
Languages & package managers

Veln supports two enforcement surfaces: a real-time transparent registry proxy (gate) for install-time blocking, and a lockfile analysis pipeline (veln verify) for pre-commit and local gating. The proxy covers npm, PyPI, Go, Cargo, RubyGems, NuGet, and Maven/Gradle; the verify pipeline covers all eight ecosystems (those plus Composer).

Real-time gate (install interception)

JavaScript

npm, pnpm, yarn, and bun all flow through the local gate proxy when you set NPM_CONFIG_REGISTRY. Lockfiles: package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, yarn.lock, bun.lock.

Python

pip, pip3, uv, and pipx route through the gate when you set PIP_INDEX_URL and UV_INDEX_URL. (poetry uses its own resolver and ignores those env vars, so it's gated at the lockfile via veln verify, not the wire.) Lockfiles: requirements.txt (with --hash pinning), uv.lock, poetry.lock.

Go, Rust, Ruby, .NET, JVM

go (GOPROXY), cargo (CARGO_HOME source-replace through a dual-origin gate), bundle (bundler mirror), dotnet (a generated nuget.config with the V3 index rewritten), and mvn / gradle (MAVEN_ARGS mirror / a GRADLE_USER_HOME init-script through a dual-origin gate that also routes the Gradle Plugin Portal) all flow through the same install-time gate. gem ignores the bundler mirror env, so use veln safe bundle or veln verify for Ruby.

Pre-commit / local lockfile verify

veln verify analyses lockfiles for all eight ecosystems: JavaScript and Python as described above, plus the six listed below. Each gets the same treatment: OSV vulnerability lookup, threat-feed match, cooling-window enforcement, license-policy enforcement, dormant-revival detection, and an archive-deep scan (artifact download + obfuscation + binary detection + install-script detection).

  • Go modules (go.sum). Resolves through proxy.golang.org.
  • Rust / Cargo (Cargo.lock). Crate metadata from crates.io, artifact scan via the .crate tarball.
  • PHP / Composer (composer.lock). Package metadata from Packagist; artifact scan via the dist zipball.
  • Ruby / Bundler (Gemfile.lock). Gem metadata from rubygems.org; archive scan walks the outer .gem TAR and extracts the inner data.tar.gz for source-level scanning.
  • .NET / NuGet (packages.lock.json). Registration index via api.nuget.org/v3; archive scan walks the .nupkg ZIP for bundled assemblies and install.ps1 hooks.
  • JVM / Maven & Gradle (gradle.lockfile, Maven coords). POM metadata from repo1.maven.org, publish times from Maven Central Solr search; archive scan walks the JAR for native shims.
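The archive-deep scan for the Ruby and .NET entries above, as an added example that is not Veln's own code: it walks a .gem (an outer TAR holding data.tar.gz) and a .nupkg (a ZIP) member by member, reading only the first bytes of each file, and reports install-time hooks and bundled binaries. The hook file names, the size cap and the sample archives (constructed in memory so the script runs offline) are assumptions of this example.

```python
# Added example (not Veln's code): an archive-deep scanner for a .gem
# (outer TAR holding data.tar.gz) and a .nupkg (ZIP), built in memory so it
# runs offline. Findings are (kind, path) tuples.
import io
import tarfile
import zipfile

# Files that run at install time (assumed hook names: extconf.rb builds Ruby
# native extensions; install.ps1/init.ps1 are NuGet PowerShell hooks).
INSTALL_HOOKS = ("extconf.rb", "install.ps1", "init.ps1", "uninstall.ps1")
BINARY_MAGIC = (b"MZ", b"\x7fELF")            # PE and ELF headers
BINARY_EXT = (".dll", ".so", ".dylib", ".exe")
MAX_MEMBER = 50 * 1024 * 1024                 # per-member cap against archive bombs


def classify(path, head, size):
    """Classify one archive member from its path, first bytes and size."""
    findings = []
    base = path.rsplit("/", 1)[-1]
    if path.startswith("/") or ".." in path.split("/"):
        findings.append(("path-traversal", path))   # never extract such names
    if size > MAX_MEMBER:
        findings.append(("oversize", path))
    if base in INSTALL_HOOKS:
        findings.append(("install-script", path))
    if head.startswith(BINARY_MAGIC) or base.endswith(BINARY_EXT):
        findings.append(("binary", path))
    return findings


def scan_gem(gem_bytes):
    """Walk the outer .gem TAR, then the inner data.tar.gz, member by member."""
    with tarfile.open(fileobj=io.BytesIO(gem_bytes), mode="r:") as outer:
        inner_bytes = outer.extractfile("data.tar.gz").read()
    findings = []
    with tarfile.open(fileobj=io.BytesIO(inner_bytes), mode="r:gz") as inner:
        for m in inner.getmembers():
            if not m.isfile():
                continue
            head = inner.extractfile(m).read(4)   # read only the magic bytes
            findings += classify(m.name, head, m.size)
    return findings


def scan_nupkg(nupkg_bytes):
    """Walk the .nupkg ZIP for bundled assemblies and PowerShell hooks."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            findings += classify(info.filename, head, info.file_size)
    return findings


# --- constructed sample archives (not real packages) -----------------------
def _tar_bytes(files, gz=False):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if gz else "w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_gem():
    inner = _tar_bytes({
        "lib/demo.rb": b"puts 'hello'\n",
        "ext/demo/extconf.rb": b"require 'mkmf'\ncreate_makefile('demo')\n",
    }, gz=True)
    return _tar_bytes({"metadata.gz": b"", "data.tar.gz": inner})


def build_sample_nupkg():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/net6.0/Demo.dll", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("tools/install.ps1", b"param($installPath)\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_gem(build_sample_gem()))
    print(scan_nupkg(build_sample_nupkg()))
```

Two design points matter for a scanner like this: never extract members to disk (the path-traversal check exists because member names are attacker-controlled), and bound how much of each member you read, since a nested tarball is exactly where a decompression bomb would sit.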

Per-ecosystem cooling tuning

Release cadences differ across ecosystems — enterprise NuGet patches ship hourly, Cargo 1.x releases are deliberate. Set a global cooling window in [cooling] and override per ecosystem via [cooling.per_ecosystem]:

[cooling]
min_version_age = "24h"

[cooling.per_ecosystem]
"crates.io" = { min_version_age = "12h" }
"NuGet" = { min_version_age = "1h" }   # enterprise: ship fast
"Go" = { min_version_age = "0s" }      # disable cooling for Go modules

Ecosystem keys accept both CLI tokens (cargo, nuget) and canonical registry names (crates.io, NuGet). Setting a duration to "0s" disables cooling for that ecosystem; unset values fall back to the global [cooling] windows.
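How the override and fallback rules above combine, as an added example (not Veln's code): it resolves the window for an ecosystem given as either a CLI token or a canonical registry name, treats "0s" as disabled, falls back to the global [cooling] window, and compares against the version's publish time. The alias table, the duration grammar and the dict shape of the parsed config are assumptions of this example.

```python
# Added example (not Veln's code): resolve the cooling window for an ecosystem
# from a [cooling] / [cooling.per_ecosystem] configuration and decide whether a
# version is old enough to install. Alias table and config shape are assumptions.
import re
from datetime import datetime, timedelta, timezone

# CLI token -> canonical registry name (assumed table; extend as needed).
ECOSYSTEM_ALIASES = {
    "cargo": "crates.io", "nuget": "NuGet", "go": "Go", "gem": "RubyGems",
    "bundle": "RubyGems", "pip": "PyPI", "pypi": "PyPI", "composer": "Packagist",
    "mvn": "Maven",
}

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Parse '24h', '30m', '0s' or compound '1h30m' into a timedelta."""
    text = text.strip()
    parts = re.findall(r"(\d+)([smhd])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))


def canonical(ecosystem):
    """Map a CLI token to its registry name; canonical names pass through."""
    return ECOSYSTEM_ALIASES.get(ecosystem.lower(), ecosystem)


def resolve_window(config, ecosystem):
    """Per-ecosystem override if set, else the global [cooling] window."""
    cooling = config["cooling"]
    key = canonical(ecosystem)
    for name, override in cooling.get("per_ecosystem", {}).items():
        if canonical(name) == key and "min_version_age" in override:
            return parse_duration(override["min_version_age"])
    return parse_duration(cooling["min_version_age"])


def check_cooling(config, ecosystem, published_at, now=None):
    """Return ('allow'|'block', reason). A 0s window disables cooling."""
    now = now or datetime.now(timezone.utc)
    window = resolve_window(config, ecosystem)
    if window == timedelta(0):
        return ("allow", f"cooling disabled for {canonical(ecosystem)}")
    age = now - published_at
    if age >= window:
        return ("allow", f"age {age} >= window {window}")
    return ("block", f"published {age} ago, window is {window}")


# The same settings as the TOML above, as the dict a TOML parser would yield.
CONFIG = {
    "cooling": {
        "min_version_age": "24h",
        "per_ecosystem": {
            "crates.io": {"min_version_age": "12h"},
            "NuGet": {"min_version_age": "1h"},
            "Go": {"min_version_age": "0s"},
        },
    }
}

# Fixed clock for reproducible demo runs.
NOW = datetime(2024, 1, 2, tzinfo=timezone.utc)


def decide(ecosystem, hours_ago, config=CONFIG):
    """Verdict for a version published hours_ago before NOW (demo helper)."""
    return check_cooling(config, ecosystem, NOW - timedelta(hours=hours_ago), NOW)[0]


if __name__ == "__main__":
    for eco, hours in [("cargo", 14), ("nuget", 0.5), ("go", 0), ("npm", 20)]:
        print(eco, check_cooling(CONFIG, eco, NOW - timedelta(hours=hours), NOW))
```

The publish timestamp fed into check_cooling should come from the registry's own record (the page names crates.io metadata and Maven Central search for this), not from anything inside the artifact, since package metadata is written by the publisher and a cooling window is only as trustworthy as its clock source.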

What runs where

veln package, veln fix, veln explain, veln license, and veln diff all work across the full eight ecosystems. SBOM output emits canonical PURLs (pkg:cargo, pkg:gem, pkg:maven/group/artifact, etc.) that round-trip through OpenVEX statements.
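What a canonical PURL looks like for each of these ecosystems, and how it parses back so an SBOM entry can be matched against an OpenVEX statement, as an added example (not Veln's code). The registry-to-type table and the normalisation rules (lowercasing for npm, Go, PyPI and Composer; underscore to dash for PyPI; percent-encoding of every path segment) are this example's reading of the purl spec and should be treated as assumptions.

```python
# Added example (not Veln's code): build canonical package URLs (PURLs) for the
# eight ecosystems and parse them back. Type mapping and normalisation rules
# are assumptions taken from the purl spec as understood here.
from urllib.parse import quote, unquote

# Canonical registry name -> purl type (assumed mapping).
PURL_TYPE = {
    "npm": "npm", "PyPI": "pypi", "Go": "golang", "crates.io": "cargo",
    "RubyGems": "gem", "NuGet": "nuget", "Maven": "maven", "Packagist": "composer",
}


def _seg(s):
    # Every path segment is percent-encoded; '/' and '@' must never appear raw,
    # otherwise a scoped npm name or a '@' in a version would be mis-parsed.
    return quote(s, safe="")


def purl(ptype, name, version=None, namespace=None):
    """Assemble pkg:type/namespace/name@version with per-type normalisation."""
    t = ptype.lower()
    if t in ("npm", "golang", "pypi", "composer"):
        name = name.lower()
        namespace = namespace.lower() if namespace else namespace
    if t == "pypi":
        name = name.replace("_", "-")   # PyPI treats _ and - as the same
    parts = ["pkg:" + t]
    if namespace:
        parts.append("/".join(_seg(p) for p in namespace.strip("/").split("/")))
    parts.append(_seg(name))
    out = "/".join(parts)
    return out + "@" + _seg(version) if version else out


def parse_purl(text):
    """Inverse of purl(); drops qualifiers (?...) and subpath (#...)."""
    if not text.startswith("pkg:"):
        raise ValueError("not a purl")
    body = text[4:].split("#", 1)[0].split("?", 1)[0]
    version = None
    if "@" in body:                 # '@' inside segments is encoded, so rsplit is safe
        body, version = body.rsplit("@", 1)
        version = unquote(version)
    segs = [unquote(s) for s in body.strip("/").split("/")]
    ptype, name = segs[0], segs[-1]
    namespace = "/".join(segs[1:-1]) or None
    return {"type": ptype, "namespace": namespace, "name": name, "version": version}


def same_package(purl_a, purl_b):
    """Identity match as a VEX consumer would do it: compare parsed fields."""
    return parse_purl(purl_a) == parse_purl(purl_b)


if __name__ == "__main__":
    for eco, kwargs in [
        ("crates.io", dict(name="rand", version="0.7.2")),
        ("RubyGems", dict(name="rails", version="7.0.0")),
        ("Maven", dict(name="batik-anim", version="1.9.1", namespace="org.apache.xmlgraphics")),
        ("npm", dict(name="animation", version="12.3.1", namespace="@angular")),
    ]:
        print(purl(PURL_TYPE[eco], **kwargs))
```

The round-trip matters because OpenVEX keys its statements on the product's identifier: an SBOM that emits "pkg:npm/@angular/animation" (raw "@") and a VEX document that carries the encoded form would silently fail to match, so both sides should canonicalise through the same builder before comparing.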
