A tool to verify that published npm packages haven't been compromised by comparing them against their source code.
This tool helps you verify that the code published to npm matches what you'd get by building the source code yourself. It does this by:
- Version Check — Ensures the source code version matches the installed package version
- Build — Builds the package from source using the specified build script
- Checksum Generation — Creates SHA256 checksums of both the built output and the installed package
- Comparison — Compares checksums to detect any differences
Build outputs are preserved so you can manually inspect differences if any are found.
```sh
pnpm install
```

Add the npm packages you want to verify to `package.json` dependencies:

```json
{
  "dependencies": {
    "@example/package": "1.0.0"
  }
}
```

Clone or copy the package's source code into the `packages/` directory. Make sure you have the exact source code that corresponds to the published version.

```
packages/
└── example-package/
    ├── package.json
    ├── src/
    └── ...
```
Create entries in `config.json` for each package you want to verify:

```json
{
  "@example/package": {
    "path": "packages/example-package",
    "dist": "dist",
    "buildScript": "pnpm run build"
  }
}
```

| Field | Description |
|---|---|
| `path` | Path to the source code directory (relative to project root) |
| `dist` | Path to the build output folder (relative to `path`) |
| `buildScript` | Command to build the package |
| `ignore` | (Optional) Array of glob patterns for files to exclude from comparison |
For example, with ignore patterns for source maps and TypeScript build info:

```json
{
  "@example/package": {
    "path": "packages/example",
    "dist": "dist",
    "buildScript": "pnpm run build",
    "ignore": ["*.js.map", "tsconfig.tsbuildinfo"]
  }
}
```

Run the integrity check:

```sh
pnpm run check
```

Or directly with Node:

```sh
node index.js
```

The tool provides detailed output for each package:
```
============================================================
📦 Checking: @example/package
============================================================
[1/4] Checking version match...
✅ Version match: 1.0.0
[2/4] Building package...
✅ Build completed successfully
[3/4] Generating checksums...
Source dist checksum: abc123...
Installed checksum: abc123...
[4/4] Comparing checksums...
✅ All checksums match! Package integrity verified ✓
```
| Code | Meaning |
|---|---|
| 0 | All packages passed integrity check |
| 1 | One or more packages failed |
If you see a version mismatch error, ensure your source code matches the exact version installed:

```
❌ Version mismatch! Source: 1.0.0, Installed: 1.0.1
⚠️ Please update the source code to version 1.0.1
```

Solution: Check out the correct git tag/commit for the installed version.
If checksums don't match:
- Verify you have the correct source code version
- Check if the build process is deterministic
- Compare the differing files manually to investigate
If the build fails:
- Ensure all build dependencies are installed
- Check that the `buildScript` is correct
- Try running the build manually in the package directory
```
package-integrity-check/
├── index.js          # Main integrity check script
├── config.json       # Package configuration
├── package.json      # Project dependencies (includes packages to verify)
├── node_modules/     # Installed packages (from npm)
└── packages/         # Source code of packages to verify
    └── {package}/
        ├── package.json
        └── ...
```

License: ISC