mongodb-client-encryption - npm Package Compare versions

Comparing version 6.1.0-alpha to 6.1.0-alpha.0

HISTORY.md

@@ -5,2 +5,10 @@ # Changelog
 
+## [6.1.0-alpha.0](https://github.com/mongodb-js/mongodb-client-encryption/compare/v6.1.0-alpha...v6.1.0-alpha.0) (2024-06-28)
+
+
+### Bug Fixes
+
+* **MONGOSH-1808:** static building on intel macs and windows ([#24](https://github.com/mongodb-js/mongodb-client-encryption/issues/24)) ([f27e8e1](https://github.com/mongodb-js/mongodb-client-encryption/commit/f27e8e1d658dfa269d684d632727b5abf89ecae5))
+* **NODE-6237:** build against glibc 2.27 ([#28](https://github.com/mongodb-js/mongodb-client-encryption/issues/28)) ([1c9b74a](https://github.com/mongodb-js/mongodb-client-encryption/commit/1c9b74a2fe2d4974e0d09ab25f2e5740111bbe07))
+
 ## [6.1.0-alpha](https://github.com/mongodb-js/mongodb-client-encryption/compare/v6.0.1...v6.1.0-alpha) (2024-06-17)
@@ -7,0 +15,0 @@

package.json

 {
   "name": "mongodb-client-encryption",
-  "version": "6.1.0-alpha",
+  "version": "6.1.0-alpha.0",
   "description": "Official client encryption module for the MongoDB Node.js driver",
@@ -49,3 +49,3 @@ "main": "lib/index.js",
     "@typescript-eslint/eslint-plugin": "^7.7.0",
-    "bson": "^6.6.0",
+    "bson": "^6.7.0",
     "chai": "^4.4.1",
@@ -52,0 +52,0 @@ "chai-subset": "^1.6.0",

README.md

@@ -26,2 +26,30 @@ # MongoDB Client Encryption
 
+### Release Integrity
+
+Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg:
+
+```
+gpg --import node-driver.asc
+```
+
+The GitHub release contains a detached signature file for the NPM package (named
+`mongodb-client-encryption-X.Y.Z.tgz.sig`).
+
+The following command returns the link npm package. 
+```shell
+npm view mongodb-client-encryption@vX.Y.Z dist.tarball 
+```
+
+Using the result of the above command, a `curl` command can return the official npm package for the release.
+
+To verify the integrity of the downloaded package, run the following command:
+```shell
+gpg --verify mongodb-client-encryption-X.Y.Z.tgz.sig mongodb-client-encryption-X.Y.Z.tgz
+```
+
+>[!Note]
+No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical.
+
+To verify the native `.node` packages, follow the same steps as above using `mongodb-client-encryption-X.Y.Z-platform.tgz` and the corresponding `.sig` file.
+
 ### Development
@@ -31,8 +59,32 @@
 
-Run the following command to build libmongocrypt and setup the node bindings for development:
 
+Run the following command to build libmongocrypt and you are setup to develop the node bindings:
+
 ```shell
-bash ./etc/build-static.sh
+npm run install:libmongocrypt
 ```
 
+#### `libmongocrypt.mjs`
+
+```
+node libmongocrypt.mjs [optional flags]
+
+By default attempts to download and compile the bindings with the crypto prebuilds of libmongocrypt.
+Can be configured to clone and build without crypto.
+
+--gitURL=string         A custom remote git repository to clone libmongocrypt from. You must also set --build to use this.
+--libVersion=string     A custom version reference to either download or checkout after cloning.
+                        You may use "latest" to get current libmongocrypt `HEAD`.
+--clean                 Combined with --build, the script will not skip cloning and rebuilding libmongocrypt.
+--build                 Instead of downloading, clone and build libmongocrypt along with the bindings.
+--dynamic               Skips cloning or downloading libmongocrypt, runs prebuild with build_type set to "dynamic" to compile
+                        a prebuild that links to a system copy of libmongocrypt.
+--skip-bindings         Skips running prebuild. Useful if only the libmongocrypt dependency is desired.
+
+Only suitable for local development:
+
+--fastDownload          If you are improving this script or otherwise repeatedly downloading libmongocrypt,
+                        this flag will interrupt the un-tar operation as early as possible. It should work, most of the time.
+```
+
 #### Prebuild Platforms
@@ -39,0 +91,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

92270

increased by3.25%

Number of lines in readme file

114

increased by83.87%

Number of medium supply chain risk alerts

1

decreased by-50%

No dependency changes