Where in the npm code does it verify the packages against a checksum? Also, is it possible to verify one machine’s installation of node and packages vs another machine’s? As in, is it possible to generate a bunch of checksums for a machine to compare with whatever’s in the registry, and on a separate machine?
In npm, it seems to be using a tree library called the arborist to create a replica of the directory structure. On the other hand, as a user I’d like to be able to validate and generate checksums of the packages for the sake of provenance and verification. How do I go about doing this? And is it built into the package manager?
Answer
Where in the npm code does it verify the packages against a checksum?
Here: https://github.com/npm/cli/blob/04eb43f2b2a387987b61a7318908cf18f03d97e0/lib/utils/tar.js#L78-L80
const integrity = await ssri.fromData(tarball, { algorithms: ['sha1', 'sha512'], })
As in, is it possible to generate a bunch of checksums for a machine to compare with whatever’s in the registry, and on a separate machine.
I’m not sure of the details of your use case but I believe it should be possible. Have a look at the fromData() and other functions of the ssri module that npm uses to generate the integrity SHAs.
Note that npm generates the SHAs from tarballs (or from git SHAs if you are installing from git rather than the npm registry). So you’ll need to package the modules up as tarballs. The npm pack command might come in handy.
Related (but not quite what you’re looking for, I don’t think) would be the “Verifying the PGP signature of a package from the npm public registry” article in the npm docs.