Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@rushstack/package-deps-hash
Advanced tools
The `package-deps-hash` library generates a JSON object containing the git hashes of all files used to produce a given package. This is useful for scenarios where you want to define a "change receipt" file to be published with a package. The [Rush](http
@rushstack/package-deps-hash is a utility for computing a hash based on the contents of a package and its dependencies. This is particularly useful for build systems and caching mechanisms where you need to determine if a package or its dependencies have changed.
Compute Package Hash
This feature allows you to compute a hash for a given package directory. The hash is based on the contents of the package and its dependencies, which can be used to determine if any changes have occurred.
const { getPackageDeps } = require('@rushstack/package-deps-hash');
const path = require('path');
async function computeHash() {
const packagePath = path.resolve(__dirname, 'path/to/your/package');
const packageDeps = await getPackageDeps(packagePath);
console.log(packageDeps);
}
computeHash();
Custom File Globs
This feature allows you to specify custom file globs to include in the hash computation. This can be useful if you want to include or exclude specific files or types of files in the hash calculation.
const { getPackageDeps } = require('@rushstack/package-deps-hash');
const path = require('path');
async function computeHashWithGlobs() {
const packagePath = path.resolve(__dirname, 'path/to/your/package');
const customGlobs = ['**/*.js', '**/*.json'];
const packageDeps = await getPackageDeps(packagePath, { globs: customGlobs });
console.log(packageDeps);
}
computeHashWithGlobs();
hasha is a package for hashing files and strings using various algorithms. It is more general-purpose compared to @rushstack/package-deps-hash, which is specifically designed for hashing package dependencies.
crypto is a built-in Node.js module that provides cryptographic functionality, including hashing. While it can be used to hash files and strings, it does not provide the same level of convenience for hashing package dependencies as @rushstack/package-deps-hash.
webpack is a module bundler that includes functionality for hashing the contents of bundles. While it can be used to achieve similar goals, it is a much larger and more complex tool compared to @rushstack/package-deps-hash.
The package-deps-hash
library generates a JSON object containing the git hashes of all files used to produce
a given package. This is useful for scenarios where you want to define a "change receipt" file to be published
with a package. The Rush tool uses this library to implement incremental build detection.
Only files in a git repo that are not in .gitignore will be considered in building the hash. The file content and the current state of the package can be compared then to determine whether the package needs to be rebuilt.
Internally it uses the GIT hashes to derive the hashes for package content. This allows the process to leverage Git's hash optimizations, as opposed to creating a more elaborate diffing scheme.
NOTE: Git is required to be accessible in the command line path.
let _ = require('lodash');
let { getPackageDeps } = require('@rushstack/package-deps-hash');
// Gets the current deps object for the current working directory
let deps = getPackageDeps();
let existingDeps = JSON.parse(fs.readFileSync('package-deps.json'));
if (_.isEqual(deps, existingDeps)) {
// Skip re-building package.
} else {
// Rebuild package.
}
@rushstack/package-deps-hash
is part of the Rush Stack family of projects.
FAQs
The `package-deps-hash` library generates a JSON object containing the git hashes of all files used to produce a given package. This is useful for scenarios where you want to define a "change receipt" file to be published with a package. The [Rush](http
We found that @rushstack/package-deps-hash demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.