npm-registry-client
Advanced tools
Comparing version 8.2.0 to 8.3.0
@@ -5,3 +5,2 @@ module.exports = publish | ||
| var semver = require('semver') | ||
| var crypto = require('crypto') | ||
| var Stream = require('stream').Stream | ||
@@ -11,2 +10,3 @@ var assert = require('assert') | ||
| var concat = require('concat-stream') | ||
| var ssri = require('ssri') | ||
@@ -89,6 +89,12 @@ function escaped (name) { | ||
| var tbURI = data.name + '/-/' + tbName | ||
| var integrity = ssri.fromData(tarbuffer, { | ||
| algorithms: ['sha1', 'sha512'] | ||
| }) | ||
| data._id = data.name + '@' + data.version | ||
| data.dist = data.dist || {} | ||
| data.dist.shasum = crypto.createHash('sha1').update(tarbuffer).digest('hex') | ||
| // Don't bother having sha1 in the actual integrity field | ||
| data.dist.integrity = integrity['sha512'][0].toString() | ||
| // Legacy shasum support | ||
| data.dist.shasum = integrity['sha1'][0].hexDigest() | ||
| data.dist.tarball = url.resolve(registry, tbURI) | ||
@@ -95,0 +101,0 @@ .replace(/^https:\/\//, 'http://') |
@@ -5,3 +5,3 @@ { | ||
| "description": "Client for the npm registry", | ||
| "version": "8.2.0", | ||
| "version": "8.3.0", | ||
| "repository": { | ||
@@ -27,3 +27,4 @@ "url": "https://github.com/npm/npm-registry-client.git" | ||
| "semver": "2 >=2.2.1 || 3.x || 4 || 5", | ||
| "slide": "^1.1.3" | ||
| "slide": "^1.1.3", | ||
| "ssri": "^4.1.2" | ||
| }, | ||
@@ -30,0 +31,0 @@ "devDependencies": { |
Fixed alerts
Environment variable access
Supply chain riskPackage accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by0.33%
68789
- Lines of code
- increased by0.39%
1552
- Number of low supply chain risk alerts
- decreased by-44.44%
5
Worsened metrics
- Dependency count
- increased by10%
11
Dependency changes
+ Addedssri@^4.1.2
+ Addedssri@4.1.6(transitive)