# Artifact Server

## Overview

With this deployment, vulnerable dependencies are directly replaced in the relevant dependency or lock files (for example npm’s `package-lock.json`).

In the future, whenever a vulnerable dependency is identified by Seal’s source control integration, it will automatically create a pull request updating the dependencies accordingly, so that next time the package manager will search for the sealed version instead. However for now, automated pull requests aren't available for this setup.

The package manager (or Artifactory) must be configured to use Seal’s artifact server so it will find the sealed packages. This can be done in a centralized manner if all pipelines are using Artifactory. Otherwise it must be configured individually for each pipeline.

## Integration

The initial integration requires configuring Seal's artifact server as an artifact source in each CI pipeline. For example, here is how you would configure Seal as the artifact server on npm:

```
registry=https://npm.sealsecurity.io
//npm.sealsecurity.io/:username=my-project
//npm.sealsecurity.io/:_password=$TOKEN_IN_BASE64
//npm.sealsecurity.io/:always-auth=true
```

## Sealing a package

The dependencies must be manually edited by the developers.

Unlike the [CLI](/fundamentals/deployments/local-configuration.md) deployment which uses the local configuration file, here the developers are required to directly edit their dependencies to use the sealed packages. For example, here is how you would replace a transitive dependency on npm:

```json
{
  "overrides": {
    "ini@1.3.5": "1.3.5-sp1"
  }
}
```

{% hint style="warning" %}
Manually editing transitive dependencies can be challenging, and misconfigured dependencies might lead to quirky behaviors.

Developers are advised to verify after every manual edit that the packages pulled are what they expect them to be.
{% endhint %}

The sealed versions are made to be fully-compatible with the vulnerable ones, so other than fixing the vulnerability there are no side-effects to the substitution. However, as the pull requests naturally trigger the automated tests in the pipeline, the developers can verify there’s no negative impact.

Once a developer reviews and approves the changes, the pull request will be merged and the changes will be reflected on Seal's web application.

<figure><img src="/files/SThebzbtopbpldUkN2nK" alt="" width="373"><figcaption><p>Sealing a package by manually editing the dependencies</p></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sealsecurity.io/fundamentals/deployments/artifact-server.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.