Crate npm_utils

Pure-Rust utilities for the npm registry and web assets.

Building blocks for fetching browser/JS dependencies at build time without Node or npm:

  • registry — talk to an npm registry: build tarball URLs, fetch a package’s metadata, and resolve the newest version matching a semver range.
  • download — fetch bytes over HTTP (with a retry) and build GitHub archive URLs.
  • extract — unpack .tar.gz and .zip archives into a destination directory, selecting all files, an explicit file map, or a predicate, with path-traversal protection.
  • path_safety — the path-traversal hardening shared by extract and install: reject paths that contain .. components or are absolute, and refuse symlink-redirected writes.
  • cache — content-hash markers, a cross-process build lock, and directory helpers for skip-if-unchanged download caches.
  • package_json — read pinned dependency versions from a package.json, and resolve its exports/module/browser/main to browser entry points (for generating an ES-module import map).
  • install — produce a real node_modules/ directory, pure Rust, with every tarball sha512-verified: resolve a package.json’s transitive dependencies against the registry (install::node_modules), or install the exact tree a package-lock.json pins — devDependencies included, .bin shims and all — an npm ci in Rust (install::from_lockfile).
  • integrity — verify a downloaded tarball’s sha512 Subresource-Integrity (both install paths check it before trusting bytes).
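
use npm_utils::{download, extract, registry::Registry};

// Resolve the newest lit release matching the semver range ^3.
let reg = Registry::npm();
let lit = reg.resolve("lit", &"^3".parse()?)?;
// Fetch the tarball bytes, then unpack every file (Select::All) into dist/lit.
let tgz = download::fetch(&lit.tarball_url)?;
extract::tar_gz(&tgz, "dist/lit".as_ref(), Some("package/"), extract::Select::All)?;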
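
The path-traversal hardening that the path_safety item describes (reject ../absolute paths, refuse symlink-redirected writes) can be sketched with the standard library alone. This is an added example, not npm_utils' own code: safe_join, SAMPLES and the demo directory are hypothetical names, the entry names are constructed, and it assumes a Unix-like host for the symlink call.

```rust
use std::fs;
use std::io::{Error, ErrorKind, Result};
use std::path::{Component, Path, PathBuf};

/// Hypothetical helper (not npm_utils' API): map an archive entry name to a
/// path under `dest`, or fail if writing it could land outside `dest`.
pub fn safe_join(dest: &Path, entry: &str) -> Result<PathBuf> {
    let deny = |why: &str| Error::new(ErrorKind::InvalidInput, format!("{}: {}", entry, why));
    let mut out = dest.to_path_buf();
    for comp in Path::new(entry).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => continue,
            Component::ParentDir => return Err(deny("'..' component")),
            Component::RootDir | Component::Prefix(_) => return Err(deny("absolute path")),
        }
        // A symlink planted by an earlier entry would redirect this write,
        // so every path element that already exists on disk is inspected.
        if let Ok(meta) = fs::symlink_metadata(&out) {
            if meta.file_type().is_symlink() {
                return Err(deny("passes through a symlink"));
            }
        }
    }
    if out.as_path() == dest {
        return Err(deny("empty entry name"));
    }
    Ok(out)
}

/// Constructed entry names, mixing benign ones with hostile ones.
pub const SAMPLES: [&str; 5] = [
    "package/index.js", "./package/a.js", "package/../../etc/passwd", "/etc/passwd", "link/evil.js",
];

fn main() -> Result<()> {
    let dest = std::env::temp_dir().join(format!("safe_join_demo_{}", std::process::id()));
    fs::create_dir_all(&dest)?;
    // Stand-in for a symlink that an earlier archive entry created (Unix only).
    std::os::unix::fs::symlink(std::env::temp_dir(), dest.join("link"))?;
    for entry in SAMPLES.iter() {
        match safe_join(&dest, entry) {
            Ok(p) => println!("allow  {} -> {}", entry, p.display()),
            Err(e) => println!("reject {}", e),
        }
    }
    fs::remove_dir_all(&dest)
}
```

The check is lexical plus a symlink probe at extraction time, so the returned path should be written immediately rather than cached across entries.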

Modules

cache
Skip-if-unchanged cache helpers: content-hash markers, a cross-process build lock, and directory utilities.
download
HTTP download helpers.
extract
Archive extraction, hardened against hostile archives.
install
Install a dependency tree into a node_modules/ directory — a pure-Rust “npm install” (node_modules, from a package.json) and “npm ci” (from_lockfile, from a package-lock.json). Each downloads, integrity-verifies, and extracts every package; the lockfile path also creates node_modules/.bin/ shims. Both are skip-if-unchanged (a marker beside node_modules/) and concurrency-safe via a cross-process lock.
integrity
Subresource-Integrity verification of downloaded tarballs.
package_json
Pure-Rust npm manifest + lockfile schemas, modeled on the npm specs:
path_safety
Path-traversal hardening shared by crate::extract and crate::install.
registry
npm registry interaction: tarball URLs, package metadata, and version resolution against a semver range.