Conversation

@timbastin
Member

No description provided.

Copilot AI review requested due to automatic review settings November 30, 2025 09:54
Contributor

Copilot AI left a comment

Pull request overview

This PR implements a multi-protocol dependency proxy with malicious package detection capabilities. The proxy acts as a firewall that checks package requests against the OSSF malicious packages database and blocks flagged packages before they can be installed.

Key Changes:

  • Added a caching proxy server supporting npm, Go, and OCI/Docker registries with malicious package blocking
  • Integrated OSSF malicious-packages database as a git submodule for detecting known malicious packages
  • Created comprehensive test suite covering malicious package detection, proxy blocking, and path parsing

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 3 comments.

File: Description
main.go: Core proxy implementation with malicious package checker, multi-protocol routing, and caching logic
main_test.go: Test suite for malicious package detection, proxy blocking behavior, and package path parsing
test-npm-project/setup-fake-malicious.sh: Shell script to create fake malicious package entries for safe testing
test-npm-project/package.json: Test npm project configuration that includes a fake malicious package dependency
test-npm-project/.npmrc: npm configuration to point to the local proxy server
.gitmodules: Added malicious-packages submodule reference
go.mod: Promoted go-securesystemslib from indirect to direct dependency
.gitignore: Added cache directory to gitignore
.vscode/settings.json: Added "pypi" to spell checker dictionary
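To make the blocking behaviour the review summarises concrete, here is an added, self-contained sketch of such a gate. It is not the project's main.go and does not reproduce its routing or caching: it loads a few constructed OSV-style records (the OSSF malicious-packages repository publishes one OSV JSON document per flagged package, and the `affected[].package`/`versions` layout used here is an assumption about that format), parses npm tarball and Go module proxy request paths, and answers 403 for a flagged package before anything would be forwarded upstream. The record IDs, package names and request paths are all made up for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// osvRecord is the subset of an OSV advisory the checker needs (assumed layout).
type osvRecord struct {
	ID       string `json:"id"`
	Affected []struct {
		Package struct {
			Ecosystem string `json:"ecosystem"`
			Name      string `json:"name"`
		} `json:"package"`
		Versions []string `json:"versions"`
	} `json:"affected"`
}

// blocklist maps "ecosystem/name" to the set of flagged versions; an empty
// set means the whole package is flagged, whatever the version.
type blocklist map[string]map[string]bool

// loadBlocklist parses one OSV document per entry into a lookup table.
func loadBlocklist(docs [][]byte) (blocklist, error) {
	bl := blocklist{}
	for _, doc := range docs {
		var rec osvRecord
		if err := json.Unmarshal(doc, &rec); err != nil {
			return nil, fmt.Errorf("parse advisory: %w", err)
		}
		for _, a := range rec.Affected {
			key := strings.ToLower(a.Package.Ecosystem) + "/" + a.Package.Name
			if _, ok := bl[key]; !ok {
				bl[key] = map[string]bool{}
			}
			for _, v := range a.Versions {
				bl[key][v] = true
			}
		}
	}
	return bl, nil
}

// isMalicious reports whether ecosystem/name@version must be blocked.
// A metadata request carries an empty version and is only blocked when the
// whole package is flagged, so clients can still resolve a clean version.
func (bl blocklist) isMalicious(ecosystem, name, version string) bool {
	versions, ok := bl[strings.ToLower(ecosystem)+"/"+name]
	if !ok {
		return false
	}
	return len(versions) == 0 || versions[version]
}

// parseRequest maps a registry-style request path to (ecosystem, name, version).
// Recognised shapes (constructed for this example):
//   Go module proxy: /<module>/@v/<version>.{info,mod,zip} (module-path escaping such as "!u" is not handled)
//   npm tarball:     /<name>/-/<basename>-<version>.tgz, with <name> optionally scoped (@scope/pkg)
//   anything else:   treated as an npm metadata request for package <path>
func parseRequest(path string) (ecosystem, name, version string, ok bool) {
	p := strings.TrimPrefix(path, "/")
	if p == "" {
		return "", "", "", false
	}
	if i := strings.Index(p, "/@v/"); i > 0 {
		file := p[i+len("/@v/"):]
		ver := strings.TrimSuffix(strings.TrimSuffix(strings.TrimSuffix(file, ".zip"), ".info"), ".mod")
		return "Go", p[:i], ver, true
	}
	if i := strings.Index(p, "/-/"); i > 0 {
		name = p[:i]
		base := name[strings.LastIndex(name, "/")+1:]
		file := strings.TrimSuffix(p[i+len("/-/"):], ".tgz")
		if !strings.HasPrefix(file, base+"-") {
			return "", "", "", false
		}
		return "npm", name, strings.TrimPrefix(file, base+"-"), true
	}
	return "npm", p, "", true
}

// newHandler is the gate a proxy runs before forwarding: flagged packages get
// 403, everything else is handed to next (the upstream fetch/cache layer).
func newHandler(bl blocklist, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		eco, name, ver, ok := parseRequest(r.URL.Path)
		if ok && bl.isMalicious(eco, name, ver) {
			http.Error(w, fmt.Sprintf("blocked: %s package %s@%s is listed as malicious", eco, name, ver), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// sampleRecords are constructed OSV-style documents for the demo, not real advisories.
var sampleRecords = [][]byte{
	[]byte(`{"id":"MAL-0000-0001","affected":[{"package":{"ecosystem":"npm","name":"evil-pkg"}}]}`),
	[]byte(`{"id":"MAL-0000-0002","affected":[{"package":{"ecosystem":"npm","name":"@acme/utils"},"versions":["1.0.1"]}]}`),
	[]byte(`{"id":"MAL-0000-0003","affected":[{"package":{"ecosystem":"Go","name":"github.com/example/backdoor"}}]}`),
}

// statusFor sends one request through the gate backed by a stub upstream and
// returns the HTTP status, so the decision can be checked without a network.
func statusFor(path string) int {
	bl, err := loadBlocklist(sampleRecords)
	if err != nil {
		panic(err)
	}
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	newHandler(bl, upstream).ServeHTTP(rec, httptest.NewRequest("GET", path, nil))
	return rec.Code
}

func main() {
	for _, p := range []string{
		"/evil-pkg/-/evil-pkg-2.0.0.tgz",
		"/@acme/utils/-/utils-1.0.1.tgz",
		"/@acme/utils/-/utils-1.0.2.tgz",
		"/github.com/example/backdoor/@v/v0.1.0.zip",
		"/lodash/-/lodash-4.17.21.tgz",
	} {
		fmt.Println(p, statusFor(p))
	}
}
```

The design choice worth noting is the version handling: a record without a `versions` list flags the whole package, so even the metadata document is refused, while a record naming specific versions lets the client fetch metadata and pick an unflagged release. A real proxy would load the submodule's files from disk instead of the inline records and refresh them when the submodule is updated.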
