0.0.2 • Published 12 months ago
@qiwi/sourcecrumbs v0.0.2
sourcecrumbs
Make npm provenance attestation a bit more code-bound
Concept
The provenance attestation is established by publicly providing a link to a package's source code and build instructions from the build environment. This allows developers to verify where and how your package was built before they download it.
That is a useful starting point, so let's try to implement a working draft. Suppose we have published a package with sourcemaps and provenance telemetry in its packument. We could try to:
- compare the package contents file by file with the bound repo commit.
- match sourcemap data against the referenced git-hosted sources via sourcemap-validator.
- verify that the package target (bundle, dist, whatever) corresponds to its sources somehow. Hmm... This may require heuristics, unminification, AST comparison or something like that.
Usage
import {track} from '@qiwi/sourcecrumbs'

const result = await track({
  name: 'toposource',
  version: '1.1.4',
  registry: 'https://registry.npmjs.org'
})

// →
result = {
  meta: {
    pkgRef: {
      name: 'toposource',
      version: '1.1.4',
      registry: 'https://registry.npmjs.org'
    },
    repoRef: {
      type: 'git',
      url: 'git+https://github.com/semrel-extra/toposource.git',
      hash: 'b4f56f4ce75460c670363457821c054ed4db8464',
    }
  },
  tracks: {
    'package.json': {
      source: {
        refs: ['package.json'],
        coherence: 0.9995309568480301
      },
      sourcemap: null
    },
    'target/cjs/index.js': {
      source: null,
      sourcemap: {
        refs: [
          'src/main/ts/index.ts',
          'src/main/ts/toposource.ts'
        ],
        checks: {
          valid: true
        },
        coherence: null
      }
    },
    // ...
  }
}
Refs
- https://github.blog/2023-04-19-introducing-npm-package-provenance/
- https://docs.npmjs.com/generating-provenance-statements
- https://slsa.dev/provenance/v0.2
- https://www.mattzeunert.com/2016/02/14/how-do-source-maps-work.html
- https://blog.sentry.io/2018/10/18/4-reasons-why-your-source-maps-are-broken/
- https://stackoverflow.com/questions/44527036/how-can-i-check-source-map-transpiled-javascript-consistency
- https://stackoverflow.com/questions/72263693/how-can-i-assert-minified-javascript-is-equivalent-to-source
- https://sourcemaps.info/spec.html