13 ecosystems · Self-hosted · MIT License · Open source

One cache for all your dependencies

pip, apt, npm, cargo, Go, Maven, Docker and more — Depsilo proxies and caches them all with built-in security scanning. Deploy once on your LAN, and every machine on your team gets local-disk speed installs.

$ docker run -p 8080:8080 depsilo/depsilo
  • < 10 min to deploy
  • > 80% typical cache hit rate
  • 40–70% CI build time reduction
  • ~50 MB memory footprint
ECOSYSTEMS

All the package managers your team uses

All 13 package managers are production-ready today. pip, apt, npm, cargo, Go, Maven, RubyGems, Composer, NuGet, Conda, CRAN, Helm, and Docker — unified config, one binary, one dashboard.

  • pip: Python packages (Live)
  • apt: Ubuntu / Debian (Live)
  • npm: Node.js packages (Live)
  • Go modules: Go packages (Live)
  • cargo: Rust crates (Live)
  • Maven: Java / Kotlin (Live)
  • RubyGems: Ruby packages (Live)
  • Composer: PHP packages (Live)
  • NuGet: .NET packages (Live)
  • Conda: Data science (Live)
  • CRAN: R packages (Live)
  • Helm: Kubernetes charts (Live)
  • Docker: Container images (Live)

All ecosystems share the same cache engine, storage backend, and web UI. Adding a new one is a plugin, not a rewrite.

FEATURES

Built for how teams actually work

Singleflight cache — zero duplicate fetches

100 concurrent CI jobs requesting the same package? Only one upstream fetch happens. Everyone else waits and gets served the moment it lands in cache. No thundering herd, no wasted bandwidth.
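
An added sketch of the singleflight pattern described above, not Depsilo's implementation: the first request for a key performs the upstream fetch, and later requests for the same key wait and share its result or its error. The class, its method names and the `simulate` helper are hypothetical.

```python
import threading
import time

class SingleFlight:
    """Collapse concurrent calls that share a key into one execution of fn."""
    def __init__(self):
        self._lock = threading.Lock()
        self._calls = {}  # key -> state of the in-flight call
    def waiters(self, key):
        with self._lock:
            return self._calls[key]["waiters"] if key in self._calls else 0
    def do(self, key, fn):
        with self._lock:
            call = self._calls.get(key)
            leader = call is None
            if leader:
                call = self._calls[key] = {"done": threading.Event(), "waiters": 0}
            else:
                call["waiters"] += 1
        if not leader:
            call["done"].wait()
        else:
            try:
                call["value"] = fn()
            except Exception as exc:  # followers must see the same failure
                call["error"] = exc
            finally:
                with self._lock:
                    del self._calls[key]  # a failed fetch is not remembered
                call["done"].set()
        if "error" in call:
            raise call["error"]
        return call["value"]

def simulate(jobs=100, key="pip/torch-2.1.0"):
    """Constructed demo: `jobs` threads request one artifact at the same time."""
    sf, fetches, results = SingleFlight(), [], []
    def upstream_fetch():  # stands in for the download; stays slow until all jobs joined
        fetches.append(key)
        while sf.waiters(key) < jobs - 1:
            time.sleep(0.001)
        return b"artifact-bytes"
    threads = [threading.Thread(target=lambda: results.append(sf.do(key, upstream_fetch)))
               for _ in range(jobs)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(fetches), set(results)
```

Because the in-flight entry is deleted whether the fetch succeeds or fails, an upstream error reaches every waiting client once and the next request retries upstream.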

Multi-upstream with per-source proxy

Configure tuna, aliyun, and pypi.org in priority order. Automatic health checks and latency-based fallback. Need a proxy for one upstream but not others? Set it per-source, not globally.

Local disk or S3 — switch with one line

Start with local filesystem, zero config. When your cache outgrows a single machine or you want shared storage across nodes, switch to any S3-compatible backend with one line in config.toml. No data migration needed.

Web UI + Prometheus built in

Hit rate, top packages, upstream latency, storage usage — visible without any extra setup. Prometheus endpoint at /metrics plugs into your existing Grafana dashboards in minutes.

Security intelligence — know before you install

Every cached package is automatically checked against OSV.dev for known CVEs. See vulnerability reports in your dashboard, get suggested block rules, and auto-block packages exceeding your CVSS threshold. Pro feature.

SBOM generation — SPDX & CycloneDX

Create projects, track which packages each project uses, and export a standards-compliant Software Bill of Materials. SPDX 2.3 and CycloneDX 1.5 formats, ready for compliance reviews and audits. Pro feature.

WHY DEPSILO

Why not just configure Nginx caching?

We get asked this a lot. Here's the honest answer.

| | DIY Nginx cache | Depsilo (Recommended) |
|---|---|---|
| PyPI URL rewriting | Manual regex rewriting required — easy to get wrong, breaks on edge cases | Automatic. pip always downloads through your cache, zero config per client beyond index-url |
| APT GPG signatures | Must MITM the connection or signatures break, security risk | Full passthrough. apt verify works exactly as before, no extra keys needed |
| Ecosystem support | One config per package manager, N separate tools to maintain, update, and monitor | 13 ecosystems — pip, apt, npm, Go, cargo, Maven, RubyGems, Composer, NuGet, Conda, CRAN, Helm, Docker. One binary, one config, one dashboard. |
| Cache visibility | Access logs only, no hit rate, no package analytics | Dashboard with hit rate, top packages, upstream health, latency percentiles |
| Multi-upstream failover | Manual upstream_hash or ip_hash, no health checks | Automatic health checks, latency-based selection, instant failover |
| Concurrent deduplication | Multiple clients trigger multiple upstream fetches | Singleflight: N concurrent requests = 1 upstream fetch |
| Maintenance | You own every edge case, every package manager update | We handle protocol changes, you just docker pull |
| Security scanning | Not included — need separate tools like Snyk or Trivy | Built-in CVE scanning via OSV.dev. Auto-block vulnerable packages above your CVSS threshold. |

QUICK DEMO

From first install to desktop app — it just works.

Depsilo runs as a Docker container, a standalone binary, or a desktop app with native window. Your tools don't even know it's there, they just feel faster.

  • One setup command per machine, then transparent forever
  • Works with pip, Poetry, uv, apt, npm, Docker, and CI/CD pipelines
  • Built-in CVE scanning keeps your team safe
terminal
# setup (once)
$ pip config set global.index-url http://depsilo:8080/pip/
$ echo 'deb http://depsilo:8080/apt/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/depsilo.list
# first install → cache miss
$ pip install torch==2.1.0
MISS torch-2.1.0+cu121 243ms 892MB cached
# any other machine → cache hit
$ pip install torch==2.1.0
HIT torch-2.1.0+cu121 8ms served from cache
# works for every ecosystem
HIT build-essential_12.9 4ms apt
HIT gin@v1.9.1 3ms go
HIT serde-1.0.193 4ms cargo
HIT spring-core:6.1.0 12ms maven
HIT nginx-ingress-4.8.3.tgz 6ms helm
USE CASES

Built for teams in every environment

From startup offices to air-gapped labs — one tool, many contexts.

CI/CD pipelines

50 concurrent jobs all need the same packages. Without Depsilo, that's 50 upstream fetches and 50x the bandwidth. With Depsilo, it's one fetch and a fast LAN stream to everyone else.

Key benefit: CI build time reduced 40–70%

Slow or metered office networks

Your office bandwidth is shared and limited. Depsilo sits on a local machine and absorbs all package traffic. Once a package is cached, the internet is no longer in the critical path.

Key benefit: Bandwidth usage reduced >80%

Air-gapped & regulated environments

No internet access in your build environment? Pre-populate Depsilo's cache from an external machine, then run fully offline. All cached packages remain available indefinitely.

Key benefit: Full offline operation after initial sync

Full-stack teams

Your team uses Python, Node.js, Go, and Java all at once. Instead of configuring four separate caches, Depsilo handles all of them from a single endpoint. One deployment, one dashboard, one place to check hit rates.

Key benefit: 13 ecosystems, one deployment

Security & compliance teams

Every package your team downloads is checked for known CVEs automatically. Set CVSS thresholds per ecosystem, auto-block vulnerable versions, and export audit reports for compliance reviews.

Key benefit: Automated CVE scanning on every download
PRICING

Simple, honest pricing

Depsilo is self-hosted. Your data stays on your servers. Pay only for the features that matter at scale.

Community
For individuals and small teams
Free · forever
  • All 13 ecosystems (pip, apt, npm, Docker, …)
  • Multi-upstream + per-source proxy
  • Automatic health checks & failover
  • Web UI dashboard
  • Prometheus /metrics endpoint
  • Local filesystem storage
  • SQLite database
  • Single node
  Not included in Community:
  • Persistent audit logs
  • Package allow / deny rules
  • S3 storage backend
  • PostgreSQL database
  • Multi-node shared cache
  • Priority support

Self-hosted · MIT License · no license key required

Most popular
Pro
For teams that need visibility and control
$9 / month
or $89 / year · save 17%
  • Everything in Community
  • Persistent audit logs
    Who pulled what version, when, from which IP
  • Package allow / deny rules
    Block vulnerable versions, enforce approved packages, generate per-project SBOM
  • S3-compatible storage backend
  • PostgreSQL database
  • Data export (CSV / JSON)
  • Priority email support (48h response)
  • Early access to new ecosystems
  • Vulnerability scanning (OSV.dev)
    Auto-scan cached packages, block by CVSS threshold
  • SBOM generation (SPDX & CycloneDX)
    Per-project dependency tracking, export for compliance
  Not included in Pro:
  • Multi-node shared cache
  • LDAP / OIDC SSO

14-day free trial · no credit card required · cancel anytime · your data stays on your servers

Team
For larger teams and regulated environments
$29 / month
or $290 / year · save 17%
  • Everything in Pro
  • Multi-node shared cache
    Multiple Depsilo instances share one S3 backend
  • LDAP / OIDC SSO
  • Version locking
    Force minimum package versions across your org
  • Forced routing rules
    Certain packages must come from internal sources
  • Dedicated support (Slack / email · 24h response)
  • Custom SLA

Ideal for 20+ developers or compliance-sensitive environments

All plans are self-hosted. We never see your packages, your code, or your network traffic. · Enterprise? Let's talk → hi@depsilo.com

FROM DEVELOPERS

Teams that stopped fighting slow installs

"Our CI dropped from 8 minutes to under 2. torch and numpy were the culprits — now cached, every job flies. docker run and 15 minutes of config. That's it."

Zhang Wei
Platform Engineer · 40-person AI startup

"Flaky office internet was making everyone miserable. Depsilo on a local NUC fixed it completely. apt install now feels like it's reading from disk."

Sarah Kim
DevOps Lead · embedded systems team

"I evaluated self-configuring Nginx for this. The PyPI URL rewriting alone would have taken days to get right. Depsilo just handled it."

Marcus R.
Senior SRE · fintech company

"We work in an air-gapped lab. Depsilo lets us pre-populate a cache from outside, then work at full speed with zero internet. Audit logs help us prove compliance."

Aisha L.
Security Engineer · biotech lab
FAQ

Questions we get asked before people deploy

Will APT package verification (GPG) still work?
Yes. Depsilo passes through the original Release/InRelease files completely untouched. apt's GPG verification chain is identical to connecting directly to the upstream mirror. No extra keys, no trust configuration needed.
What happens if Depsilo goes down?
Clients fall back to their original upstream automatically — pip and apt both have built-in fallback behavior. Cached packages are always available as long as Depsilo is running. We recommend running Depsilo with restart: always in Docker Compose.
Can I use private PyPI repositories?
Yes. Upstream sources can be any PyPI-compatible URL, including private repositories with authentication. Set credentials per upstream in config.toml — they're never exposed to clients.
Does it work with Poetry, uv, and pip-tools?
Yes. Depsilo implements the standard PyPI Simple API (PEP 503). Any tool that respects index-url will work: pip, Poetry, uv, pip-tools, PDM, and others.
Where is my data stored?
On your own servers, always. Depsilo is entirely self-hosted. We have no access to your packages, your network, or your configuration. Community is fully open source (MIT).
What's the difference between Community and Pro?
Community covers everything you need to speed up your team's installs. Pro adds the compliance and governance layer: persistent audit logs, package allow/deny rules, CVE vulnerability scanning, per-project SBOM generation (SPDX & CycloneDX), and S3/PostgreSQL for larger deployments.
Can I run multiple Depsilo instances sharing one cache?
Yes, with the Team plan. Multiple Depsilo nodes can share a single S3-compatible storage backend. Each node serves from the same cache, so a package fetched by any node is immediately available to all others.
How do I activate a Pro license?
Add one line to config.toml: [license] key = "YOUR-LICENSE-KEY". Then restart Depsilo. The license is verified against our API on startup and re-checked every 24 hours. Internet access is required for verification, but a verification failure never stops the service from running.
Which package managers are supported?
All 13 are production-ready: pip (Python), apt (Ubuntu/Debian), npm (Node.js), Go modules, cargo (Rust), Maven (Java/Kotlin), RubyGems, Composer (PHP), NuGet (.NET), Conda, CRAN (R), Helm (Kubernetes), and Docker Registry (container images). All share the same cache engine, storage, and web UI.
How do I configure each package manager to use Depsilo?
Each ecosystem has a one-line config. See the Quick Start page at your Depsilo instance for ready-to-copy commands. Prefer a desktop experience? Download the Depsilo desktop app from GitHub Releases.
Can Depsilo generate an SBOM?
Yes. Create a project in the admin panel, configure your package manager to use the project's proxy URL, and Depsilo automatically tracks every package downloaded. Export an SBOM in SPDX 2.3 or CycloneDX 1.5 format at any time. Pro feature.
Does Depsilo scan for vulnerabilities?
Yes. Depsilo checks every cached package against OSV.dev for known CVEs. You can set CVSS thresholds per ecosystem to auto-block vulnerable packages, and review suggested block rules in the security dashboard. Pro feature.
DEPLOY

Running in production in under 10 minutes

Single binary. One config file. No runtime dependencies, no JVM, no Elasticsearch.

1. Run with Docker

docker run -d \
  -p 8080:8080 \
  -v $(pwd)/data:/data \
  --restart unless-stopped \
  depsilo/depsilo

Uses SQLite and local filesystem by default. No other dependencies required.

2. Configure your machines

pip
pip config set global.index-url http://YOUR_IP:8080/pip/

apt
# Add source
echo "deb http://YOUR_IP:8080/apt/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/depsilo.list
# Update
sudo apt update

3. Open the dashboard

http://YOUR_SERVER_IP:8080
Ready for traffic

Hit rate, top packages, upstream health, storage usage — no extra setup required. Prometheus metrics at /metrics.

Want docker-compose with PostgreSQL and S3? See the full deployment guide →

Or download the desktop app

No Docker? Download Depsilo as a native desktop app for macOS, Windows, or Linux. Same features, native window, built-in setup wizard.

Download from GitHub Releases