Teams want to block newly published (potentially malicious) packages, but building custom quarantine policies across npm, PyPI, Maven, Go, etc. requires stitching together multiple tools or paying for expensive enterprise solutions.
A lightweight, self-hosted proxy that enforces a configurable maturity window (e.g., block packages younger than N days) with automatic fallback to the closest compliant version. Works as a drop-in registry mirror for all major ecosystems. Open-source core with a paid dashboard for policy management, audit logs, and alerting.
Freemium — open-source proxy with paid team/enterprise tier ($500-$5K/month) for centralized policy management, SBOM export, compliance reporting, and SSO.
Real pain confirmed by the Reddit thread and high-profile attacks (xz-utils, ua-parser-js, colors.js). However, many teams tolerate the risk or use partial workarounds (pinning versions, Renovate delays). Pain is acute during/after incidents but dulls between them. The 7 upvotes / 14 comments signal genuine interest but not a screaming emergency for most teams.
TAM for supply chain security is $2-3B growing to $8-12B. The addressable slice for a quarantine-only tool is smaller — maybe $200-500M for the proxy/gate sub-segment. But the open-core model can land-and-expand into broader supply chain features. Mid-market and SMB engineering teams (10-500 devs) are the sweet spot — tens of thousands of potential customers globally.
Teams already paying $50K+/year for JFrog/Sonatype validate that budget exists. But DepQuarantine targets teams who explicitly DON'T want to pay enterprise pricing — they want free or cheap. The $500-$5K/month pricing requires proving clear ROI. Open-core model means many users will stay on free tier. WTP is moderate — security tools have budget but the 'simple proxy' framing may feel commoditizable.
A registry proxy with age-checking is architecturally straightforward. Core MVP: HTTP proxy that intercepts install requests, checks package publish-date against registry API metadata, blocks or resolves to compliant version. Registries expose publish timestamps via public APIs. A strong solo dev with Go/Rust could build a working single-registry proxy (npm or PyPI) in 2-3 weeks. Multi-registry support adds weeks but is well-scoped. No ML, no proprietary data needed.
Clear, validated gap. No existing tool offers simple age-based quarantine as a standalone, affordable, self-hosted proxy. JFrog/Sonatype could add it as a checkbox but are incentivized to sell $50K+ platforms. Socket/Snyk don't do enforcement. Bytesafe is npm-only. The gap is real and structural — incumbents won't cannibalize their enterprise pricing to fill it.
Strong subscription fit. Quarantine proxy runs continuously in CI/CD — it's infrastructure, not a one-time scan. Teams that adopt it cannot easily remove it (security regression). Paid tiers for dashboard, audit logs, compliance reporting, and multi-registry are natural upsells. Policy management is inherently ongoing. SBOM/compliance reporting creates sticky recurring value.
- +Clear, validated gap — no affordable age-based quarantine proxy exists across registries
- +Technically simple MVP with high defensibility through multi-registry coverage and policy UX
- +Open-core model aligns perfectly with DevOps buying patterns (try free, upgrade for team features)
- +Massive tailwinds from xz-utils, regulatory mandates, and growing supply chain attack frequency
- +Low CAC potential — open-source proxy can spread virally through DevOps communities and blog posts
- !JFrog or Sonatype could ship an 'age gate' policy toggle in one sprint, eliminating the core differentiator
- !Free tier cannibalization — the proxy alone may be 'enough' for most teams, making conversion to paid difficult
- !Package age is a blunt heuristic: it blocks ALL new packages including legitimate urgent security patches, creating friction that teams may abandon rather than manage
- !Multi-registry support is a long tail — each ecosystem (npm, PyPI, Maven, Go, NuGet, RubyGems, Cargo) has different metadata APIs and resolution semantics
- !Small initial market signal (7 upvotes) — need to validate demand beyond one Reddit thread before building
Enterprise artifact management platform with a Curation add-on that blocks packages pre-ingestion based on CVE, license, and malicious-package intelligence. Supports all major registries.
Supply chain firewall that auto-quarantines components flagged by Sonatype's proprietary intelligence database. Closest existing 'quarantine' concept — but intelligence-driven, not age-driven.
Detects malicious and risky packages through deep behavioral analysis
Developer security platform that scans dependencies for known vulnerabilities and license issues. Snyk Advisor provides package health scores including age/maturity signals.
Dependency firewall and private registry with policy-based blocking. Positioned explicitly as a 'dependency security' tool with some freshness/trust signals. Primarily npm-focused.
Single-binary Go proxy that handles npm and PyPI. Config file sets quarantine window (e.g., 72 hours). Intercepts install requests, checks publish date via registry API, blocks or auto-resolves to nearest compliant version. Docker image for easy CI/CD runner deployment. No dashboard, no auth — just a proxy config and a JSON log file. Ship in 3-4 weeks.
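Added illustration of the age-gate core described above (not code from the page or from any existing product): a Go resolver that reads an npm packument's `time` map, which the public registry exposes as an RFC 3339 publish timestamp per version, and returns the newest final release older than the quarantine window, or an empty string when nothing has matured and the install should be blocked. The sample packument is constructed, and the function and variable names are assumptions, not a real project's API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"time"
)

// Constructed npm packument excerpt (not real registry data): 1.2.0 is mature,
// 1.3.0 was published the day before "now", and 2.0.0-rc.1 is a pre-release.
const samplePackument = `{"time":{"created":"2024-01-01T00:00:00.000Z",
"1.2.0":"2024-03-01T00:00:00.000Z","2.0.0-rc.1":"2024-03-10T00:00:00.000Z",
"1.3.0":"2024-03-29T00:00:00.000Z"}}`

// Only final releases "MAJOR.MINOR.PATCH" are fallback candidates; pre-releases
// and the non-version keys "created"/"modified" in the time map never match.
var release = regexp.MustCompile(`^\d+\.\d+\.\d+$`)

// newer reports whether final-release version a is higher than b.
func newer(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return false
}

// ResolveCompliant returns the newest final release published at or before
// now-minAge, or "" when nothing has matured (the proxy then blocks the install).
func ResolveCompliant(packument []byte, now time.Time, minAge time.Duration) (string, error) {
	var doc struct{ Time map[string]string `json:"time"` }
	if err := json.Unmarshal(packument, &doc); err != nil {
		return "", err
	}
	cutoff := now.Add(-minAge)
	best, bestSV := "", [3]int{}
	for v, ts := range doc.Time {
		published, err := time.Parse(time.RFC3339, ts)
		if !release.MatchString(v) || err != nil || published.After(cutoff) {
			continue // not a final release, bad timestamp, or still in quarantine
		}
		var sv [3]int
		fmt.Sscanf(v, "%d.%d.%d", &sv[0], &sv[1], &sv[2])
		if best == "" || newer(sv, bestSV) {
			best, bestSV = v, sv
		}
	}
	return best, nil
}
```

The proxy would call this with the packument fetched from the upstream registry and rewrite the install request to the returned version, logging a block when it is empty.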
Free open-source proxy (npm + PyPI) → Paid Team tier at $49/month adds dashboard, policy editor, Slack alerts, allowlists/exceptions → Business tier at $199/month adds all registries, audit logs, SBOM export, SSO → Enterprise at $500-2K/month adds on-prem support, SLA, custom policies, compliance reporting. Target first paid conversion at 100-200 OSS users.
MVP in 4-6 weeks. First 50-100 GitHub stars in weeks 6-10 via Hacker News / Reddit / DevOps communities. First paying customer in months 3-4 once dashboard and multi-registry ship. $1K MRR by month 6 is achievable with focused developer marketing.
- “We block any package younger than 6 days, and with Compliant Version Selection enabled, the closest compliant version is resolved automatically”
- “forcing an aging of packages before use. Not perfect, and still looking for other options”
- “Much simpler to stop using open-ended versions in your dependency declarations”