Get the source code of an NPM package

There is a way to get the source code of an NPM package without actually installing it: the npm view command. Use it like this:

npm view <package-name> dist.tarball

You'll get the URL of that package's compressed source code. Download it and examine it before you install the package.

Or automate the whole process:

npm v <package-name> dist.tarball | xargs curl | tar -xzf -

Question: Why don't we just install it with npm install and go to node_modules to see the code?

Answer: Because there's a preinstall script that will run before the package is installed. If the package is compromised, your computer will be at risk. The same goes for npm pack (which also downloads the package source code): there's a prepack script for it.

Date: 2019-01-24 Thu 00:00

Author: Huy Tran

Created: 2019-04-22 Mon 14:41