Node Package Verify
This package was inspired by Darcy Clarke's blog post about manifest confusion.
npverify is still pretty hacky and I'm happy to consider any pull requests to improve it.
Usage
npverify can be used as a command line tool or as a library. To use it as a command line tool, simply run
python -m npverify verify [PACKAGENAME]
.
npverify will download the manifest and tarball for the latest release of the package and compare the values in package.json
against the manifest.
As it turns out, this is a mess, and almost no package is without some kind of deviation. To eliminate expected deviations npverify attempts to (incompletely) implements npm's normalization for package data.