Sentinel Package Manager integrates with established security providers to check packages against comprehensive vulnerability databases before installation.
- Why Providers? - Benefits of using providers
- Available Providers - OSV, GitHub, Snyk
- Configuration - How to configure providers
- Provider Priority - How providers are checked
- Troubleshooting - Common issues
Related: See Data Sources Guide for all data source types.
Quick Start: See Usage Guide for basic setup.
## Why Providers?

While the local blacklist covers known compromised packages (like Shai-Hulud), providers give you access to:
- ✅ Real-time vulnerability data from industry-leading sources
- ✅ CVE databases (Common Vulnerabilities and Exposures)
- ✅ Comprehensive coverage beyond custom blacklists
- ✅ Automatic updates as new vulnerabilities are discovered
## Available Providers

### OSV

Google's comprehensive vulnerability database.

- ✅ Free - No API key required
- ✅ Comprehensive - Aggregates data from multiple sources
- ✅ Fast - Low latency API
- ✅ Real-time - Updated continuously

Configuration:

```json
{
  "providers": {
    "osv": {
      "enabled": true,
      "timeout": 5000
    }
  }
}
```

### GitHub Advisories

GitHub's security advisory database.
- ✅ Free - Public API can be queried without token
- ⚠️ Token recommended - Unauthenticated requests may return incomplete results or be rate-limited (60 requests/hour)
- ✅ Authenticated access - With token: 5000 requests/hour, complete results
- ✅ GitHub ecosystem - Covers npm packages on GitHub
Configuration (`token` is optional; set it to a GitHub token for higher rate limits):

```json
{
  "providers": {
    "github": {
      "enabled": true,
      "timeout": 5000,
      "token": null
    }
  }
}
```

API: https://docs.github.com/en/rest/security-advisories
To get a GitHub token:

1. Go to https://github.com/settings/tokens
2. Generate a new token (classic)
3. Add the `public_repo` scope
4. Add the token to your config:

```json
"token": "ghp_..."
```
### Snyk

Snyk's comprehensive vulnerability database.

- ⚠️ REQUIRES API token - Cannot work without token
- ⚠️ Disabled by default - Must be explicitly enabled with token
- ✅ Enterprise-grade - Used by major companies
- ✅ Detailed reports - Severity, CVSS scores, remediation
- ✅ High rate limits - Suitable for enterprise use

Configuration:

```json
{
  "providers": {
    "snyk": {
      "enabled": true,
      "token": "your-snyk-api-token"
    }
  }
}
```

To get a Snyk token:

1. Sign up at https://snyk.io
2. Go to Account Settings → API Token
3. Generate a new token
4. Add the token to your config:

```json
"token": "..."
```

API: https://snyk.io/api
## Configuration

Full `sentinel.config.json` example with all providers:

```json
{
  "dataSourcePath": "./config/compromised-packages.json",
  "skipNpmAudit": false,
  "logMode": "normal",
  "providers": {
    "osv": {
      "enabled": true,
      "timeout": 5000
    },
    "github": {
      "enabled": true,
      "timeout": 5000,
      "token": null
    },
    "snyk": {
      "enabled": false,
      "token": null
    }
  }
}
```

To disable all providers:

```json
{
  "providers": {
    "osv": { "enabled": false },
    "github": { "enabled": false }
  }
}
```

To use OSV only:

```json
{
  "providers": {
    "osv": { "enabled": true },
    "github": { "enabled": false }
  }
}
```

## Provider Priority

```text
1. Check local blacklist (Shai-Hulud, custom)
        ↓
2. Check providers (OSV, GitHub, Snyk) in parallel
        ↓
3. If vulnerability found → BLOCK installation
        ↓
4. Fallback to npm audit (if providers didn't find anything)
```
- OSV - Checked first (fastest, most comprehensive)
- GitHub - Checked second (npm ecosystem focus)
- Snyk - Checked third (if enabled, enterprise-grade)
Note: Providers run in parallel for speed. The first vulnerability found blocks installation.
Providers run automatically - no configuration needed!

```bash
npm install express
# ✅ Automatically checks OSV + GitHub Advisories (no config needed)
```

What runs by default:

- ✅ OSV - Enabled, no token required
- ✅ GitHub Advisories - Enabled, no token required
- ❌ Snyk - Disabled (requires token)
Using CLI flags:

```bash
# Disable a provider
sentinel scan package-name --enableOsv=false

# Enable Snyk with token
sentinel scan package-name --enableSnyk=true --snykToken="your-token"

# Add GitHub token for higher rate limits
sentinel scan package-name --githubToken="ghp_..."
```

Using a config file:

```bash
# Create config
sentinel init

# Edit sentinel.config.json
# Add provider configs

# Use normally
npm install express
```

Provider comparison:

| Provider | Free | Token Required | Default | Rate Limit | Coverage | Speed |
|---|---|---|---|---|---|---|
| OSV | ✅ | ❌ No | ✅ Enabled | High | Comprehensive | Fast |
| GitHub | ✅ | ⚠️ Recommended | ✅ Enabled | 60/hour (public), 5000/hour (with token) | npm ecosystem | Fast |
| Snyk | | ✅ Required | ❌ Disabled | High | Enterprise | Fast |
## Troubleshooting

Providers timing out: if providers are slow, increase the timeout:

```json
{
  "providers": {
    "osv": { "timeout": 10000 },
    "github": { "timeout": 10000 }
  }
}
```

Rate limits:

- GitHub: Add a token for higher limits (5000/hour)

```json
{
  "providers": {
    "github": {
      "token": "ghp_your_token_here"
    }
  }
}
```

- Snyk: Check your plan's rate limits

Provider failures:
If a provider is down or times out, Sentinel:
- ✅ Fails gracefully (doesn't block installation) - fail-open behavior
- ✅ Continues with other sources (local blacklist, other providers, npm audit)
- ✅ Logs error in verbose mode only
- ⚠️ npm audit fallback - Only works when scanning projects with lockfiles, not standalone packages

To disable a problematic provider:

```json
{
  "providers": {
    "github": { "enabled": false }
  }
}
```

Best practices:

- Enable OSV - Free, fast, comprehensive
- Enable GitHub - Good npm ecosystem coverage
- Enable Snyk - If you have enterprise needs
- Use tokens - For higher rate limits (GitHub, Snyk)
- Monitor logs - Use `--logMode=verbose` to see provider activity
Providers give you:
- ✅ Real-time vulnerability data
- ✅ Industry-leading security databases
- ✅ Automatic updates
- ✅ Comprehensive coverage
Out of the box (default):
- ✅ OSV enabled - Free, no token, no config needed
- ✅ GitHub enabled - Works without token, but token recommended for complete results
- ❌ Snyk disabled - Requires token (must enable manually)
Token Requirements:
- OSV: ❌ No token needed
- GitHub: ⚠️ Token recommended (unauthenticated may have incomplete results, 60 req/hr limit)
- Snyk: ✅ Token is required (cannot work without it)
Just install and use - OSV works automatically! GitHub works without a token but a token is recommended for complete results. 🎉
Sentinel uses a fail-open approach for providers:
| Failure Scenario | Behavior | Configurable? |
|---|---|---|
| Provider timeout | Warn (verbose mode) and continue with other sources | Yes (timeout config) |
| Provider API error | Warn (verbose mode) and continue | No |
| Provider rate limit | Warn (verbose mode) and continue | No |
| Network failure | Warn (verbose mode) and continue | No |
| Blacklist file missing | Warn and continue (does not block) | No |
Rationale: If a provider is down, Sentinel doesn't block legitimate installs. It continues checking other sources (local blacklist, other providers, npm audit).
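The provider stage from the priority flow and the fail-open rules in the table above, modelled as an added example (not Sentinel's own code): enabled providers are queried in parallel, each call is bounded by its `timeout` from the `providers` config, a provider that errors or times out is skipped and only reported through an optional verbose logger, and any finding blocks. The stand-in providers and the `withTimeout`/`checkProviders` helpers are constructed for this example.

```javascript
// Constructed stand-in providers; a real one would call the OSV/GitHub/Snyk API.
// `behaviour` selects what the fake provider does so each failure mode can be exercised.
function makeProvider(name, behaviour) {
  return {
    name,
    async check(pkg, version) {
      if (behaviour === 'hang') return new Promise(() => {}); // never resolves (stalled API)
      if (behaviour === 'error') throw new Error(`${name}: HTTP 503`); // simulated API error
      if (behaviour === 'vuln') return { id: 'EXAMPLE-0001', summary: `constructed advisory for ${pkg}@${version}` };
      return null; // no finding
    },
  };
}

// Bound a provider call by the configured timeout; expiry rejects so it is handled like any other failure.
function withTimeout(promise, ms, label) {
  let timer;
  const expiry = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`${label}: timeout after ${ms}ms`)), ms);
  });
  return Promise.race([promise, expiry]).finally(() => clearTimeout(timer));
}

// `config` has the shape of the "providers" object in sentinel.config.json.
// Returns { blocked, findings, checked }; a failed provider can never set blocked (fail-open).
async function checkProviders(pkg, version, providers, config, log = () => {}) {
  const enabled = providers.filter((p) => config[p.name] && config[p.name].enabled);
  const results = await Promise.allSettled(
    enabled.map((p) => withTimeout(p.check(pkg, version), config[p.name].timeout ?? 5000, p.name)),
  );
  const findings = [];
  results.forEach((r, i) => {
    if (r.status === 'rejected') {
      log(`warn: provider ${enabled[i].name} skipped: ${r.reason.message}`); // verbose mode only
    } else if (r.value) {
      findings.push({ provider: enabled[i].name, ...r.value });
    }
  });
  return { blocked: findings.length > 0, findings, checked: enabled.map((p) => p.name) };
}

// Usage with this guide's defaults: OSV and GitHub enabled, Snyk disabled.
const exampleConfig = { osv: { enabled: true, timeout: 5000 }, github: { enabled: true, timeout: 5000 }, snyk: { enabled: false } };
const exampleProviders = [makeProvider('osv', 'error'), makeProvider('github', 'vuln'), makeProvider('snyk', 'vuln')];
checkProviders('express', '4.18.2', exampleProviders, exampleConfig, console.warn).then((r) => console.log(r));
```

Because the fail-open path only warns, the logger is the place to surface skipped providers in verbose mode; an install that passed while every provider was down looks identical to a clean one otherwise.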
📖 For complete priority and conflict resolution details, see Data Sources Guide which covers all data source types (local files, API endpoints, and providers).
Sentinel matches packages using:

- Package name: Exact match (case-sensitive)
- Version: Exact version match (e.g., `1.2.3` matches `1.2.3`)
- Version ranges: Not supported - only exact versions in blacklist
- Scoped packages: Supported (e.g., `@scope/package`)

Example:

- Blacklist has `"express": ["4.18.2"]` → Blocks `express@4.18.2` only
- Blacklist has `"express": []` → Blocks all versions of `express`
Sentinel does not cache provider responses. Each validation checks providers in real-time to ensure up-to-date vulnerability data.
Sentinel sends zero telemetry and never uploads:
- Your dependency graph
- Package names or versions you're installing
- Any information to external services (except provider API calls for vulnerability checks)
CLI Arguments:

```bash
# Disable providers
--enableOsv=false
--enableGitHub=false

# Enable Snyk
--enableSnyk=true --snykToken="..."

# Add tokens
--githubToken="ghp_..."   # Optional (recommended for complete results)
--snykToken="..."         # Required
```

Limitations:

GitHub Advisories:

- Unauthenticated requests may return incomplete results (60 requests/hour limit)
- Token recommended for production use (5000 requests/hour, complete data)
- API may have temporary issues during peak hours

npm audit fallback:

- Only works when scanning directories/repositories with `package.json` + lockfile
- Cannot check standalone packages (e.g., `sentinel scan react@18.0.0`)
- Requires npm to be installed and accessible

Local blacklist:

- Only exact version matching supported (e.g., `1.2.3` matches `1.2.3`)
- Semver ranges not supported in blacklist (e.g., `>=1.2.0` won't match)
- Use empty array `[]` in blacklist to block all versions of a package
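The matching rules described earlier (exact case-sensitive name, exact version, empty array blocks all versions, scoped packages) and the blacklist limitations just listed, as an added example that is not Sentinel's own code. The sample blacklist uses the entry shape this guide shows (`"express": ["4.18.2"]`, `"express": []`); its contents and the `parseSpec`/`isBlocked`/`findBlocked` helpers are constructed for the example.

```javascript
// Constructed sample blacklist in the documented shape: name -> exact versions,
// where an empty array means "block every version". Not Sentinel's real data file.
const sampleBlacklist = {
  "express": ["4.18.2"],
  "event-stream": [],
  "@scope/package": ["1.0.0", "1.0.1"],
};

// Split "name@version" into its parts. Scoped names start with '@', so the
// version separator is the LAST '@', and an '@' at index 0 belongs to the name.
function parseSpec(spec) {
  const at = spec.lastIndexOf('@');
  if (at <= 0) return { name: spec, version: null }; // no version given
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Apply the documented rules: exact, case-sensitive name; exact version only
// (no semver ranges); empty array blocks all versions; scoped packages supported.
function isBlocked(spec, blacklist = sampleBlacklist) {
  const { name, version } = parseSpec(spec);
  if (!Object.prototype.hasOwnProperty.call(blacklist, name)) return false;
  const versions = blacklist[name];
  if (versions.length === 0) return true; // "express": [] => all versions
  // A range such as ">=4.18.0" is only a string here and never equals an exact version.
  return version !== null && versions.includes(version);
}

// Check a lockfile-like { name: version } map and return the specs that would be blocked.
function findBlocked(deps, blacklist = sampleBlacklist) {
  return Object.entries(deps)
    .map(([name, version]) => `${name}@${version}`)
    .filter((spec) => isBlocked(spec, blacklist));
}

// Usage: constructed dependency map, two of which match the sample blacklist.
console.log(findBlocked({ express: '4.18.2', lodash: '4.17.21', '@scope/package': '1.0.0' }));
```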