
How does npm verify packages and how to verify npm/node installation packages between machines?

Where in the npm code does it verify the packages against a checksum? Also, is it possible to verify one machine's installation of node and packages vs. another machine's? As in, is it possible to generate a bunch of checksums for a machine to compare with whatever's in the registry, and on a separate machine?

In npm, it seems to be using a tree library called the arborist to create a replica of the directory structure. On the other hand, as a user I'd like to be able to validate and generate checksums of the packages for the sake of provenance and verification. How do I go about doing this? And is it built into the package manager?

Where in the npm code does it verify the packages against a checksum?

Here: https://github.com/npm/cli/blob/04eb43f2b2a387987b61a7318908cf18f03d97e0/lib/utils/tar.js#L78-L80

  const integrity = await ssri.fromData(tarball, {
    algorithms: ['sha1', 'sha512'],
  })

As in, is it possible to generate a bunch of checksums for a machine to compare with whatever's in the registry, and on a separate machine?

I'm not sure of the details of your use case, but I believe it should be possible. Have a look at the fromData() and other functions of the ssri module that npm uses to generate the integrity SHAs.

Note that npm generates the SHAs from tarballs (or from git SHAs if you are installing from git rather than the npm registry). So you'll need to package the modules up as tarballs. The npm pack command might come in handy.

Related (but not quite what you're looking for, I don't think) would be the "Verifying the PGP signature of a package from the npm public registry" article in the npm docs.
