Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
Configure authentication per URL prefix in config: upstream: auth: "https://registry.npmjs.org": type: bearer token: "${NPM_TOKEN}" Supports bearer tokens, basic auth, and custom headers. Credentials can reference environment variables with ${VAR_NAME} syntax. The longest matching URL prefix wins when multiple patterns match.