Takumi Guard: npm Lockfile Behavior Change for npm v11.15.0+ Compatibility

Deividas Turskis
Software Engineer @ GMO Flatt Security Inc.

Takumi Guard now rewrites tarball download URLs for npm v11.15.0 and later, keeping installs working with npm's new supply chain protections. Users on these npm versions will see Takumi Guard's registry URL in their package-lock.json files.

Background

npm v11.15.0 introduced enforcement of the --allow-remote supply chain control. With this check, a dependency whose tarball download URL points to a host different from the configured registry is classified as a "remote" dependency, and downloads of such transitive dependencies are rejected.

Previously, Takumi Guard served upstream registry.npmjs.org tarball URLs to npm clients verbatim. Under the new check, npm sees a mismatch between the configured registry (npm.flatt.tech) and the tarball host, so installs through Takumi Guard could fail with EALLOWREMOTE errors on npm v11.15.0 and later.

Takumi Guard now rewrites tarball URLs to its own host for npm v11.15.0+ clients, which restores the correct "registry" classification. Upcoming npm releases are set to tighten these checks further — for example, by also requiring tarball URLs to live under the configured registry's path — so this change is a necessary step to keep Takumi Guard compatible with current and future npm versions.

What Changes

npm v11.15.0 and later

Lockfile (package-lock.json) entries that are added or updated will record Takumi Guard's registry URL (https://npm.flatt.tech/...) in their resolved fields instead of the upstream registry.npmjs.org URL. This is expected behavior and is necessary for installs to work under npm's supply chain checks.
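To see which lockfile entries the host check described above would treat as "remote" before running an install, the following script classifies the resolved URLs in a package-lock.json (lockfileVersion 2 or 3) against a configured registry URL. This is an added example, not code from Takumi Guard or from npm: it reproduces only the host comparison this note describes, the optional strict mode is an assumption modelling the tighter path check the note says upcoming npm versions will add, and the lockfile fragment, package names and integrity values are constructed for illustration.

```javascript
// Added example (not Takumi Guard's or npm's code): classify package-lock.json
// "resolved" URLs the way the release note describes npm v11.15.0+ doing it,
// so you can see which entries a given registry setting would reject as
// "remote" before running an install. All sample values are constructed.

// Constructed lockfile fragment: one entry still pointing at upstream, one
// already rewritten to the proxy host, and one non-registry tarball URL.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/is-even": {
      version: "1.0.0",
      resolved: "https://npm.flatt.tech/is-even/-/is-even-1.0.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/some-fork": {
      version: "0.1.0",
      resolved: "https://example.com/tarballs/some-fork-0.1.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
  },
};

/**
 * Classify one resolved URL against the configured registry URL.
 *   "registry" - tarball host matches the registry host (accepted by npm)
 *   "remote"   - host differs (rejected by npm v11.15.0+ without --allow-remote)
 * With strict=true the tarball path must also sit under the registry URL's
 * path; this models the tighter check the note says upcoming npm releases add
 * and is an assumption, not npm's actual implementation.
 */
function classifyResolved(resolved, registryUrl, strict = false) {
  const registry = new URL(registryUrl);
  let target;
  try {
    target = new URL(resolved);
  } catch {
    return "remote"; // an unparseable URL can never be a registry tarball
  }
  if (target.host !== registry.host) return "remote";
  if (strict) {
    const base = registry.pathname.endsWith("/")
      ? registry.pathname
      : registry.pathname + "/";
    if (!target.pathname.startsWith(base)) return "remote";
  }
  return "registry";
}

/** Walk the lockfile's "packages" map and collect entries classified as remote. */
function findRemoteDependencies(lockfile, registryUrl, strict = false) {
  const remote = [];
  for (const [location, entry] of Object.entries(lockfile.packages ?? {})) {
    if (location === "" || !entry.resolved) continue; // root project or no tarball
    if (classifyResolved(entry.resolved, registryUrl, strict) === "remote") {
      remote.push({ location, resolved: entry.resolved });
    }
  }
  return remote;
}

// Usage: the registry value is what `npm config get registry` would return
// for a Takumi Guard user; compare the lockfile against it.
const configuredRegistry = "https://npm.flatt.tech/";
const remoteEntries = findRemoteDependencies(SAMPLE_LOCKFILE, configuredRegistry);
console.log(`${remoteEntries.length} entries would be treated as remote by npm v11.15.0+:`);
for (const r of remoteEntries) console.log(`  ${r.location} -> ${r.resolved}`);
```

On the constructed sample, the left-pad entry (still resolved to registry.npmjs.org) and the some-fork entry (a tarball on an unrelated host) are reported as remote, while the is-even entry already rewritten to npm.flatt.tech passes. Regenerating the lockfile with an npm v11.15.0+ client through Takumi Guard is what moves entries of the first kind into the "registry" class.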

Package integrity is unaffected — integrity hashes are unchanged, and the npm audit signatures command continues to verify registry signatures and attestations as before.

npm versions before v11.15.0

No change. Older npm clients continue to receive upstream tarball URLs, and their lockfiles are unaffected.

pnpm, Yarn, and Bun

No change in this release. pnpm does not record full tarball URLs in pnpm-lock.yaml, so its lockfile never contains registry hosts. Yarn v1 already records Takumi Guard's URL in yarn.lock as described in a previous release note; Yarn v2–v4 (Berry) and Bun are unaffected.

Recommendation

If you prefer to keep registry URLs out of your lockfile entirely, consider migrating to pnpm. pnpm does not embed tarball URLs in its lockfile, works seamlessly with Takumi Guard, and offers strong supply chain security features out of the box.