:registry.givo.dev

Your registry.
All of npm.

GIVO replaces npmjs as your registry. Your packages are hosted and sealed with tamper-proof stamps. Everything else is federated from npmjs: cached, integrity-checked, kill-switchable, and safe for AI agents to read.

$ curl -fsSL givo.dev/install | sh

npm, with proof.

Same packages, same workflow, and a supply chain you can actually account for.

  The usual registry GIVO
Registry npmjs only Yours + npmjs, federated
Integrity Trust on publish Sealed write-once stamp
Bad version Unpublish / deprecate Tombstone: installs get 410
Publishing Publish is final Draft → release, test first
npmjs outage Installs break The cache keeps serving
AI agents Docs served raw AGENTS.md injection-wrapped
Engine One package manager npm + pnpm, one command

One registry to front them all.

Point npm at GIVO once with givo setup --global and every install flows through it: your packages from the source, the rest proxied from npmjs with receipts.

Hosted wins the cascade

Your names resolve from GIVO itself, full lifecycle attached. A name that also exists on npmjs? Yours wins, and the shadowing is flagged loudly at publish.

Cached and verified

Every tarball is checked against the manifest checksum before it is ever cached, so corrupted or tampered upstream bytes never stick. Packuments revalidate with etags.

Outage-proof

npmjs down? Everything that ever resolved through GIVO keeps installing from the cache, marked stale. Cold names fail loud, never silent.

request hosted· federated npmjs verify + cache

Sealed, not trusted.

A release is not a promise. It is a receipt. GIVO stamps every version and can pull a bad one without rewriting history.

Write-once stamp

On release, the registry seals the version: name, integrity, shasum, size and a reproducible digest. Immutable from there on.

Tombstone kill-switch

A malicious or corrupted release is replaced by a gravestone: installs get a hard 410, and the record stays permanent.

Draft → release

Publish lands as a mutable draft you can re-push and test via pkg@draft. Releasing seals it and moves latest.

publish draft release deprecate· tombstone

Built for agents.

Half the installs are driven by an AI now. A package's docs are untrusted input, and GIVO treats them that way.

Injection-wrapped docs

On install, givo wraps each AGENTS.md in a safety notice, before and after the content, so a doc can't quietly steer the agent reading it.

No trust by source

A trusted publisher with a hijacked chain is still a threat. The warning is unconditional, never "this one's fine."

On the disk, not the screen

The notice is written into the file itself, so it holds even when stdout is piped to /dev/null.

One line to start.

$ curl -fsSL givo.dev/install | sh

Then make GIVO the registry for everything:

$ givo setup --global

Needs Node ≥ 22.