Is there a way to specify a hash, version, or signature when running `npx` (from npm)?

3

I am creating a generator to produce some static HTML pages. However, I ran into a situation where I have to use npx in order to use the AMP Optimizer.

I can execute the command as follows:

exec.Command("npx", "@ampproject/toolbox-cli", "optimize", "nome_do_arquivo.html")

There are other ways I can do this, but anyway the problem seems to persist in all cases.


The problem is that it fetches @ampproject/toolbox-cli, which could be any file. There is no signature, hash, or specific version. Go, for example, includes a go.sum that lets you check the hashes, so if the downloaded content is different it will fail. That is, when running `go run cmd/generate.go` it will download exactly what I want, or fail if the hash/timestamp is different.


Is there any way to verify the integrity of @ampproject/toolbox-cli and only execute it if the hash matches a specific one, for example?

1 answer

3


It is possible to specify the exact version of the package that npx should install.

From the documentation, you can use it like this:

npx [options] <command>[@version] [command-arg]...

As for a hash or some kind of signature, I couldn't find any reference indicating that npx supports one.


For example:

$ npx create-react-app@4.0.3 --version
4.0.3

But if I specify a different version:

$ npx create-react-app@2.1.8 --version
2.1.8

Since, once published to npm, packages can only be deleted (and not modified), I think that specifying the version, hard-coded like this, already serves as an additional security barrier. The kind of concern shown in the question is certainly important.

Of course, there is still the possibility of the npm servers being hacked, but let's ignore that for our own sake. ;)

  • I still find it strange that there is no way to specify the hash of the file; I think that is too much trust in npm. :|
