An IPFS-backed package manager proxy cache, packaged up as an electron menu bar app.
⚠️ This project is early development, things may not work and there will be frequent breaking changes ⚠️
Forest proxies package manager HTTP requests, caches each requested package onto IPFS, and then announces the CID of the newly cached package on the IPFS public DHT.
Forest also listens for announcements of packages being cached to IPFS by other instances and stores the announced metadata. The next time forest proxies a request for a package it already has a CID for, it will attempt to download the package via IPFS first, falling back to downloading it from the original source over HTTP if the IPFS download fails.
Forest trusts other instances but also verifies that the packages downloaded from IPFS match the original copies from the upstream registry.
Package metadata is also cached locally so you can use your package manager whilst offline too.
Currently npm is the only supported package manager, but support for others such as Go, RubyGems and Homebrew is planned for the future.
- Headless CLI - run forest as a daemon, ideal for usage on a server or in CI
- Republish local packages - republish all packages and their dependencies found in local metadata for resilient offline usage
- Seeding mode - republish copies of all packages announced on the IPFS public DHT
- Export/import - easily share multiple cached packages instantly with other instances via IPFS
- Watch mode - watch for new package releases and seed each one to IPFS
- Package index UI - see which packages have been proxied, cached and stored on IPFS
- Local package search - search through locally available packages
- HTTP API - control forest over HTTP
- JavaScript API - integrate forest into other JavaScript applications
Build from source on mac:

```shell
git clone https://github.com/forestpm/forest.git
cd forest
npm install
```

Configure npm to use forest as a proxy:

```shell
npm run config
# or manually set the following in your .npmrc
npm config set proxy http://0.0.0.0:8005/
npm config set https-proxy http://0.0.0.0:8005/
npm config set registry http://registry.npmjs.org/
# strict-ssl false turns off npm's TLS certificate checking; keep it scoped to this local-proxy setup
npm config set strict-ssl false
# restore the defaults with
npm run unconfig
```

Ensure IPFS is running locally with pubsub enabled:

```shell
npm run ipfs
# or
ipfs daemon --enable-pubsub-experiment
```

Start the electron app:

```shell
npm start
```

or compile the electron app into `./dist`:

```shell
npm run pack
```

and link the command line interface:

```shell
npm link
```
Run just the HTTP server directly in the command line:

```shell
forest server
```

You can help seed packages without running a proxy:

```shell
forest seed
```

You can watch for all new packages and publish them to IPFS:

```shell
forest watch
```

Import all packages from a package-lock.json file and record them in a forest.lock file:

```shell
forest republish
```

Read a forest.lock file and download and verify each package via IPFS:

```shell
forest import
```

List all the packages and versions that forest has cached locally:

```shell
forest packages
```

Search the current directory for package-lock.json files and import all packages listed:

```shell
forest preload
```

Check for updates to all cached packages and download any missing ones:

```shell
forest update
```

Validate the CID of each cached package version:

```shell
forest verify
```

Empty the forest database and remove all cached packages:

```shell
forest reset
```
The npm package forestpm receives a total of 2 weekly downloads. As such, forestpm popularity was classified as not popular.
We found that forestpm demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.