Does Node.js’s npm provide cryptographic authentication and integrity validation?
Does Node.js's npm package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing installation instructions with steps asking the user to install Node.js dependencies with npm install ... . I usually don't do this, as I trust my OS package manager (i.e. apt) to actually validate the origin/trust and integrity of the package before installing it.
Does npm provide cryptographic authentication and integrity checks for all items downloaded before installing them by default?
Note: Transport validation via X.509 does not count as a valid auth/integrity check.
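As an added illustration of the integrity side of this question (not part of the question above), the following Python script checks a package tarball against the Subresource Integrity (SRI) string that package-lock.json (lockfileVersion 2/3) stores in each package's "integrity" field, the way an independent verification step would. The tarball bytes and the lockfile are constructed samples, and "demo-pkg" is a hypothetical package name; note that this verifies only that the bytes match what the lockfile pinned, not who published them.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for a downloaded package tarball (not a real npm package).
SAMPLE_TARBALL = b"constructed tarball bytes for the demo, not a real package"

def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Build an SRI string ('<algo>-<base64 digest>'), the format used in the
    'integrity' field of package-lock.json entries."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_sri(data: bytes, integrity: str) -> bool:
    """Verify data against an SRI integrity string. SRI allows several
    whitespace-separated entries; the strongest recognised algorithm is used.
    Unknown or legacy algorithms (e.g. sha1) are not accepted."""
    strength = {"sha256": 1, "sha384": 2, "sha512": 3}
    best = None
    for entry in integrity.split():
        algo, _, b64 = entry.partition("-")
        b64 = b64.split("?", 1)[0]  # drop any SRI option suffix
        if algo not in strength:
            continue
        if best is None or strength[algo] > strength[best[0]]:
            best = (algo, b64)
    if best is None:
        return False
    algo, expected = best
    actual = base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")
    return hmac.compare_digest(actual, expected)  # constant-time compare

def check_lockfile_entry(lock_json: str, name: str, data: bytes) -> bool:
    """Look up 'node_modules/<name>' in a v2/v3 lockfile and verify the tarball
    bytes against its pinned integrity value. Missing entry or missing
    integrity field counts as a failure, not a pass."""
    lock = json.loads(lock_json)
    entry = lock.get("packages", {}).get(f"node_modules/{name}")
    if not entry or "integrity" not in entry:
        return False
    return verify_sri(data, entry["integrity"])

# Constructed lockfile fragment pinning the sample tarball (hypothetical package).
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {"node_modules/demo-pkg": {
        "version": "0.0.0",
        "resolved": "https://registry.example.invalid/demo-pkg-0.0.0.tgz",
        "integrity": sri_digest(SAMPLE_TARBALL)}}})

if __name__ == "__main__":
    print("demo-pkg ok:", check_lockfile_entry(SAMPLE_LOCK, "demo-pkg", SAMPLE_TARBALL))
    print("tampered ok:", check_lockfile_entry(SAMPLE_LOCK, "demo-pkg", SAMPLE_TARBALL + b"x"))
```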