# Takumi Guard: npm Lockfile Behavior Change for npm v11.15.0+ Compatibility

Takumi Guard now rewrites tarball download URLs for npm v11.15.0 and later, keeping installs working with **npm's new supply chain protections**. Users on these npm versions will see Takumi Guard's registry URL in their `package-lock.json` files.

## Background

npm v11.15.0 introduced enforcement of the `--allow-remote` supply chain control. With this check, a dependency whose tarball download URL points to a host different from the configured registry is classified as a "remote" dependency, and downloads of such transitive dependencies are rejected.

Previously, Takumi Guard served upstream `registry.npmjs.org` tarball URLs to npm clients verbatim. Under the new check, npm sees a mismatch between the configured registry (`npm.flatt.tech`) and the tarball host, so installs through Takumi Guard could fail with `EALLOWREMOTE` errors on npm v11.15.0 and later.

Takumi Guard now rewrites tarball URLs to its own host for npm v11.15.0+ clients, which restores the correct "registry" classification. Upcoming npm releases are set to tighten these checks further — for example, by also requiring tarball URLs to live under the configured registry's path — so this change is a necessary step to keep Takumi Guard compatible with current and future npm versions.
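To see how the host comparison described above plays out against a real lockfile, here is an added example (not Takumi Guard's or npm's own code) that audits a `package-lock.json` (lockfileVersion 2/3) and lists the entries whose `resolved` host differs from the configured registry. It is a simplified model of the rule, not npm's implementation; the `requirePathPrefix` option approximates the stricter path check that the note says upcoming npm releases are expected to enforce, and the sample lockfile and its integrity values are constructed placeholders.

```javascript
// Classify one `resolved` URL against the configured registry. Simplified model
// of the npm v11.15.0+ "remote" rule described above, not npm's own code.
function classifyResolved(resolved, registryUrl, { requirePathPrefix = false } = {}) {
  if (!resolved) return "unresolved";            // root entry or missing field
  let url;
  try { url = new URL(resolved); } catch { return "invalid"; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "non-http"; // e.g. git+ssh
  const registry = new URL(registryUrl);
  if (url.host !== registry.host) return "remote"; // host mismatch -> EALLOWREMOTE territory
  // Stricter rule expected in upcoming npm releases: tarball must live under the
  // registry's path, not merely on its host (assumed semantics, see lead-in).
  if (requirePathPrefix && !url.pathname.startsWith(registry.pathname)) return "remote";
  return "registry";
}

// Walk the `packages` map of a lockfile and bucket entries by classification.
function auditLockfile(lock, registryUrl, options) {
  const report = { remote: [], registry: [], other: [] };
  for (const [name, entry] of Object.entries(lock.packages || {})) {
    const cls = classifyResolved(entry.resolved, registryUrl, options);
    if (cls === "remote") report.remote.push(name);
    else if (cls === "registry") report.registry.push(name);
    else report.other.push(name);
  }
  return report;
}

// Constructed sample lockfile; integrity values are placeholders, not real hashes.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/left-pad": {            // upstream URL: flagged as remote
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/lodash": {              // rewritten URL: classified as registry
      version: "4.17.21",
      resolved: "https://npm.flatt.tech/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/mylib": {               // git dependency: neither bucket
      version: "0.1.0",
      resolved: "git+ssh://git@example.invalid/org/mylib.git#abc123",
    },
  },
};

const SAMPLE_REPORT = auditLockfile(SAMPLE_LOCK, "https://npm.flatt.tech/");
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

Running it against the sample prints `left-pad` under `remote` (the case that fails on npm v11.15.0+ without the URL rewrite) and `lodash` under `registry`.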

## What Changes

### npm v11.15.0 and later

Lockfile (`package-lock.json`) entries that are added or updated will record Takumi Guard's registry URL (`https://npm.flatt.tech/...`) in their `resolved` fields instead of the upstream `registry.npmjs.org` URL. **This is expected behavior** and is necessary for installs to work under npm's supply chain checks.

Package integrity is unaffected — `integrity` hashes are unchanged, and `npm audit signatures` continues to verify registry signatures and attestations as before.

### npm versions before v11.15.0

No change. Older npm clients continue to receive upstream tarball URLs, and their lockfiles are unaffected.

### pnpm, Yarn, and Bun

No change in this release. pnpm does not record full tarball URLs in `pnpm-lock.yaml`, so its lockfile never contains registry hosts. Yarn v1 already records Takumi Guard's URL in `yarn.lock` as described in a [previous release note](/docs/r/202604-takumi-guard-yarn-v1-lockfile); Yarn v2–v4 (Berry) and Bun are unaffected.

## Recommendation

If you prefer to keep registry URLs out of your lockfile entirely, consider migrating to **pnpm**. pnpm does not embed tarball URLs in its lockfile, works seamlessly with Takumi Guard, and offers strong supply chain security features out of the box.
