Alternatives

Other tools in this space, and when they might suit you better.

Écluse is one answer to a problem many people are working on, and nowhere near the only good one. Its core idea, holding fresh packages behind a delay and applying a policy at a chokepoint, has been reached independently by a range of projects and vendors, several more mature than Écluse is today.

This page is a genuine, good-faith guide. Each entry says what a tool offers and when to reach for it; if one fits you better than Écluse, use it. For why Écluse exists and how it differs, see MOTIVATION.md.

Self-hosted filtering proxies

A service you run and point your clients at, which filters or gates packages on the way through. The closest cousins to Écluse.

Package-manager and bot cooldowns

Per-project, per-consumer controls that need no infrastructure: right when you can guarantee consistent configuration across everyone who installs.

Commercial platforms and hosted services

Turnkey, vendor-supported central enforcement without building or maintaining it yourself.

Complementary tools (not substitutes)

These address a different part of the problem and pair with any of the above.

Where Écluse fits

Écluse aims at one corner of these trade-offs: an enforced, central chokepoint that's open and self-hostable, composes in front of the managed registry you already run rather than replacing it or hosting packages itself, and applies a deny-by-default freshness policy consistently, so a malicious-package disclosure is answered by comparing timelines rather than auditing logs. npm is the first supported ecosystem; the core is registry-agnostic, with PyPI and RubyGems on the roadmap. It's also early and unproven (see MOTIVATION.md, "What Écluse is not").

If a different point on these trade-offs serves you better, use one of the tools above.