I am creating a generator to generate some static HTML pages. However, I came across the situation of having to use the NPX to use the AMP Optimizer.
I can execute the command as follows:
exec.Command("npx", "@ampproject/toolbox-cli", "optimize", "nome_do_arquivo.html")
There are other ways I can do this, but anyway the problem seems to persist in all cases.
The problem is that it gets the @ampproject/toolbox-cli which could be any file. There is no signature, hash, or specific version. Golang, for example, includes a go.sum which allows you to check the hashes, so if the downloaded content is different it will fail. That is, when running the go run cmd/generate.go it will download exactly what I want, or fail if the hash/timestamp is different.
Is there any way to verify the integrity of @ampproject/toolbox-cli and only execute if the hash is equal to a specific one, for example?!
I still find it strange that there is no way to specify the hash of the file; I think it is too much trust in NPM. :|
– Inkeliz
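A go.sum-style gate for the situation described in the question, as an added example that is not part of the original post: the Go generator reads the hash pinned for a package in a committed package-lock.json and refuses to continue unless the tarball bytes match it. It assumes the lockfile uses the `packages` layout of lockfileVersion 2/3 with a single `sha512-<base64>` integrity value, and that the tarball was fetched separately; the function names and sample bytes are constructed for illustration. It checks only the named package, so transitive dependencies still need an install that enforces the lockfile, such as `npm ci`.

```go
package main

import (
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)
// lockfile models only the package-lock.json (lockfileVersion 2/3) fields used here.
type lockfile struct {
	Packages map[string]struct {
		Integrity string `json:"integrity"`
	} `json:"packages"`
}

// PinnedIntegrity returns the integrity string recorded in the lockfile for pkg.
func PinnedIntegrity(lockJSON []byte, pkg string) (string, error) {
	var lf lockfile
	if err := json.Unmarshal(lockJSON, &lf); err != nil {
		return "", err
	}
	if e, ok := lf.Packages["node_modules/"+pkg]; ok && e.Integrity != "" {
		return e.Integrity, nil
	}
	return "", fmt.Errorf("no integrity pinned for %s", pkg)
}

// VerifyTarball returns nil only if SHA-512(tarball) equals the pinned value.
func VerifyTarball(tarball []byte, integrity string) error {
	b64 := strings.TrimPrefix(integrity, "sha512-")
	want, err := base64.StdEncoding.DecodeString(b64)
	if b64 == integrity || err != nil || len(want) != sha512.Size {
		return errors.New("need a single sha512-<base64> integrity value")
	}
	got := sha512.Sum512(tarball)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("integrity mismatch: refusing to run")
	}
	return nil
}

func main() {
	tarball := []byte("constructed stand-in for the .tgz bytes") // not a real package
	sum := sha512.Sum512(tarball)
	fmt.Println(VerifyTarball(tarball, "sha512-"+base64.StdEncoding.EncodeToString(sum[:])))
}
```

Call `exec.Command` only after `VerifyTarball` returns nil, and point it at the verified local copy rather than at a package name that would be resolved again over the network.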