Verify published packages against their source code.
npx npm-verified <package-name-with-optional-version-to-verify>
npx npm-verified npm-verified@latest
npx npm-verified react
How it works
- Downloads and extracts the requested package archive from https://registry.npmjs.org.
- Clones the source code repository specified in the downloaded package's `package.json` via `git clone --branch <version-tag>`, where `<version-tag>` is the tag of the published version, such as `X.Y.Z` (both tag forms are attempted). If none of the tags are found, the `master` branch is cloned.
- Finds the package root directory in the cloned source code repository, i.e. the directory containing a `package.json` with the requested package name.
- Installs the dependencies there and runs `npm pack` there to prepare the package archive that is supposed to be uploaded to the registry.
- Extracts the package archive created from the source code.
- Compares the files from the downloaded archive with the files from the prepared archive.
- Prints the mismatching parts as a human-readable diff and sets the process exit code to `0` if the files are the same, to `1` if the files are different.
Requirements and limitations
- A `package.json` with the package name must exist in the source code repository.
- The `package.json` in the published package must contain the link to the source code repository.
- The repository must have a tag corresponding to the published package version (such as `X.Y.Z`), or the `master` branch must have the published version.
- Currently, only `git` repositories are supported.
- Currently, the `npm` tooling used to prepare the package from the source code is obtained from the environment, not from the source code.
- Currently, the tool uses
- Package verification as a service.
- README badge.
- CI integration.
- Has to use the same `npm` versions that the repository maintainers use to prepare packages.
- Has to scale: package build processes eat CPU.
- More human-readable stats diff (missing, extra files).
- Machine-readable output (for integrations).
- @davidgilbertson for sharing the ideas on the security of the public `npm` registry and the package publishing process.
- @mzhurovich for talking me into actually implementing this tool.
- @npm for the largest package registry in the world.