
Category Vision - Dependency Proxy

Dependency Proxy

Many projects depend on a growing number of packages that must be fetched from external sources with each build. This slows down build times and introduces availability issues into the supply chain. In addition, many of these external sources come from unknown and unverified providers, introducing potential security vulnerabilities.

For organizations, this presents a critical problem. By providing a mechanism for storing and accessing external packages, we enable faster and more reliable builds. By empowering SecOps to set security policies and remediate known vulnerabilities, we will limit exposure to security issues. By providing a transparent, performant supply chain, we will improve collaboration and drive conversational development for our users.

This page is maintained by the Product Manager for Package, Tim Rizzi (E-mail)

Target audience and experience

This feature impacts five types of users, who need it to:

  1. Provide a single method of reaching upstream package management utilities, in the event they are not otherwise reachable. This is commonly due to network restrictions.
  2. Let proxy packages act as a cache for increased pipeline build speeds.
  3. Verify package integrity from one single place. See what has been changed and test packages for security vulnerabilities (part of the Black Duck model).
  4. Filter the available upstream packages to include only approved, whitelisted packages.
  5. Track which dependencies are utilized by which projects when pulled through the proxy (perhaps when authenticated with a CI_JOB_TOKEN).
  6. Audit logs in order to find out exactly what happened and with what code.
  7. Operate when fully cut off from the internet with local dependencies.
  8. Enforce policies at the proxy layer (e.g. scan packages for licenses and only allow packages with compatible licenses).

What's next & why

We have launched the MVC of the dependency proxy with limited availability. gitlab-#78 will update gitlab.com to use Puma, making the Dependency Proxy available for all public projects.

gitlab-#11582 will focus on adding authentication to enable use of the Dependency Proxy with private projects. gitlab-#11631 will add the ability to delete items from the Dependency Proxy.

Maturity Plan

This category is currently at the "Minimal" maturity level, and our next maturity target is Viable (see our definitions of maturity levels). Key deliverables to achieve this are:

Competitive landscape

JFrog is the leader in this category. They offer 'remote repositories', which serve as a caching repository for various package manager integrations. Using the command line, API or a user interface, a user may create policies and control caching and proxying behavior. A Docker image may be requested from a remote repository on demand, and if no content is available it will be fetched and cached according to the user's policies. In addition, they offer support for many of the major packaging formats in use today. For storage optimization, they offer checksum-based storage, deduplication, copying, moving and deletion of files.

However, since they have focused on solving all possible use cases, there is room for simplification and design improvements. We believe this will allow GitLab to provide a more accessible and easier-to-navigate solution. In addition, we provide added value by combining this with our own CI/CD services, improving speed and keeping everything on-premise.

Top Customer Success/Sales issue(s)

The top customer success issue is gitlab-#11582, which will introduce authentication and allow users to leverage the Dependency Proxy with private projects.

Top user issue(s)

To improve capabilities for our existing users, we want to deliver gitlab-#9164 (npm) and gitlab-#9163 (Maven), which will add Dependency Proxy support to the npm and Maven repositories.

Top internal customer issue(s)

Our top internal customer is the Distribution team, which would like to avoid relying on external sources for downloading dependencies. gitlab-distribution#496 will deploy Puma to gitlab.com and allow them to begin using the Dependency Proxy for images sourced from DockerHub.

Top Vision Item(s)

Our top vision item is gitlab-#11680, which will introduce search and make items in the Dependency Proxy easier to discover.