Does the NPM public registry verify the checksum of uploaded tarballs?

I recently witnessed a corrupted package version being published to the npm registry. I found plenty of questions about how to handle such an incident (i.e. republish the package), but very few about "what caused it to happen in the first place?"

In my case (which unfortunately I can't share: private organization scope, etc.), pulling the tarball with npm pack showed that the file was indeed incomplete/corrupted and did not match the expected checksum.

The npm publish payload includes a dist.integrity field carrying a SHA-512 checksum with every package upload. Given its closed-source nature this may be hard to answer, but does the NPM registry perform any validation to check that the uploaded content actually matches that checksum before making the package version available for use?

Thanks!

li57268631 answered: Does the NPM public registry verify the checksum of uploaded tarballs?

Follow-up: yes, it does. I verified this by capturing the payload and changing the checksum in the npm upload. NPM correctly diagnosed the checksum mismatch and rejected the package.

Article link: https://www.f2er.com/3100985.html
