Expand description
Pure-Rust utilities for the npm registry and web assets.
Building blocks for fetching browser/JS dependencies at build time without Node or npm:
registry— talk to an npm registry: build tarball URLs, fetch a package’s metadata, resolve the newest version matching a semver range, and search the registry (Registry::search).download— fetch bytes over HTTP (with a retry) and build GitHub archive URLs.extract— unpack.tar.gzand.ziparchives into a destination directory, selecting all files, an explicit file map, or a predicate, with path-traversal protection.path_safety— the path-traversal hardening shared byextractandinstall: reject../absolute paths and refuse symlink-redirected writes.cache— content-hash markers, a cross-process build lock, and directory helpers for skip-if-unchanged download caches.package_json— read pinned dependency versions from apackage.json, and resolve itsexports/module/browser/mainto browser entry points (for generating an ES-module import map).resolve— locate files inside an installed dependency undernode_modules/: walk up tonode_modules/<name>and map a<name>/<subpath>to a real file, honoring the package’sexportswhen declared.install— produce a realnode_modules/directory, pure Rust, with every tarball sha512-verified: resolve apackage.json’s transitivedependenciesagainst the registry (install::node_modules), or install the exact tree apackage-lock.jsonpins — devDependencies included,.binshims and all — annpm ciin Rust (install::from_lockfile).project— mutate apackage.jsonproject: keep the lock +node_modules/in sync (project::sync), upgrade dependencies within their ranges with a dry-run plan (project::plan_upgrade/project::upgrade), and remove them (project::remove).integrity— verify a downloaded tarball’ssha512Subresource-Integrity (both install paths check it before trusting bytes).sbom— render the packages apackage-lock.jsonpins as a license summary, a CycloneDX 1.6 document, or an SPDX 2.3 document — compliance artifacts, pure Rust, no Node.audit— check those same pinned packages against vulnerability advisories from multiple sources (npm’s registry endpoint, OSV) behind a small source trait —npm audit, pure Rust.
use npm_utils::{download, extract, registry::Registry};
let reg = Registry::npm();
let lit = reg.resolve("lit", &"^3".parse()?)?;
let tgz = download::fetch(&lit.tarball_url)?;
extract::tar_gz(&tgz, "dist/lit".as_ref(), Some("package/"), extract::Select::All)?;Modules§
- audit
- Vulnerability auditing for a parsed
package-lock.json—npm audit, pure Rust. - cache
- Skip-if-unchanged cache helpers: content-hash markers, a cross-process build lock, and directory utilities.
- download
- HTTP download helpers.
- extract
- Archive extraction, hardened against hostile archives.
- install
- Install a dependency tree into a
node_modules/directory — a pure-Rust “npm install” (node_modules, from apackage.json) and “npm ci” (from_lockfile, from apackage-lock.json). Each downloads, integrity-verifies, and extracts every package; the lockfile path also createsnode_modules/.bin/shims. Both are skip-if-unchanged (a marker besidenode_modules/) and concurrency-safe via a cross-process lock. - integrity
- Subresource-Integrity verification of downloaded tarballs.
- package_
json - Pure-Rust npm manifest + lockfile schemas, modeled on the npm specs:
- path_
safety - Path-traversal hardening shared by
crate::extractandcrate::install. - project
- Project-level mutations: operations on a directory that holds a
package.json— keep the lock andnode_modules/in step with the manifest (sync), upgrade dependencies within their ranges (upgrade, previewable withplan_upgrade), and remove them (remove). - registry
- npm registry interaction: tarball URLs, package metadata, and version resolution against a semver range.
- resolve
- Locate files inside an installed dependency under
node_modules/. - sbom
- Software bill of materials + license output for a parsed
package-lock.json.