你可以使用 npm 搜索栏来查找要在项目中使用的包。npm search 使用 npms 和 npms 分析器;有关两者的更多信息,请参阅 https://npms.io/about。

You can use the npm search bar to find packages to use in your projects. npm search uses npms and the npms analyzer; for more information on both, see https://npms.io/about.

搜索包

Searching for a package

  1. 在搜索栏中,输入搜索词并按 Enter。在你键入时,将出现可能的选择。

    In the search bar, type a search term and press Enter. As you type, possible choices will appear.

    Screenshot of a search text box Screenshot of the search text box and search results
  2. 要列出根据 包搜索排名标准 排名的包,请在左侧边栏中的 "对包进行分类" 下单击标准。例如,要按受欢迎程度对包进行排序,请单击 "人气"。

    To list packages ranked according to package search rank criteria, in the left sidebar, under "Sort packages", click the criterion. For example, to sort packages by popularity, click "Popularity".

  3. 在包搜索结果列表中,单击包的名称。

    In the package search results list, click the name of the package.

包搜索排名标准

Package search rank criteria

通常,有数十个甚至数百个具有相似名称和/或相似用途的包。为了帮助你确定要探索的最佳包,我们使用 npms 分析器根据四个标准对每个包进行了排名:

Often, there are dozens or even hundreds of packages with similar names and/or similar purposes. To help you decide the best ones to explore, each package has been ranked according to four criteria using the npms analyzer:

人气

Popularity

流行度表示包已下载了多少次。这是其他人发现有用的包的有力指标。

Popularity indicates how many times the package has been downloaded. This is a strong indicator of packages that others have found to be useful.

质量

Quality

质量包括诸如 README 文件的存在、稳定性、测试、最新的依赖、自定义网站和代码复杂性等考虑因素。

Quality includes considerations such as the presence of a README file, stability, tests, up-to-date dependencies, custom website, and code complexity.

维护

Maintenance

维护根据开发者对包的关注程度对包进行排名。例如,更频繁维护的包更有可能与当前或即将发布的 npm CLI 版本一起工作。

Maintenance ranks packages according to the attention they are given by developers. More frequently maintained packages are more likely to work well with the current or upcoming versions of the npm CLI, for example.

最佳

Optimal

最佳以一种有意义的方式将其他三个标准(受欢迎程度、质量、维护)组合成一个分数。

Optimal combines the other three criteria (popularity, quality, maintenance) into one score in a meaningful way.

包出处

Package provenance

当包已发布并注明出处时,你可以:

When packages have been published with provenance, you can:

  • 验证包的发布位置和方式。

    Verify where and how a package was published.

  • 验证授权用户是否发布了包。

    Validate that an authorized user published a package.

你可以使用此信息来审核包并确定是否要使用它们。有关 npm 出处的更多信息,请参阅“关于 npm 出处”。

You can use this information to audit packages and determine whether or not you want to consume them. For more information about npm provenance, see "About npm provenance."

查看 npm 注册表中包的出处信息:

To view provenance information for a package in the npm registry:

  1. 在 npm 注册表中,导航到一个包。

    In the npm registry, navigate to a package.

  2. 在包页面上自述文件右侧的版本字段中,查找绿色复选标记。如果有绿色复选标记,则表示该包已发布并附有出处。

    On the package's page, in the Version field to the right of the README, look for a green check mark. If there is a green check mark, this means the package was published with provenance.

    Screenshot showing a Version field with a green check mark
  3. 单击复选标记,然后单击查看更多详细信息。

    Click on the check mark, then click View more details.

  4. 查看包的以下信息:

    View the following information for the package:

    • 构建环境:用于构建包的环境。

      Build Environment: The environment used to build the package.

    • 构建总结:指向构建包的工作流运行的链接。

      Build Summary: A link to the workflow run that built the package.

    • 源代码提交:指向构建包的提交的链接。

      Source Commit: A link to the commit the package was built from.

    • 构建文件:用于构建包的工作流文件的链接。

      Build File: A link to the workflow file used to build the package.

    • 公共账本:指向证明授权用户发布包的透明日志条目的链接。

      Public Ledger: A link to a transparency log entry attesting an authorized user published the package.

    Screenshot showing npm provenance information for a published package

注意:每当你在 npmjs.com 上访问包的出处信息时,npm 都会检查链接的源代码提交和存储库。如果找不到链接的源提交或存储库,页面顶部和出处信息旁边将显示一条错误消息。这是为了通知你,无法再确定此包的来源,当存储库被删除或设为私有时可能会发生这种情况。

Note: Whenever you access a package's provenance information on npmjs.com, the linked source commit and repository are checked by npm. If the linked source commit or repository cannot be found, an error message will appear at the top of the page and alongside the provenance information. This is to inform you that the provenance for this package can no longer be established, which may occur when a repository is deleted or made private.

Screenshot showing a warning when the provenance source commit or repository cannot be found.

验证出处证明

Verifying provenance attestations

当你从注册表下载包时,你可以使用以下 CLI 命令验证包的来源:

When you download a package from the registry, you can verify the provenance of a package with the following CLI command:

npm audit signatures

此命令检查注册表签名和出处证明。如果一个包缺少或无效的签名或证明,它会返回一个错误。这可能表明包已被篡改。

This command checks the registry signatures and provenance attestations. If a package has missing or invalid signatures or attestations, it returns an error. This could indicate that a package has been tampered with.

注意:为了运行审计命令来验证包来源,你必须:

Note: In order to run the audit command to verify package provenance, you must:

  • 安装 npm CLI 版本 v9.5.0 或更高版本:npm install -g npm@latest

    Install npm CLI version v9.5.0 or later: npm install -g npm@latest

  • 使用 npm installnpm ci 安装依赖

    Install dependencies with npm install or npm ci

npm 中文网 - 粤ICP备13048890号