@dk/hipp 0.1.25 → 0.1.27
- package/README.md +10 -8
- package/hipp.js +5 -2
- package/package.json +1 -1
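--- a/package/README.md
+++ b/package/README.md
@@ -110,8 +110,9 @@ npx @dk/hipp -- --access public --tag beta
 HIPP provides out-of-band verification to prove package integrity:
 
 ```bash
-npx @dk/hipp verify @dk/
-npx @dk/hipp verify
+npx @dk/hipp verify # verifies latest @dk/hipp
+npx @dk/hipp verify @scope/package # verifies latest of a package
+npx @dk/hipp verify @scope/package@1.0.0 # verifies specific version
 ```
 
 ### How Verification Works
@@ -176,6 +177,7 @@ The manifest contains:
 
 - **Code is safe or bug-free**: Malicious or buggy code can be signed
 - **Publisher is trustworthy**: The key holder could sign bad code intentionally
+- **Name/email is accurate**: These are read from local `git config` and could be set to anything
 
 Verification proves that npm matches git - it says nothing about whether that
 code is correct or safe.
@@ -238,20 +240,20 @@ PERFORMANCE OF THIS SOFTWARE.
 Verify this package with [@dk/hipp](https://www.npmjs.com/package/@dk/hipp):
 
 ```bash
-npx @dk/hipp verify @dk/hipp@0.1.
+npx @dk/hipp verify @dk/hipp@0.1.27
 ```
 
 ```json
 {
 "origin": "git@github.com:dmytri/hipp.git",
-"tag": "v0.1.
-"revision": "
-"hash": "
-"signature": "
+"tag": "v0.1.27",
+"revision": "528a1ce0c415b335f118ec006e50b464c75efd9a",
+"hash": "8738b992f6546c2aa6509c43aa95dc4a8206582d2cc511e8b30f5e35c6e2eb3a",
+"signature": "80nbN79+QNiEVMKsY520VXcWBY1s5R2Yq9kpi/EUW5Hrs8KKBRPH3tQ6JSeBGGi5ZzWDi3UEi9s/AN55c5hdAg==",
 "name": "Dmytri Kleiner",
 "email": "dev@dmytri.to",
 "npm": "11.12.1",
 "node": "v25.8.2",
-"hipp": "0.1.
+"hipp": "0.1.27"
 }
 ```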
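--- a/package/hipp.js
+++ b/package/hipp.js
@@ -429,7 +429,7 @@ async function runVerify(packageSpec) {
 const npa = require('npm-package-arg');
 const parsed = npa(packageSpec);
 const pkgName = parsed.name;
-const pkgVersion = parsed.fetchSpec;
+const pkgVersion = parsed.fetchSpec === '*' ? null : parsed.fetchSpec;
 log.info(`🔍 HIPP Verify: ${pkgName}${pkgVersion ? '@' + pkgVersion : ''}`);
 
 const registryUrl = `https://registry.npmjs.org/${parsed.escapedName}/${pkgVersion || 'latest'}`;
@@ -757,7 +757,10 @@ if (isVerify) {
 } else {
 const hippPkgPath = path.join(path.dirname(process.argv[1]), 'package.json');
 const hippPkg = JSON.parse(fs.readFileSync(hippPkgPath, 'utf8'));
-
+const spec = hippPkg.version === '0.0.0'
+? hippPkg.name
+: `${hippPkg.name}@${hippPkg.version}`;
+runVerify(spec);
 }
 } else if (process.argv.includes('--help') || process.argv.includes('-h')) {
 console.log(`\x1b[36mHIPP - High Integrity Package Publisher\x1b[0m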
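Review bot: The `'*'` comparison on the new `pkgVersion` line covers only one shape of npm-package-arg output; a spec carrying a range (`^1.0.0`), a git URL, a file path or an alias still yields a `fetchSpec`, and the unchanged line below interpolates it straight into the registry URL path, so the user gets a confusing 404 instead of a clear error. Gating on `parsed.type` is the more robust check, e.g. `if (!['version', 'tag'].includes(parsed.type) && parsed.fetchSpec !== '*') throw new Error('unsupported package spec: ' + packageSpec);` placed before the assignment. The version segment would also be safer written as `encodeURIComponent(pkgVersion)` in the URL, though that line is not part of this change. In the second hunk the `'0.0.0'` sentinel deserves a comment such as `// 0.0.0 presumably marks an unpublished checkout; fall back to the latest published release` (hedged, since where that version comes from is not visible), and `runVerify(spec)` is an un-awaited promise whose rejection will surface as an unhandled rejection unless the `isVerify` branch above treats it the same way. runVerify's body continues outside the first hunk.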