Packagist is a polyglot dependency system. It's built to be language agnostic; where you fetch dependencies, Packagist may be able to:
- ⏩ Accelerate downloads of dependencies
- ✅ Verify authenticity of dependencies
- 🔒 Offer stronger transport security
- 🔥 Cache dependencies near your builds and CLI
- 🕵️ Report your dependency usage to you
Packagist is currently in beta.
It has some rough edges, but it's also free for unlimited usage. We're working all the time to improve!
|Ecosystem|Sources|
|---|---|
|JVM|Maven Central, Gradle Plugins|
|Node*|Node JS download|
*Documentation pending, but behaves as any normal registry endpoint would
Packagist is engineered to be fast all over the world. Countries where Cloudflare ranks as fastest are in orange:
We've partnered with Cloudflare to serve Packagist assets from one of the largest and fastest networks on earth, now in over 300 cities around the world. Packagist uses prioritized routes and the latest optimizations.
If you live near any of those blue dots, there is probably a hot cache nearby, and it has an optimized route and hot connection directly into NPM, Maven, or other dependency indexes.
Packagist supports HTTP/2, HTTP/3, end-to-end level 11 Brotli, and other advanced protocol technologies, thanks to Cloudflare's awesome systems. Packagist is equipped with NEL support and several other enhancements which progressively enhance the dependency download experience, whether source repos support it yet or not.
We use extreme compression settings and extremely long cache lifetimes; Packagist is built with Workers, Argo, R2, Cache Tiering, and Cache Reserve, ensuring maximal cache hit rates for dependencies, which are supposed to be immutable anyway.
We're sensitive to the volumes of traffic that dependency indexes must deal with. As a result, we load balance across the best & fastest download mirrors for your location -- in CI, on your CLI, wherever.
Packagist is designed to enhance the security of your dependency downloads. We use end-to-end strict SSL with dependency endpoints. Read more here about modern TLS protocols from Cloudflare.
Packagist uses strict security settings up and down the stack to guarantee end-to-end security of your dependency downloads. Internet-facing TLS is tuned for a balance of speed and customizable security, and, facing upstream, Packagist will use only TLSv1.2+ algorithms with forward secrecy enabled.
What does this mean?
- All downloads are encrypted between you → Packagist
- All downloads are encrypted from Packagist ←→ external networks and indexes
- Leaked keys at the external network cannot compromise earlier traffic (forward secrecy)
- Leaked keys at Packagist cannot compromise earlier traffic (forward secrecy)
We are working on several exciting features which enhance the security offering provided by Packagist. Stay tuned for more information.
Check your speed to your nearest Cloudflare data center here.
Workers, Argo, R2, Cache Tiering, Cache Reserve, and Always Online are trademarks of Cloudflare, Inc., and used here with permission.
In a word, yes.
For polyglot applications which use multiple sources of dependencies, you can now reduce to one set of hot connections to Packagist. You no longer need to suffer the combined outages across NPM, PyPI, NPM, Maven, or NPM and Crates.
Packagist knows about several mirrors for each dependency index, so it can seamlessly fall back or use Always Online™ to make sure you're never left without download access.
Maven, NPM, and other indexes that shall go unnamed (RubyGems) have frequently experienced outages. These indexes are provided for free, and the maintainers should be thanked and paid. But you, as a developer, can't and shouldn't have to halt your work just because of a registry or index outage.
Updated 30 days ago