exactly v1.0.0

Exactly

Exactly extends npm to shrinkwrap dependencies by their SHA1 hash. This ensures that package data downloaded by npm exactly matches the packages at the time of shrinkwrapping.

This project is intended as a proof of concept. It's hacky and the approach it takes in monkeypatching npm internals is fragile. This is a quick and dirty way to achieve this functionality to gain experience with it in practice.

Usage

Run exactly with the same commands and arguments as the npm binary.

Use npm during development. Then use exactly shrinkwrap and exactly install in production.

exactly shrinkwrap

Exactly will run npm shrinkwrap and add an exactlyHashes property to your npm-shrinkwrap.json.

# exactly shrinkwrap
npm info it worked if it ends with ok
npm info using npm@3.8.3
npm info using node@v4.4.0
wrote npm-shrinkwrap.json
added exactlyHashes to npm-shrinkwrap.json
{
  "qs@6.1.0": "ec1d1626b24278d99f0fdf4549e524e24eceeb26"
}
npm info ok

exactly install

Exactly will run npm install and check the hash of each package installed from npm or local directories. It will output an "npm info exactly" log line for each package it verifies.

# exactly install qs
npm info it worked if it ends with ok
npm info using npm@3.8.3
npm info using node@v4.4.0
npm info addNameTag [ 'qs', 'latest' ]
npm info exactly shasum matched: ec1d1626b24278d99f0fdf4549e524e24eceeb26
npm info lifecycle qs@6.1.0~preinstall: qs@6.1.0
npm info linkStuff qs@6.1.0
npm info lifecycle qs@6.1.0~install: qs@6.1.0
npm info lifecycle qs@6.1.0~postinstall: qs@6.1.0
/tmp/exactly
`-- qs@6.1.0

npm info ok