{"id":43834413,"url":"https://github.com/braydonf/gpk","last_synced_at":"2026-02-06T04:05:03.985Z","repository":{"id":54982031,"uuid":"220121867","full_name":"braydonf/gpk","owner":"braydonf","description":"A decentralized and secure package manager.","archived":false,"fork":false,"pushed_at":"2021-01-18T04:27:40.000Z","size":3352,"stargazers_count":31,"open_issues_count":16,"forks_count":10,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-04-18T01:59:50.261Z","etag":null,"topics":["javascript","nodejs","package-manager","tools"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/braydonf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-11-07T01:07:40.000Z","updated_at":"2024-04-17T22:16:21.000Z","dependencies_parsed_at":"2022-08-14T08:10:10.280Z","dependency_job_id":null,"html_url":"https://github.com/braydonf/gpk","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/braydonf/gpk","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/braydonf%2Fgpk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/braydonf%2Fgpk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/braydonf%2Fgpk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/braydonf%2Fgpk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/braydonf","download_url":"https://codeload.github.com/braydonf/gpk/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/braydonf%2Fgpk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29149652,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-06T02:39:25.012Z","status":"ssl_error","status_checked_at":"2026-02-06T02:37:22.784Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["javascript","nodejs","package-manager","tools"],"created_at":"2026-02-06T04:05:03.310Z","updated_at":"2026-02-06T04:05:03.978Z","avatar_url":"https://github.com/braydonf.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gpk\n\nGit based, decentralized and secure package management for JavaScript and\nNode.js libraries and applications.\n\n## Features\n\n- Packages are decentralized via Git and can be hosted and published\n  via any Git repository.\n- Signature verification via signed Git tags.\n- Deterministic flat installation of packages to support committing\n  and bundling dependencies with Git.\n- Resolves shared dependencies based on semantic versioning via Git\n  tags (e.g. 
`v1.1.0`).\n- Node.js C/C++ addon build support with `node-gyp`.\n- Exclude files from a package with `.npmignore` and `.gitignore`.\n\n## Install\n\nClone and verify:\n```\ngit clone https://github.com/braydonf/gpk\ncd gpk\ngit verify-commit HEAD\n```\n\nInstall globally:\n```\n./bin/gpk install -g\n```\n\n## Usage\n\n### Command examples\n\n- `gpk install` Install dependencies and verify signatures.\n- `gpk install https://\u003curl\u003e/\u003corg\u003e/\u003crepo\u003e` Install latest tag and add a dependency.\n- `gpk install https://\u003curl\u003e/\u003corg\u003e/\u003crepo\u003e#\u003cbranch\u003e` Install from a specific branch.\n- `gpk install -g https://\u003curl\u003e/\u003corg\u003e/\u003crepo\u003e` Install a global module.\n- `gpk install -g` Link a module globally.\n- `gpk test` Run package tests.\n- `gpk run \u003cscript\u003e` Run package defined script.\n- `gpk rebuild` Build native addons.\n- `gpk uninstall \u003cname\u003e` Uninstall and remove a dependency.\n- `gpk uninstall -g \u003cname\u003e` Uninstall a global module.\n- `gpk init` Initialize a package.\n- `gpk help` Display all available commands.\n\n### Managing dependencies\n\nHere is how to specify dependencies in `package.json`:\n\n```json\n{\n  \"dependencies\": {\n    \"bcoin\": \"git+https://github.com/bcoin-org/bcoin.git#semver:~2.0.0\",\n    \"bcrypto\": \"git+https://github.com/bcoin-org/bcrypto.git#semver:~4.2.6\",\n    \"bmultisig\": \"git+https://github.com/bcoin-org/bmultisig.git#semver:~2.0.0\",\n    \"buffer-map\": \"git+https://github.com/chjj/buffer-map.git#semver:~0.0.7\",\n    \"n64\": \"git+https://github.com/chjj/n64.git#semver:~0.2.10\"\n  }\n}\n```\nThe signature of the matching Git tag or commit is verified for each\ndependency. The dependencies must be from a Git repository. 
The referenced\nGit tag or commit must be signed and the necessary public keys imported.\n\nYou can also use `gpk`-specific shorthand in `package.json`:\n\n```json\n{\n  \"remotes\": {\n    \"bcoin-org\": \"git+https://github.com/bcoin-org/\",\n    \"chjj\": \"git+https://github.com/chjj/\"\n  },\n  \"dependencies\": {\n    \"bcoin\": \"bcoin-org:bcoin.git#semver:~2.0.0\",\n    \"bcrypto\": \"bcoin-org:bcrypto.git#semver:~4.2.6\",\n    \"bmultisig\": \"bcoin-org:bmultisig.git#semver:~2.0.0\",\n    \"buffer-map\": \"chjj:buffer-map.git#semver:~0.0.7\",\n    \"n64\": \"chjj:n64.git#semver:~0.2.10\"\n  }\n}\n```\n\nAnd specify Git branches:\n\n```json\n{\n  \"remotes\": {\n    \"bcoin-org\": \"git+https://github.com/bcoin-org/\"\n  },\n  \"dependencies\": {\n    \"bcoin\": \"bcoin-org:bcoin.git#pkg-dependencies\"\n  }\n}\n```\n\n#### Upgrading dependencies\n\nThe behavior of `gpk` is that `gpk install` will not replace an existing\nmodule, and will otherwise give an error if an existing installation does\nnot satisfy the current `package.json` specification.\n\nTo upgrade a dependency:\n\n- Remove the dependency from `node_modules`.\n- Run `gpk install` again to fetch an updated version.\n\nTo upgrade to a version greater than the current version\nas specified by the semantic version in `package.json`, it's\nnecessary to update the `package.json` specification before\ninstalling.\n\n#### Committing dependencies\n\nIt is recommended to commit dependencies into the Git repository. This\nprovides the following benefits:\n- Guarantee of availability of dependencies. It adds a mirror of the\n  remote code, and thus a guarantee that the exact dependency is available\n  regardless of network, third-party service, or module availability.\n- Provides integrity of dependencies. This is functionally similar\n  to `package-lock.json` or `npm-shrinkwrap.json` from npm-land. 
For\n  committed dependencies to be used when the package is a dependency, the\n  dependencies should be added to `bundleDependencies` in `package.json`.\n- Removes the dependency upon a package manager for basic installation,\n  as the dependencies are already available. Installation of `gpk` is\n  only necessary for the management and upgrade of dependencies by\n  contributors and maintainers.\n- Compatibility with other package managers for building native addons.\n  `gpk rebuild`, `npm rebuild` or `yarn rebuild` can all\n  be used.\n- Efficiency of installation. It's not necessary to clone and verify\n  each dependency, as they are already available. This is especially\n  relevant when branches or specific commits are used instead of tagged\n  releases of a dependency.\n\nNote: You can use `git commit --author=\"\u003calternative-authors\u003e\"` when\ncommitting a large number of dependencies for purposes of commit statistics.\n\n### Migration\n\nNearly all existing Node.js modules can be migrated to use `gpk` with signature\nverification. This is because Git and [signed tags][signed-tags] are already\nwidely used for JavaScript and Node.js modules. 
Migrating to use `gpk` is handled\nby specifying the Git remote.\n\nThe following `package.json` specification:\n\n```json\n{\n  \"dependencies\": {\n    \"bcrypto\": \"~5.0.4\"\n  }\n}\n```\n\nIs replaced with a Git remote:\n```json\n{\n  \"dependencies\": {\n    \"bcrypto\": \"git+https://github.com/bcoin-org/bcrypto.git#semver:~5.0.4\"\n  }\n}\n```\n\nFor modules that do not specify Git remotes for their dependencies, it will\nbe necessary to specify those dependencies as well, for example:\n\n```json\n{\n  \"dependencies\": {\n    \"bcrypto\": \"git+https://github.com/bcoin-org/bcrypto.git#semver:~5.0.4\",\n    \"bufio\": \"git+https://github.com/bcoin-org/bufio.git#semver:~1.0.6\",\n    \"loady\": \"git+https://github.com/chjj/loady.git#semver:~0.0.1\",\n    \"nan\": \"git+https://github.com/braydonf/nan.git#semver:~2.14.0\"\n  }\n}\n```\n\nOtherwise there would be an error, such as `Error: Unknown remote for 'bufio'`.\n\n### Configuration\n\nTo customize the global installation path, use the\n`PREFIX` environment variable, for example:\n\n```sh\nexport PREFIX=/home/user/global_node_modules\n```\n\nAnd then add that to your path, for example:\n```sh\nexport PATH=\"$PREFIX/bin:$PATH\"\n```\n\nThis may be necessary if the installation of Node.js\nwas via an operating system package manager or otherwise\ninstalled at `/usr/bin` or another path that requires\nroot or admin permissions.\n\n## Testing\n\nImport the key used for signing:\n\n```sh\ngpg --recv-keys \"5B7D C58D 90FE C1E9 90A3  10BA F24F 232D 108B 3AD4\"\n```\n\nAnd run the tests:\n```sh\ngpk test\n```\n\nFor detailed logging when running tests you can use\nthe environment variable `TEST_LOG`, for example:\n\n```sh\nTEST_LOG=true gpk test\n```\n\nTest data is created in a temporary directory, using\nthis format: `/tmp/gpk-test-\u003cname\u003e-\u003cid\u003e/`.\n\n[signed-tags]: 
https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbraydonf%2Fgpk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbraydonf%2Fgpk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbraydonf%2Fgpk/lists"}