Does the public NPM registry validate the checksums of uploaded tarballs?
I recently witnessed an instance of a corrupted package version being published to the npm registry. I've found many questions around what to do in this event (i.e. republish the package), but few around "What causes it to happen in the first place?"
In my case (which I sadly can't share - private organizational scope, etc. etc.), pulling the tarball with npm pack reveals that the file is indeed incomplete/corrupt, and does not match the expected checksum.
The npm publish payload includes a dist.Integrity field with a SHA-512 checksum, alongside each package upload. This might be a bit difficult to answer given its closed-source nature - but does the NPM registry do any validation on its side, to check that the uploaded contents actually match the checksum, before making the package version available for consumption?
Thanks in advance!
Follow-up: Yes, it does. I verified this by capturing an npm upload payload and changing the dist.integrity checksum. NPM correctly diagnosed the checksum mismatch, and refused the package.