npm-utils 0.4.0

Pure-Rust utilities for the npm registry: resolve a package version, download npm tarballs and GitHub archives, and extract files.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

//! Pure-Rust utilities for the npm registry and web assets.
//!
//! Building blocks for fetching browser/JS dependencies at build time without
//! Node or npm:
//!
//! - [`registry`] — talk to an npm registry: build tarball URLs, fetch a
//!   package's metadata, and resolve the newest version matching a semver range.
//! - [`download`] — fetch bytes over HTTP (with a retry) and build GitHub
//!   archive URLs.
//! - [`extract`] — unpack `.tar.gz` and `.zip` archives into a destination
//!   directory, selecting all files, an explicit file map, or a predicate, with
//!   path-traversal protection.
//! - [`path_safety`] — the path-traversal hardening shared by `extract` and
//!   `install`: reject `..`/absolute paths and refuse symlink-redirected writes.
//! - [`cache`] — content-hash markers, a cross-process build lock, and directory
//!   helpers for skip-if-unchanged download caches.
//! - [`package_json`] — read pinned dependency versions from a `package.json`, and
//!   resolve its `exports`/`module`/`browser`/`main` to browser entry points (for
//!   generating an ES-module import map).
//! - [`install`] — produce a real `node_modules/` directory, pure Rust, with every tarball
//!   sha512-verified: resolve a `package.json`'s transitive `dependencies` against the registry
//!   ([`install::node_modules`]), or install the exact tree a `package-lock.json` pins —
//!   devDependencies included, `.bin` shims and all — an `npm ci` in Rust
//!   ([`install::from_lockfile`]).
//! - [`integrity`] — verify a downloaded tarball's `sha512` Subresource-Integrity (both
//!   install paths check it before trusting bytes).
//!
//! ```no_run
//! use npm_utils::{download, extract, registry::Registry};
//!
//! # fn main() -> Result<(), Box<dyn std::error::Error>> {
//! let reg = Registry::npm();
//! let lit = reg.resolve("lit", &"^3".parse()?)?;
//! let tgz = download::fetch(&lit.tarball_url)?;
//! extract::tar_gz(&tgz, "dist/lit".as_ref(), Some("package/"), extract::Select::All)?;
//! # Ok(()) }
//! ```

pub mod cache;
pub mod download;
pub mod extract;
pub mod install;
pub mod integrity;
// The npm `package.json` / `package-lock.json` schemas — a pure-parsing module (no IO),
// modeled on the npm specs, with strict spec-conformance tests living beside it.
pub mod package_json;
pub mod path_safety;
pub mod registry;