Idea: Expose npm packages as signed exchange bundles

(Jan Olaf Krems) #1

Hi everyone,

First time posting so I hope this is the right place: I’d like to propose exposing the registry packages as signed exchanges. Signed exchange bundles have some advantages over the current .tar.gz format:

  1. They can hopefully soon be used directly on the web.
  2. They have a proper index, allowing individual files to be loaded from the archive without unpacking it.
  3. Each file comes with metadata like content-type, which can reduce the reliance on file extensions to guess behavior.
  4. Since exchanges are individually signed, deduplication across registries / proxies is safe and doesn’t require trusting intermediaries.


(Eric Dahlseng) #2

Interesting! Do you have any resources on signed exchange bundles? I haven’t heard of these before!

(Markus Rule) #3

Hi everyone. I haven't heard about it before either, but I think you are right and it is interesting.

(Jan Olaf Krems) #4

This might be a decent introduction to the whole thing:

There’s also a talk about the first use of signed exchanges (not yet bundles) in Chrome: