Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
careful-downloader
Advanced tools
🕵️♀️ Downloads a file and its checksums to a temporary directory, validates the hash, and optionally extracts it if safe.
Downloads a file and its checksums to a temporary directory, validates the hash, and optionally extracts it if safe. A headache-averting wrapper around got
, sumchecker
, and decompress
.
npm install careful-downloader
# or...
yarn add careful-downloader
import downloader from "careful-downloader";
await downloader(
"https://github.com/gohugoio/hugo/releases/download/v0.88.1/hugo_extended_0.88.1_Windows-64bit.zip",
"https://github.com/gohugoio/hugo/releases/download/v0.88.1/hugo_0.88.1_checksums.txt",
{
destDir: "./vendor",
algorithm: "sha256",
encoding: "binary",
extract: true,
},
);
//=> '/Users/jake/src/carefully-downloaded/vendor/hugo.exe'
Type: string
Absolute URL to the desired file to download.
Type: string
Absolute URL to a checksums file, usually just a .txt
containing filenames and hashes like this:
27493d1903a41e2dd47edc76a79918d95dfbb31474380d3704322e47ffd11b74 hugo_0.88.1_Windows-32bit.zip
ad81192d188cb584a73074d3dea9350d4609a13ed5fccaafd229b424247e5890 hugo_0.88.1_Windows-64bit.zip
aaa20e258cd668cff66400d365d73ddc375e44487692d49a5285b56330f6e6b2 hugo_extended_0.88.1_Windows-64bit.zip
Type: object
Type: string
Default: Extracted from the download URL.
Manually set the filename of the download, helpful if the one provided by the server doesn't match the filename listed in the checksum file.
Type: boolean
Default: false
Use decompress
to extract the final download to the destination directory (assuming it's a .zip
, .tar
, .tar.gz
, etc.).
Type: string
Default: tempy.directory()
Path to temporary directory for unverified and/or unextracted downloads. Automatically generated if not set (recommended). If set manually, the directory isn't purged upon finishing for security reasons.
Type: string
Default: "./downloads"
Full path or directory name relative to module to store the validated download.
Type: boolean
Default: false
Delete any existing files in the destination directory before downloading.
Type: string
Default: "sha256"
The algorithm used by the checksum file. Available options are dependent on the version of OpenSSL on the platform. Examples are 'SHA1', 'SHA256', 'SHA512', 'MD5', etc.
On recent releases of OpenSSL, openssl list -digest-algorithms
will display the available digest algorithms. Read more about crypto.createHash()
.
Type: string
Default: "binary"
Tell the file stream to read the download as a binary, UTF-8 text file, base64, etc.
MIT
FAQs
🕵️♀️ Downloads a file and its checksums, validates the hash, and optionally extracts it if safe.
We found that careful-downloader demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.