npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

release-verification

v3.1.0

Published

verify released packages match github

Downloads

10

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

bmacnaughtonbmacnaughtoncheempzcheempz

Keywords

verificationreleaseintegrityvulnerability

Readme

release-verifier

release-verifier is a command line tool that verifies a released package matches that same tagged version in a source repository.

npm, rubygems, and pypi are the supported repositories and github is the supported source repository.

command line ui

to verify the latest version of the package appoptics-apm in the npm repository:

$ node verify appoptics-apm -r npm

to verify the latest version of the package appoptics_apm in the rubygems repository:

$ node verify appoptics_apm -r rubygems

to verify a specific version (note the default repository is npm):

$ node verify appoptics-apm -v 6.6.0

to verify a range of versions

$ node verify appoptics-apm -v '> 6.0.0'

if a released package (or version) doesn't contain a reference to the github source repository it can be specified with the -S option. the value of the -S option is the user and repository name on github, e.g., appoptics/release-verification.

$ node verify -r rubygems appoptics_apm -v 4.3.0 -S appoptics/appoptics-apm-ruby

it's also possible to specify a config file. a config file essentially provides default values for options, i.e., specifying an option on the command line overrides what is in the config file. defaults can be either the cli option name or the alias. in the case of aliases that contain dash characters the config file option is the camelCase version of the kebab-case name, e.g. the exclude-dir command line option is mapped to the excludeDir config file property. the test directory has two config file examples.

$ node verify -r rubygems appoptics_apm -v 4.9.0 -c ./test/test-config-rubygems.js

some github repositories are private. in order to work access private repositories the user must be authenticated and supply a github token on the command line using the --token option.

$ node verify -r pypi appoptics-apm -v 3.5.9 -S librato/python-appoptics -k $GIT_TOKEN

additional options can be found in lib/get-cli-options.js or via $ node verify -h

adding a package repository

i've tried to design the this so that repositories can be added with a minimum of effort. but i'm discovering the differences in various repositories as i go through them, so the design could be better. and the code is the only real documentation. so if you have a repository you'd like added let me know.

to add a package-repository start by creating a <package-repository>Verifier class that extends BaseVerifier. put it in a file named lib/<package-repository>-verifier.js, copy the general structure from one of the existing verifiers. then let me know what i've missed in the code and/or documentation for this. then import your file and add the mapping of the repository name to the class in verify.js.

adding a source repository

if it's not github then some thinking will be needed. i haven't spent any time on this. it does seem like support for bitbucket should be coming along but the source repository is less abstracted than the package repositories.

stuff to be done

  • allow output format with detail differences
  • add --base option to create work directories in another place
  • document the api that verify.js uses.
  • add bitbucket support.
  • add download support to populate either pkg-unpacked or git-unpacked with external dependencies.