth, now in over 300 cities around the world. Packagist uses prioritized routes and the latest optimizations.

If you are near one of the blue dots, there is probably a hot cache nearby, with an optimized route and a warm connection directly into NPM, Maven or the other dependency indexes.

Modern protocol support

Packagist supports HTTP/2, HTTP/3, end-to-end Brotli at compression level 11, and other modern protocol features, thanks to Cloudflare's network. Packagist also enables Network Error Logging (NEL) and several other enhancements that progressively improve the download experience, whether or not the upstream source repositories support them yet.

Caching and compression

We use maximal compression settings and very long cache lifetimes. Packagist is built with Workers, Argo, R2, Cache Tiering and Cache Reserve to maximize cache hit rates for dependencies, which are supposed to be immutable anyway: a published version should never change its content.

Latency-based routing

We're sensitive to the volumes of traffic that dependency indexes must deal with. As a result, we load-balance across the best and fastest download mirrors for your location, in CI, on your CLI, wherever you are.

Is it secure?

Packagist is designed to strengthen the security of your dependency downloads. We use strict TLS end to end: connections to the upstream dependency endpoints are encrypted and the upstream certificates are validated, not merely accepted. Read more here about modern TLS protocols from Cloudflare.

Strong transport security

Qualys SSL Server test run against Pkgst. See the results or run the test yourself [here](https://www.ssllabs.com/ssltest/analyze.html?d=maven.pkg.st).

Packagist uses strict security settings up and down the stack so that your dependency downloads stay encrypted end to end. Internet-facing TLS is tuned for a balance of speed and security, and on the upstream side Packagist negotiates only TLS 1.2 or newer with cipher suites that provide forward secrecy.

What does this mean?

  • All downloads are encrypted between you → Packagist
  • All downloads are encrypted between Packagist ←→ external networks and indexes
  • A leaked long-term key at the external network cannot decrypt previously captured traffic (forward secrecy)
  • A leaked long-term key at Packagist cannot decrypt previously captured traffic (forward secrecy)
  • Transport encryption protects the download in flight; it does not by itself prove that an artifact matches what its publisher released. Keep your ecosystem's content checks in place when you switch endpoints: lockfile integrity hashes (npm's `integrity` field, `Cargo.lock` checksums) and Go's `go.sum` plus checksum database.

Future security features

We are working on several exciting features which enhance the security offering provided by Packagist. Stay tuned for more information.

Test your speed

Check your speed to your nearest Cloudflare data center here.

Legalese

Workers, Argo, R2, Cache Tiering, Cache Reserve, and Always Online are trademarks of Cloudflare, Inc., and used here with permission.

Is it reliable?

In a word, yes.

Fewer moving parts

For polyglot applications that pull dependencies from several registries, you can now reduce to a single set of hot connections to Packagist. You no longer need to suffer the combined outages of NPM, PyPI, Maven, Crates and the rest.

Always Online™

Packagist knows about several mirrors for each dependency index, so it can fall back seamlessly, or serve from Always Online™, to make sure you're never left without download access.

Automatic mirror fallback

Maven, NPM, and other indexes that shall go unnamed (RubyGems) have all experienced repeated outages. These indexes are provided for free, and their maintainers should be thanked and paid. But you, as a developer, can't and shouldn't have to halt your work just because a registry or index is down.