Verify shrinkpack-ed packages are the same as remote about shrinkpack HOT 3 CLOSED

I'd be hesitant to have the scope of shrinkpack creep too far I think @5id. I think there could be a case though for someone taking these ideas and making a general purpose shrinkwrap verification tool, which isn't coupled to shrinkpack.

from shrinkpack.

@JamieMason just fyi, I investigated how hard it would be to do this. Fortunately, all remote packages already have a shasum that gets returned in the package json so all we need to do is calculate the sha of the file.

NPM does appear to do a shasum check against the tar when it installs a package - when using shrinkwrap it doesn't seem to do the same check. At least, I replaced one tar with another one and it still said it installed.

The commit in question is over here: https://github.com/5id/shrinkverify/commit/38a0ebce3f3ce2c507bddc3c3bf0d59052655d54

If it's a bit out of scope for this package, I may look at furthering this myself as currently we can't be 100% confidence that the files we have are the same as the files that we would get if we downloaded remotely.

The way I'm planning to use this is something like:

1. Pull repo onto CD with node_shrinkpack
2. Re-run shrinkpack (or new tool) to verify packages are properly set/correct
3. Copy the node_shrinkpack across to a docker image, publish that to a private repo

from shrinkpack.

I'm away now until the weekend but I'll have a think whether to add this. I need to understand it better which your last comment will help with when I get back.

from shrinkpack.