Package Registries
First-class package hosting for npm, PyPI, Cargo, Docker, Maven, and NuGet — integrated into the platform.
Drok includes native package registries for every major ecosystem. Packages are hosted alongside your source code, versioned alongside your releases, and secured by the same access controls that govern your repositories.
This is not a third-party integration. These registries are built into Drok's infrastructure, served from the same data centers, and managed through the same CLI and web interface you use for everything else.
Supported Registries
| Registry | Ecosystem | Format |
|---|---|---|
| npm | JavaScript / TypeScript | CommonJS, ESM |
| PyPI | Python | sdist, wheel |
| Cargo | Rust | crate |
| Docker | Containers | OCI images |
| Maven | Java / Kotlin / Scala | JAR, POM |
| NuGet | .NET | nupkg |
Registry URLs
Each organization gets a dedicated registry namespace:
npm: https://drok.us/api/v1/packages/npm/{org}/
pypi: https://drok.us/api/v1/packages/pypi/{org}/
cargo: https://drok.us/api/v1/packages/cargo/{org}/
docker: drok.us/{org}/{image}
maven: https://drok.us/api/v1/packages/maven/{org}/
nuget: https://drok.us/api/v1/packages/nuget/{org}/
Authentication
All registries authenticate using Drok personal access tokens:
drok token create --name "registry-access" --scopes package:read,package:write
The token is used with each ecosystem's native authentication mechanism. See individual registry pages for configuration details.
Visibility
Package visibility follows repository visibility:
- Private packages are accessible only to repository members
- Internal packages are accessible to all organization members
- Public packages are accessible to everyone
Versioning
All registries enforce semantic versioning where applicable. Immutability is enforced by default — once a version is published, it cannot be overwritten. This prevents supply-chain attacks where a published version is silently replaced with malicious content.
To yank (deprecate) a published version without deleting it:
drok package yank my-package@1.2.3
Yanked versions are still downloadable by clients that explicitly request them but are excluded from version resolution for new installations.
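The immutability and yank rules above can be modelled in a few lines. This is an added example, not Drok's own code: the class, its method names, and the sample artifacts are hypothetical, and it assumes plain `MAJOR.MINOR.PATCH` version strings.

```python
# Added illustration: toy in-memory model of the publish/yank rules above.
# Not Drok's implementation; class and method names are hypothetical.
import hashlib


class ImmutableRegistry:
    def __init__(self):
        self._versions = {}   # (name, version) -> sha256 hex digest of artifact
        self._yanked = set()  # (name, version) pairs marked as yanked

    def publish(self, name, version, artifact: bytes) -> str:
        key = (name, version)
        if key in self._versions:
            # Immutability: a published version is never replaced.
            raise PermissionError(f"{name}@{version} already published")
        self._versions[key] = hashlib.sha256(artifact).hexdigest()
        return self._versions[key]

    def yank(self, name, version):
        if (name, version) not in self._versions:
            raise KeyError(f"{name}@{version} not found")
        self._yanked.add((name, version))

    def fetch(self, name, version) -> str:
        # Explicit request for an exact version: yanked versions still resolve.
        return self._versions[(name, version)]

    def resolve_latest(self, name, major):
        # Resolution for a new install within one major line: skip yanked versions.
        live = [
            tuple(int(p) for p in v.split("."))
            for (n, v) in self._versions
            if n == name and (n, v) not in self._yanked
        ]
        live = [c for c in live if c[0] == major]
        return ".".join(map(str, max(live))) if live else None


def demo():
    reg = ImmutableRegistry()
    reg.publish("my-package", "1.2.2", b"constructed artifact A")
    good = reg.publish("my-package", "1.2.3", b"constructed artifact B")
    try:
        reg.publish("my-package", "1.2.3", b"constructed replacement bytes")
        overwritten = True
    except PermissionError:
        overwritten = False
    reg.yank("my-package", "1.2.3")
    return overwritten, reg.resolve_latest("my-package", 1), reg.fetch("my-package", "1.2.3") == good
```

`demo()` shows the three properties together: the second publish of `1.2.3` is rejected, new resolution falls back to `1.2.2` after the yank, and an exact request for `1.2.3` still returns the originally published digest.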
Storage and Bandwidth
| Plan | Package Storage | Bandwidth |
|---|---|---|
| Free | 500 MB | 5 GB/month |
| Pro | 10 GB | 100 GB/month |
| Organization | 50 GB | 500 GB/month |
| Enterprise | Custom | Custom |
Security Scanning
Published packages are scanned for known vulnerabilities using an integrated advisory database. Vulnerable packages are flagged in the registry UI and optionally blocked from installation:
drok org edit my-org --block-vulnerable-packages
Webhooks
Registry events emit webhooks for integration with external systems:
drok webhook create my-project \
--url https://your-service.com/webhook \
--events package:published,package:yanked
API Access
All registry operations are available via the REST API:
# List packages in a repository
curl https://drok.us/api/v1/repos/org/repo/packages \
-H "Authorization: Bearer $Drok_TOKEN"
# Get package details
curl https://drok.us/api/v1/packages/npm/org/my-package \
-H "Authorization: Bearer $Drok_TOKEN"
# Delete a package version
curl -X DELETE https://drok.us/api/v1/packages/npm/org/my-package/1.2.3 \
-H "Authorization: Bearer $Drok_TOKEN"