pkg: add lockfile #642

Merged
merged 2 commits into from
Nov 30, 2018

Conversation

braydonf
Contributor

Closes #619

@pinheadmz
Member

✅ Installed clean at a916bfa everything works and all test pass! Is there anything else a user can do to verify? Or npm install just takes care of it? How could I test a verification-failure just to experience it?

@braydonf
Contributor Author

braydonf commented Nov 29, 2018

You can change the hashes to something obviously wrong to verify that npm is checking them. You should see something like this:

```
$ npm install
npm ERR! code EINTEGRITY
npm ERR! sha512-xCBgECKslwrCOLnDpCCzxVH0ljBAeZr2ci3CakICBAtSAQINyTyfJ9Rk1zCJ+xecI5a2cndNYC8l116//0swUg== integrity checksum failed when using sha512: wanted sha512-xCBgECKslwrCOLnDpCCzxVH0ljBAeZr2ci3CakICBAtSAQINyTyfJ9Rk1zCJ+xecI5a2cndNYC8l116//0swUg== but got sha512-xCBgECKslwrCOLnDpCCzxVH0ljBAeZr2ci3CaKICBAtSAQINyTyfJ9Rk1zCJ+xEcI5a2cndNYC8l116//0sWUg==. (5708 bytes)
```

Next is to verify that the hash is of the code that it's expected to be.

``` bash
$ npm install -g bcoin --production
```
Bcoin is meant to be installed via git for security purposes, as there are security issues when installing via npm. All tagged commits for release should be signed by @chjj's [PGP key][keybase] (`B4B1F62DBAC084E333F3A04A8962AB9DE6666BBD`). Signed copies of node.js are available from [nodejs.org][node], or from your respective OS's package repositories.

👍

@chjj
Member

chjj commented Nov 30, 2018

Looks good. I love how small our package-lock.json is now.

Going forward we should start doing tarball releases as well. I've been working on a simple tool which creates a non-npm tarball and generates a build file for the native dependencies.

@chjj chjj merged commit 314933c into bcoin-org:master Nov 30, 2018
@braydonf braydonf deleted the pkg-lockfile branch November 30, 2018 20:30
@braydonf braydonf added this to the 2.0.0 milestone Jan 6, 2020

Successfully merging this pull request may close these issues.

Security of dependencies