
package-hash
Generates a hash for an installed npm package, useful for salting caches. AVA, for example, caches precompiled test files. It generates a salt for its cache based on the various packages that are used when compiling the test files.
package-hash can generate an appropriate hash based on the package location
(on disk) and the package.json file. This hash is salted with a hash
for the package-hash itself.
package-hash can detect when the package-to-be-hashed is a Git repository. In
the AVA example this is useful when you're debugging one of the packages used to
compile the test files. You can clone it locally and use npm link so AVA can
find the clone. The hash will include the HEAD (.git/HEAD) and its
corresponding ref (e.g. .git/refs/heads/master), any packed refs
(.git/packed-refs), as well as the diff (git diff) for any non-committed
changes. This makes it really easy to test your changes without having to
explicitly clear the cache in the parent project.
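The inputs listed above can be illustrated with a short sketch. This is an added example, not package-hash's own code or algorithm: `illustrativeSalt` and `demo` are hypothetical names, the sample package is constructed in a temp directory, and the self-salt and the `git diff` step are left out.

```javascript
// Added illustration; NOT package-hash's real algorithm. Names are hypothetical.
const crypto = require('crypto')
const fs = require('fs')
const os = require('os')
const path = require('path')

// Optional inputs (.git files) contribute nothing when absent.
const readIfExists = (file) => (fs.existsSync(file) ? fs.readFileSync(file) : null)

// Hash the package location, its package.json and, for a clone, the Git ref state.
function illustrativeSalt (dir) {
  const h = crypto.createHash('sha256')
  // Label and length-prefix each input so adjacent fields cannot run together.
  const add = (label, buf) => h.update(`${label}:${buf.length}:`).update(buf)
  add('dir', Buffer.from(path.resolve(dir)))
  add('package.json', fs.readFileSync(path.join(dir, 'package.json'))) // must exist
  const gitDir = path.join(dir, '.git')
  const head = readIfExists(path.join(gitDir, 'HEAD'))
  if (head) {
    add('HEAD', head)
    const m = /^ref: (.+)$/m.exec(head.toString('utf8'))
    const name = m ? m[1].trim() : ''
    // Only follow refs that stay inside .git/refs.
    const safe = name.startsWith('refs/') && !name.split('/').includes('..')
    const ref = safe ? readIfExists(path.join(gitDir, ...name.split('/'))) : null
    if (ref) add('ref', ref)
    const packed = readIfExists(path.join(gitDir, 'packed-refs'))
    if (packed) add('packed-refs', packed)
  }
  return h.digest('hex')
}

// Constructed sample: a throwaway package, first plain, then made to look like a clone.
function demo () {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'salt-demo-'))
  const refFile = path.join(dir, '.git', 'refs', 'heads', 'master')
  fs.writeFileSync(path.join(dir, 'package.json'), '{"name":"demo","version":"1.0.0"}')
  const plain = illustrativeSalt(dir)
  const again = illustrativeSalt(dir)
  fs.mkdirSync(path.dirname(refFile), { recursive: true })
  fs.writeFileSync(path.join(dir, '.git', 'HEAD'), 'ref: refs/heads/master\n')
  fs.writeFileSync(refFile, 'a'.repeat(40) + '\n') // constructed commit id
  const cloneA = illustrativeSalt(dir)
  fs.writeFileSync(refFile, 'b'.repeat(40) + '\n') // branch moves to a new commit
  const cloneB = illustrativeSalt(dir)
  fs.rmSync(dir, { recursive: true, force: true })
  return { plain, again, cloneA, cloneB }
}
```

Calling `demo()` returns four salts: the two plain ones match, and each change to the Git state produces a different value, which is what lets a cache keyed on the salt drop stale entries without being cleared by hand.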
```
$ npm install --save package-hash
```

```js
const sync = require('package-hash').sync
const hash = sync(require.resolve('babel-core/package.json'))
```
sync() can be called with a directory or file path. File paths are translated
to directories using path.dirname(). The path must exist. A package.json must
exist within the directory.
To get the path to an npm package it's best to use
require.resolve('the-name/package.json'), since require.resolve('the-name')
may resolve to a subdirectory of the package.
Currently only a synchronous interface is available.
package-hash has been tested with Node 0.10 and above, including Windows
support. Note that git diff support is not available in Node 0.10.
Hasha is a Node.js library for hashing using Node.js' built-in crypto module. It supports various algorithms and can hash strings, buffers, and streams. Compared to package-hash, hasha is more flexible in terms of input types but does not specifically target package contents for hashing.
Checksum is a simple package to create checksums of files and directories in Node.js. It is similar to package-hash in that it can be used to verify the integrity of package contents. However, checksum provides a simpler API with fewer configuration options compared to package-hash.
FAQs
Generates a hash for an installed npm package, useful for salting caches
The npm package package-hash receives a total of 5,134,184 weekly downloads. As such, package-hash popularity was classified as popular.
We found that package-hash demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.