About.
Operator
GIVO is built and operated by Danthur Lice as a Tree Combinator
project. Contact: dev (at) treecombinator.com.
Source
The givo CLI, the code that runs on your machine, is open
source: github.com/treecombinator/givo-cli
(also linked from the package's repository field). The registry
service itself is not published, the same model npm uses: open client, closed
service. What the service guarantees is verifiable from the outside; see below.
What the registry sees and stores
- Installs are open and unauthenticated: no account, no token, no tracking beyond standard operational logs.
- Every write (publish, release, deprecate, tombstone, token and account operations) becomes an immutable, append-only audit record carrying the acting token's id.
- Tokens are stored hashed; the raw value is shown once and never kept.
- Federated packages are cached copies of npmjs content, verified against the manifest checksum before caching.
Verify, do not trust
- Every released version has a public stamp at
/npm/<pkg>/-/<base>-<v>.stamp.json; recomputesha256(<name>@<version>:<integrity>)and compare. - Your lockfile pins integrity hashes; npm and pnpm verify every tarball on your machine. A registry cannot alter released bytes silently.
- Leaving takes one line:
npm config delete registry --location=user.
The full trade-off, written for skeptics (human and machine), is in AGENTS.md and in the docs.
Operational expectations
GIVO is operated best effort by one person; there is no paid SLA. What holds
regardless of the operator's day: released versions are immutable, everything
that ever resolved through GIVO keeps installing during an npmjs outage, every
package's write history is public at
/npm/-/givo/audit/<pkg>, and leaving takes one line.
Liveness: https://registry.givo.dev/ answers
{"ok": true}.
Abuse
Malicious package, compromised release, name squatting: see
givo.dev/abuse. Verified reports get the version tombstoned
(downloads answer 410, the record stays as evidence) and the
publishing token revoked.