{"id":13452028,"url":"https://github.com/wilk/snpm","last_synced_at":"2025-04-13T00:37:18.521Z","repository":{"id":140248559,"uuid":"117947034","full_name":"wilk/snpm","owner":"wilk","description":"Secure NPM PoC","archived":false,"fork":false,"pushed_at":"2018-11-29T13:36:52.000Z","size":29,"stargazers_count":9,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-13T00:37:12.438Z","etag":null,"topics":["github","javascript","npm","opensource","proof-of-concept","security"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wilk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-01-18T07:18:06.000Z","updated_at":"2019-12-14T23:59:39.000Z","dependencies_parsed_at":"2024-01-16T03:46:13.103Z","dependency_job_id":"20b161af-c0a1-498c-9350-c03134ca45e8","html_url":"https://github.com/wilk/snpm","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wilk%2Fsnpm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wilk%2Fsnpm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wilk%2Fsnpm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wilk%2Fsnpm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wilk","download_url":"https://codeload.github.com/wilk/snpm/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","ki
nd":"github","repositories_count":248650414,"owners_count":21139671,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github","javascript","npm","opensource","proof-of-concept","security"],"created_at":"2024-07-31T07:01:10.564Z","updated_at":"2025-04-13T00:37:18.503Z","avatar_url":"https://github.com/wilk.png","language":"JavaScript","readme":"# snpm\nSecure NPM Proof of Concept\n\nThis is an attempt to make NPM secure when a package is shipped with compiled JavaScript.\n\nIt has been used as a reference for the [SNPM RFC](https://github.com/npm/rfcs/pull/16).\n\n## The algorithm\nAn NPM package containing compiled JavaScript (so-called binaries) **MUST** have the following info inside the `package.json`:\n\n- a property called [bin](https://docs.npmjs.com/files/package.json#bin) containing the binary file path\n- a property called [checksums](http://wiki.commonjs.org/wiki/Packages/1.1) containing the checksum (SHA1) of the binary file\n- a property called [repository](https://docs.npmjs.com/files/package.json#repository) containing the repo URL (**only GitHub URLs allowed, for now**)\n- a property called [version](https://docs.npmjs.com/files/package.json#version) containing the current version of the package\n- a script called [build](https://docs.npmjs.com/files/package.json#scripts) with the command to compile the source code\n\nAn example of a valid `package.json`:\n\n```json\n{\n  \"version\": \"1.7.2\",\n  \"checksums\": {\n    \"md5\": \"c0488e3e4c5f6deaac26b80f4974f7ba\",\n    \"sha1\": \"f7894b95b2f7f4c61582b54c0c9465719952684e\"\n  },\n  \"scripts\": {\n    \"build\": \"babel index.js --out-file dist.js\"\n  },\n  \"bin\": \"dist.js\",\n  \"repository\": {\n    \"type\": \"git\",\n    \"url\": \"https://github.com/wilk/thanc\"\n  }\n}\n```\n\nThe rules for the above properties are as follows:\n\n- `bin` property MUST be a path to a file\n- `version` property MUST exist because it will be used to download the tar.gz of the repo\n- `repository` property MUST exist because it will be used in conjunction with `version` for the same purpose\n- `checksums` property MUST contain the SHA1 hash of the `bin` file\n- `build` script MUST be runnable locally with the devDependencies (or even with dependencies)\n\nSteps for you as the package owner:\n\n - build the package\n - generate build hashes inside package.json\n - publish with snpm\n\nSteps performed by snpm:\n - snpm receives the repo URL (GitHub), the package version and the checksum\n - snpm downloads the repo from the URL\n - snpm installs every dependency\n - snpm runs the build step (`snpm run build`)\n - snpm generates build hashes\n - snpm checks the build hashes against those inside the package.json\n - snpm registers the build if they match, otherwise it returns a 400\n\n### SNPM usage\nFirst of all, clone the repository:\n\n```bash\n$ git clone https://github.com/wilk/snpm.git\n$ cd snpm\n```\n\nSNPM comes with two tools: `registry` and `snpm`.\nThese tools communicate through WebSockets because the async operations may take too long for a single HTTP connection.\n\nSo, start the `registry`:\n\n```bash\n$ docker-compose up\n```\n\nOr directly with NPM:\n\n```bash\n$ npm start\n```\n\nThen, download a package that follows the rules listed above and use `snpm` to publish it.\nFor instance, you can try with [thanc](https://github.com/wilk/thanc), which has been built with this concept in mind:\n\n```bash\n$ docker-compose exec snpm sh\n$ npm install thanc\n```\n\nOr directly with NPM:\n\n```bash\n$ npm install thanc\n```\n\nNow, you're ready to use `snpm`:\n\n```bash\n$ node snpm.js node_modules/thanc\n```\n\nWith that command, you're simulating the `snpm publish` feature: check your command line windows to see what's going on between `snpm` and the `registry`.\nBasically, the `registry` is waiting for new connections: when `snpm` is invoked with a path (of the package you want to publish), it reads the `package.json` from it and uploads the information to the `registry`.\n","funding_links":[],"categories":["JavaScript"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwilk%2Fsnpm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwilk%2Fsnpm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwilk%2Fsnpm/lists"}