搜索并选择要下载的包

你可以使用 npm 搜索栏来查找要在项目中使用的包。搜索使用软件包标题、说明、自述文件和关键字中的内容进行，由 opensearch 提供支持。搜索结果基于软件包标题、描述、自述文件和关键字的关键字匹配显示。不应用任何主观排名标准，除了最低限度地提高垃圾软件包或全新软件包的优先级，旨在对所有其他软件包保持中立立场。

¥You can use the npm search bar to find packages to use in your projects. The search is performed using content from the package's title, description, readme, and keywords and is powered by opensearch. Search results are displayed based on keyword matching from the package's title, description, readme, and keywords. No subjective ranking criteria are applied, except for a minimal boost to deprioritize spammy or entirely new packages, aiming to maintain a neutral stance towards all other packages.

搜索包

¥Searching for a package

1. 在搜索栏中，输入搜索词并按 Enter。在你键入时，将出现可能的选择。

   ¥In the search bar, type a search term and press Enter. As you type, possible choices will appear.

   

2. 结果显示找到的软件包的大致数量，并附带一个用于排序选项的下拉菜单。用户可以选择排序方法（例如关键字匹配（默认）、下载计数、最依赖和上次发布日期）来优化搜索。

   ¥The results display an approximate count of packages found, accompanied by a dropdown menu for sorting options. Users can refine their search by choosing from sorting methods such as keyword matching (Default), download counts, most dependents, and last published date.

   

3. 在包搜索结果列表中，单击包的名称。

   ¥In the package search results list, click the name of the package.

包出处

¥Package provenance

当包已发布并注明出处时，你可以：

¥When packages have been published with provenance, you can:

• 验证包的发布位置和方式。

  ¥Verify where and how a package was published.

• 验证授权用户是否发布了包。

  ¥Validate that an authorized user published a package.

你可以使用此信息来审核包并确定是否要使用它们。有关 npm 出处的更多信息，请参阅“关于 npm 出处”。

¥You can use this information to audit packages and determine whether or not you want to consume them. For more information about npm provenance, see "About npm provenance."

查看 npm 注册表中包的出处信息：

¥To view provenance information for a package in the npm registry:

1. 在 npm 注册表中，导航到一个包。

   ¥In the npm registry, navigate to a package.

2. 在包页面上自述文件右侧的版本字段中，查找绿色复选标记。如果有绿色复选标记，则表示该包已发布并附有出处。

   ¥On the package's page, in the Version field to the right of the README, look for a green check mark. If there is a green check mark, this means the package was published with provenance.

   

3. 单击复选标记，然后单击查看更多详细信息。

   ¥Click on the check mark, then click View more details.

4. 查看包的以下信息：

   ¥View the following information for the package:

   • 构建环境：用于构建包的环境。

     ¥Build Environment: The environment used to build the package.

   • 构建总结：指向构建包的工作流运行的链接。

     ¥Build Summary: A link to the workflow run that built the package.

   • 源代码提交：指向构建包的提交的链接。

     ¥Source Commit: A link to the commit the package was built from.

   • 构建文件：用于构建包的工作流文件的链接。

     ¥Build File: A link to the workflow file used to build the package.

   • 公共账本：指向证明授权用户发布包的透明日志条目的链接。

     ¥Public Ledger: A link to a transparency log entry attesting an authorized user published the package.

   

注意：每当你在 npmjs.com 上访问软件包的出处信息时，npm 都会检查链接的源提交和存储库。如果找不到链接的源提交或存储库，页面顶部和出处信息旁边将显示一条错误消息。这是为了通知你，无法再确定此包的来源，当存储库被删除或设为私有时可能会发生这种情况。

¥Note: Whenever you access a package's provenance information on npmjs.com, the linked source commit and repository are checked by npm. If the linked source commit or repository cannot be found, an error message will appear at the top of the page and alongside the provenance information. This is to inform you that the provenance for this package can no longer be established, which may occur when a repository is deleted or made private.

验证出处证明

¥Verifying provenance attestations

当你从注册表下载包时，你可以使用以下 CLI 命令验证包的来源：

¥When you download a package from the registry, you can verify the provenance of a package with the following CLI command:

此命令检查注册表签名和出处证明。如果一个包缺少或无效的签名或证明，它会返回一个错误。这可能表明包已被篡改。

¥This command checks the registry signatures and provenance attestations. If a package has missing or invalid signatures or attestations, it returns an error. This could indicate that a package has been tampered with.