CLI for publishing immutable NPM packages/NodeJS modules
This is my attempt to solve some issues with NPM by using an immutable filesystem called IPFS. IPFS guarantees that whatever you downloads, will match with the hash you use to download that thing. cowpen is applying this to NodeJS modules.
It's mostly about being able to store and retrieve packages in a safe way that allows you to have reproducible builds, at all times.
pin a package, it'll be there until there is no seeds (similar to Bittorrent).cowpen might work on earlier releases of these programs but it has not been tested so we cannot guarantee anything. Please let us know if it work/doesn't work for you.
ipfs daemon --init --mountDaemon is ready in outputnpm install -g cowpen@/ipfs/IPFS-HASH-FOR-COWPENWait, what's the weird @/ipfs/... thing? That's the IPFS part of cowpen.
When NPM sees a filepath as the version argument, NPM tries to "download" the module from the filesystem instead.
And in the first step, you run IPFS with the --mount argument, IPFS mounts /ipfs and /ipns to serve content from IPFS.
So with a little bit of magic, we have installed cowpen with IPFS. Simple huh?
You just use NPM like you're used to, but without shrinkwrap and versions being IPFS hashes instead of semvers.
You want to install a package and save it in your local project? Find out the hash (cowpen will include search in the future) and install it!
npm install --save lodash@/ipfs/Qmec32NqcZCh83t9QhrfVFnHq9eHSNr389y8z6mSvBabDp
Now it's installed, and with the hash we make sure that you always have the same version installed.
You want to install all dependencies in a project that is using cowpen?
npm install
It couldn't get any easier than this.
Simple! Just do: (while being in the directory of the package you want to publish)
cowpen publish
And cowpen will return you the path you can use for installing your package.
If you're clever, you include this hash wherever you are doing releases, like a mailing list, Github Release or the Git tag when creating it.
That way, people who want to use your package via cowpen, can easily find it.
Well, here is the tricky part. We haven't quite figured out searching yet, but the idea is for every user to run their own ipfs daemon, with a keybase account for verifying the publishing...
But right now, we don't really have a solution for this. Best would be for you to simply include the hash wherever you do releases currently.
If package A publishes version 1 as ABDEF and package B publishes version 1 as ABDEF, what happens?
A package version has to published by the same peer ID as the first version was published as.
So in this case, publishing by package B would be blocked from cowpen. But what if he simple inserts the hash manually?
Rejected!
What does Cowpen mean? Well, I don't know. The name is taken from a street in Bahamas.
If you have any questions, open a Github issue here: github.com/VictorBjelkholm/cowpen/issues/new
or feel free to contact me on Twitter here: @VictorBjelkholm
The MIT License (MIT)
Copyright (c) 2016 Victor Bjelkholm
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQs
Dependency manager utilizing IPFS
We found that cowpen demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Socket now integrates with Bun 1.3’s Security Scanner API to block risky packages at install time and enforce your organization’s policies in local dev and CI.
Research
The Socket Threat Research Team is tracking weekly intrusions into the npm registry that follow a repeatable adversarial playbook used by North Korean state-sponsored actors.
Security News
A data handling bug in OSV.dev caused disputed CVEs to disappear from vulnerability feeds until a recent fix restored over 500 advisories.