Private packages,
Public simplicity
An npm-compatible registry for development, automated tests, and CI—private packages and granular access with minimal setup, right next to your editor and your pipelines.
~ Registry
$vlx@vltpkg/vsr
~VSR ready onhttp://localhost:1337
$npmconfig set registryhttp://localhost:1337
$npmpublish
+@acme/ui@1.2.0
$
Private, secure, and controlled by you
Built for local dev, shared sandboxes, test fixtures, and CI.
- Secure
- Store and manage dependencies for dev and CI workflows without exposing internal packages to the public registry.
- Controlled
- Decide who can publish, read, or update packages—useful for team sandboxes, CI bots, and licensed or proprietary artifacts.
- Local
- Run beside your laptop or in CI: private packages, scoped installs, and reproducible pipelines with a small footprint.
- Reliable
- Fewer surprises in pipelines when installs are not pinned to a flaky or changing public mirror for every run.
- Stable
- Pin versions across dev machines, test jobs, and CI so everyone resolves the same tarballs before code ships.
- Fast & Efficient
- Caches and proximity matter most in tight dev/CI loops—faster installs when your registry sits next to your runners instead of across the internet.
Granular access tokens
Precise control over who can interact with what, and how.
- subscriber tokensRead Only
- Read-only tokens offer secure, controlled, and revokable access to proprietary packages, enabling businesses to manage third-party access while protecting intellectual property.
- Read and Download packages they've been granted access to
- Rotate and Remove associated tokens & profile information for their accounts
- maintainer tokensRead & Write
- Create read-only and read & write maintainer tokens to provide comprehensive and flexible access control for managing packages within an organization, allowing for collaborative and secure package management.
- Permission to publish, update, and delete packages
- Controlled access based on specific team roles or environments
How VSR compares
The baseline both VSR and Verdaccio support today.
Fair Source: Functional Source License (FSL)
VSR is released under the Functional Source License (FSL) - a Fair Source license. You get source access and broad use rights while the license protects sustainable product development; under FSL, each version typically becomes permissive open source (Apache 2.0 or MIT) after two years. Our managed registry, mirror, and related hosted services are primarily closed source and sold separately - see our open source page for the libraries and tools we publish under permissive licenses.