CLI for publishing immutable NPM packages/NodeJS modules
This is my attempt to solve some issues with NPM by using an immutable filesystem called IPFS. IPFS guarantees that whatever you downloads, will match with the hash you use to download that thing. cowpen is applying this to NodeJS modules.
It's mostly about being able to store and retrieve packages in a safe way that allows you to have reproducible builds, at all times.
pina package, it'll be there until there is no seeds (similar to Bittorrent).
cowpen might work on earlier releases of these programs but it has not been tested so we cannot guarantee anything. Please let us know if it work/doesn't work for you.
ipfs daemon --init --mount
Daemon is readyin output
npm install -g cowpen@/ipfs/IPFS-HASH-FOR-COWPEN
Wait, what's the weird @/ipfs/... thing? That's the IPFS part of cowpen.
When NPM sees a filepath as the version argument, NPM tries to "download" the module from the filesystem instead.
And in the first step, you run IPFS with the
--mount argument, IPFS mounts /ipfs and /ipns to serve content from IPFS.
So with a little bit of magic, we have installed cowpen with IPFS. Simple huh?
You just use NPM like you're used to, but without shrinkwrap and versions being IPFS hashes instead of semvers.
You want to install a package and save it in your local project? Find out the hash (cowpen will include search in the future) and install it!
npm install --save lodash@/ipfs/Qmec32NqcZCh83t9QhrfVFnHq9eHSNr389y8z6mSvBabDp
Now it's installed, and with the hash we make sure that you always have the same version installed.
You want to install all dependencies in a project that is using cowpen?
It couldn't get any easier than this.
Simple! Just do: (while being in the directory of the package you want to publish)
And cowpen will return you the path you can use for installing your package.
If you're clever, you include this hash wherever you are doing releases, like a mailing list, Github Release or the Git tag when creating it.
That way, people who want to use your package via cowpen, can easily find it.
Well, here is the tricky part. We haven't quite figured out searching yet, but the idea is for every user to run their own ipfs daemon, with a keybase account for verifying the publishing...
But right now, we don't really have a solution for this. Best would be for you to simply include the hash wherever you do releases currently.
If package A publishes version 1 as ABDEF and package B publishes version 1 as ABDEF, what happens?
A package version has to published by the same peer ID as the first version was published as.
So in this case, publishing by package B would be blocked from cowpen. But what if he simple inserts the hash manually?
What does Cowpen mean? Well, I don't know. The name is taken from a street in Bahamas.
If you have any questions, open a Github issue here: github.com/VictorBjelkholm/cowpen/issues/new
or feel free to contact me on Twitter here: @VictorBjelkholm
The MIT License (MIT)
Copyright (c) 2016 Victor Bjelkholm
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.