sourcecrumbs v0.0.2

sourcecrumbs

Make npm provenance attestation a bit more code bound

Concept

The provenance attestation is established by publicly providing a link to a package's source code and build instructions from the build environment. This allows developers to verify where and how your package was built before they download it.

That sounds promising, so let's try to implement a working draft. Suppose we have published a package with sourcemaps and provenance telemetry in its packument. We could try to:

  • compare the package contents file by file with the bound repo commit.
  • match sourcemap data with the referenced git-hosted sources via sourcemap-validator.
  • verify that the package target (bundle, dist, whatever) somehow corresponds to its sources. Hmm... This may require heuristics, unminification, AST comparison or something like that.

Usage

import {track} from '@qiwi/sourcecrumbs'

const result = await track({
  name: 'toposource',
  version: '1.1.4',
  registry: 'https://registry.npmjs.org'
})
// →
result = {
  meta: {
    pkgRef: {
      name: 'toposource',
      version: '1.1.4',
      registry: 'https://registry.npmjs.org'
    },
    repoRef: {
      type: 'git',
      url: 'git+https://github.com/semrel-extra/toposource.git',
      hash: 'b4f56f4ce75460c670363457821c054ed4db8464',
    }
  },
  tracks: {
    'package.json': {
      source: {
        refs: ['package.json'],
        coherence: 0.9995309568480301
      },
      sourcemap: null
    },
    'target/cjs/index.js': {
      source: null,
      sourcemap: {
        refs: [
          'src/main/ts/index.ts',
          'src/main/ts/toposource.ts'
        ],
        checks: {
          valid: true
        },
        coherence: null
      }
    },
    // ...
  }
}

Refs

Licence

MIT