package-hash
Generates a hash for an installed npm package, useful for salting caches
The package-hash npm package is designed to generate a hash from the contents of a Node.js package. It computes a hash based on the actual contents of the package files, making it useful for tasks such as cache busting, integrity checks, or detecting changes in package contents.
Generate hash from package contents
This feature allows you to generate a hash string from the contents of a package located at a specified path. The function returns a promise that resolves with the hash.
const packageHash = require('package-hash');
// The argument must be the path to an existing package.json file.
packageHash('path/to/package/package.json').then(hash => {
  console.log('Package hash:', hash);
}).catch(err => {
  console.error('Error generating package hash:', err);
});
Hasha is a Node.js library for hashing using Node.js' built-in crypto module. It supports various algorithms and can hash strings, buffers, and streams. Compared to package-hash, hasha is more flexible in terms of input types but does not specifically target package contents for hashing.
Checksum is a simple package to create checksums of files and directories in Node.js. It is similar to package-hash in that it can be used to verify the integrity of package contents. However, checksum provides a simpler API with fewer configuration options compared to package-hash.
Generates a hash for an installed npm package, useful for salting caches. AVA for example caches precompiled test files. It generates a salt for its cache based on the various packages that are used when compiling the test files.
package-hash can generate an appropriate hash based on the package location (on disk) and the package.json file. This hash is salted with a hash for the package-hash itself.
package-hash can detect when the package-to-be-hashed is a Git repository. In the AVA example this is useful when you're debugging one of the packages used to compile the test files. You can clone it locally and use npm link so AVA can find the clone. The hash will include the HEAD (.git/HEAD) and its corresponding ref (e.g. .git/refs/heads/master), any packed refs (.git/packed-refs), as well as the diff (git diff) for any non-committed changes. This makes it really easy to test your changes without having to explicitly clear the cache in the parent project.
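The following is an added sketch, not package-hash's own code, of how the inputs described above can feed a cache salt; its digests will not match package-hash's output. The names sketchPackageSalt, readIfExists and makeFixture are hypothetical, SHA-256 is an assumption, and the git diff of uncommitted changes is left out.

```javascript
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Read a file if it exists; a missing file contributes nothing to the hash.
function readIfExists(file) {
  try { return fs.readFileSync(file); } catch (err) {
    if (err.code === 'ENOENT') return null;
    throw err;
  }
}

// Hypothetical helper: derive a cache salt from a package.json path.
function sketchPackageSalt(packageJsonPath, salt = '') {
  const dir = path.dirname(packageJsonPath);
  const h = crypto.createHash('sha256'); // algorithm is an assumption
  const add = (label, data) => {
    if (data === null) return;
    const buf = Buffer.from(data);
    h.update(`${label}:${buf.length}:`); // length prefix keeps fields unambiguous
    h.update(buf);
  };
  add('salt', typeof salt === 'string' || Buffer.isBuffer(salt) ? salt : JSON.stringify(salt));
  add('dir', dir); // package location on disk
  add('package.json', fs.readFileSync(packageJsonPath));
  const head = readIfExists(path.join(dir, '.git', 'HEAD'));
  if (head !== null) { // the package directory is a Git checkout
    add('HEAD', head);
    const m = /^ref: (.+)$/m.exec(head.toString('utf8'));
    if (m) add('ref', readIfExists(path.join(dir, '.git', m[1].trim())));
    add('packed-refs', readIfExists(path.join(dir, '.git', 'packed-refs')));
  }
  return h.digest('hex');
}

// Constructed fixture: a fake package directory with a fake Git checkout.
function makeFixture() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'salt-demo-'));
  fs.writeFileSync(path.join(dir, 'package.json'), '{"name":"demo","version":"1.0.0"}');
  fs.mkdirSync(path.join(dir, '.git', 'refs', 'heads'), { recursive: true });
  fs.writeFileSync(path.join(dir, '.git', 'HEAD'), 'ref: refs/heads/master\n');
  fs.writeFileSync(path.join(dir, '.git', 'refs', 'heads', 'master'), 'a'.repeat(40) + '\n');
  return dir;
}

const demoDir = makeFixture();
console.log('salt:', sketchPackageSalt(path.join(demoDir, 'package.json')));
```

Moving the branch ref to a new commit or editing package.json changes the returned salt, so any cache keyed on it is treated as stale.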
$ npm install --save package-hash
const packageHash = require('package-hash')
// Asynchronously (inside an async function):
const hash = await packageHash(require.resolve('babel-core/package.json'))
// Synchronously:
const syncHash = packageHash.sync(require.resolve('babel-core/package.json'))
packageHash() / packageHash.sync() must be called with a file path for an existing package.json file. To get the path to an npm package it's easiest to use require.resolve('the-name/package.json').
You can provide multiple paths:
const hash = await packageHash([
  require.resolve('babel-core/package.json'),
  require.resolve('babel-preset-es2015/package.json')
])
An optional salt value can also be provided:
const hash = await packageHash(require.resolve('babel-core/package.json'), 'salt value')
packageHash(paths, salt?)
paths: string | string[] ➜ can be a single file path, or an array of paths.
salt: Array | Buffer | Object | string ➜ optional. If an Array or Object (not null) it is first converted to a JSON string.
Returns a promise for the hex-encoded hash string.
packageHash.sync(paths, salt?)
paths: string | string[] ➜ can be a single file path, or an array of paths.
salt: Array | Buffer | Object | string ➜ optional. If an Array or Object (not null) it is first converted to a JSON string.
Returns a hex-encoded hash string.
package-hash has been tested with Node.js 8 and above, including Windows support.
FAQs
The npm package package-hash receives a total of 2,980,230 weekly downloads. As such, package-hash is classified as popular.
We found that package-hash demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.