npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@coralogix/protofetch

v0.1.15

Published

A source dependency management tool for Protobuf.

Downloads

181

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

coralogixnpmcoralogixnpm

Keywords

protoclitomlprotobufdependenciesdependency-managergrpc

Readme

Protofetch

CI Apache 2 License License Crates.io npm version GitHub Stars

A source dependency management tool for Protobuf files.

Motivation

If you use protobuf extensively as a data format for services to communicate with or to share your APIs with the outside world, you need a way to get correct versions of protobuf files for each service and ability to depend on a specific version. This is needed on both server and client side. Without automation, it can quickly become cumbersome, error-prone and overall unmanageable.

To make it bearable, usable and stable, one needs tooling that automates this work and makes it predictable. This is what Protofetch aims to do.

Why Protofetch?

Protofetch aims to tackle the complexity of handling protobuf dependencies in a declarative fashion. It makes it trivial to declare dependencies and to manage them.

It gives you the ability to have:

  • dependency on specific version/hash;
  • predictable builds/test/CI that depend on protobufs;
  • easy to read declarative specification of protobuf dependencies;
  • automate fetching of the dependencies themselves with their transitive dependencies.
  • caching of dependencies so that they can be shared across multiple projects.

Roadmap

This project is still under development and is subject to change in the future. We aim to achieve at least the following goals before releasing the first stable version.

  • [x] Fetch dependencies based on git tag or branch
  • [x] Cache dependencies locally by revision
  • [x] Fetch transitive dependencies
  • [x] Declarative rules per dependency
    • [x] Allow policies
    • [x] Deny policies
    • [x] Dependency pruning (remove proto files that are not needed)
  • [ ] Prevent circular dependencies

Getting Started

npm:

npm install @coralogix/protofetch

Cargo:

Protofetch is also released to crates.io, so if you have a Rust toolchain installed, you can build Protofetch from source with:

cargo install protofetch

Pre-built binaries:

You can download pre-built binaries from the GitHub Releases page.

Usage

# Fetch proto sources, updating the lock file if needed.
protofetch fetch
   
# Verify the lock file, and fetch proto sources. Useful for CI.
protofetch fetch --locked

Protofetch module

Each service using protofetch will require a module descriptor which uses toml format. This descriptor is by default called protofetch.toml and is located in the root of the service's repository. This can be changed, but it is heavily discouraged.

| Field | Type | Required | Description | |--------------|:-------------|:----------|:-----------------------------| | name | String | Mandatory | A name of the defined module | | description | String | Optional | A description of the module | | dependencies | [Dependency] | Optional | Dependencies to fetch |

Dependency format

| Field | Type | Required | Description | Example | |----------------|:---------|:----------|:------------------------------------------------------------------------------|:--------------------------------------------------| | url | String | Mandatory | An address of the repository to checkout protobuf files from | "github.com/coralogix/cx-api-users/" | | revision | String | Optional | A revision to checkout, this can either be a tagged version or a commit hash | v0.2 | | branch | Boolean | Optional | A branch to checkout, fetches last commit | feature/v2 | | protocol | String | Optional | A protocol to use: [ssh, https] | ssh | | allow_policies | [String] | Optional | Allow policy rules | "/prefix/", "/subpath/", "/path/to/file.proto" | | deny_policies | [String] | Optional | Deny policy rules | "/prefix/", "/subpath/", "/path/to/file.proto" | | prune | bool | Optional | Whether to prune unneeded transitive proto files | true /false | | transitive | bool | Optional | Flags this dependency as transitive | true /false | | content_roots | [String] | Optional | Which subdirectories to import from | ["/myservice", "/com/org/client"] |

Protofetch dependency toml example

name = "repository name"
description = "this is a repository"

[dep1]
url = "github.com/org/dep1"
protocol = "https"
revision = "1.3.0"
prune = true
allow_policies = ["/prefix/*", "*/subpath/*", "/path/to/file.proto"]

[dep2]
url = "github.com/org/dep2"
branch = "feature/v2"

[another-name]
url = "github.com/org/dep3"
revision = "a16f097eab6e64f2b711fd4b977e610791376223"
transitive = true

[scoped-down-dep4]
url = "github.com/org/dep4"
revision = "v1.1"
content_roots = ["/scope/path"]
allow_policies = ["prefix/subpath/scoped_path/*"]

Git protocol

Protofetch supports accessing Git repositories using ssh or https. By default, Protofetch uses ssh. You can configure the default Git protocol with the PROTOFETCH_GIT_PROTOCOL environment variable.

It is also possible to set protocol in the protofetch.toml, but this should be only necessary if the Git server does not support both protocols. Otherwise, it is better to leave this field unset, to let users choose whichever protocol they prefer.

SSH support

You need to have an SSH agent running, with your SSH key loaded:

ssh-add ~/.ssh/your-private-key

HTTPS support

If you want to use https you need to configure git to use a credentials helper.

To support https when 2FA is enabled you must generate a personal access token and set it as the password. The following permissions are sufficient when creating the token.

GitHub personal access token

Scope down multi API repo

In the case of a repo that supports multiple APIs, but only a specific directory is needed, a combination of content_roots and allow_policies can be used.

For example: the dep4 repo contains the following:

dep4
 ├── scope
 │   ├── path1
 │   └── path2
 └── scope2
     └── unrelated

We only need protobuf files from dep4/scope/path1, where path1 is the package name.

[scoped-down-dep4]
url = "github.com/org/dep4"
revision = "v1.1"
content_roots = ["/scope"]
allow_policies = ["path1/*"]

Transitive dependency support and pruning

Protofetch supports pulling transitive dependencies for your convenience. However, there is some manual work involved if the dependencies do not define their own protofetch module.

In a situation where A depends on B, you should flag that dependency as transitive.

This is helpful especially when you take advantage of the pruning feature which allows you to only recursively fetch the proto files you actually need. With pruning enabled, protofetch will recursively find what protofiles your root protos depend on and fetch them for as long as they are imported (flag as transitive dependency or fetched from other modules).

Moreover, you can also use the allow_policies to scope down the root proto files you want from a dependency. As an example, the following module depends only on A's file /proto/path/example.proto but since pruning is enabled and B is flagged as transitive, if the allowed file has any file dependencies it will pull them and its dependencies, recursively.

IMPORTANT: If you are using the prune feature, you must also use the transitive feature. However, do not use transitive unless you strictly want to pull the transitive dependencies. This is a workaround for dependencies that do not define their protofetch file on their repo.

name = "repository name"
description = "this is a repository"
proto_out_dir = "proto/src/dir/output"

[A]
protocol = "https"
url = "github.com/org/A"
revision = "1.3.0"
allow_policies = ["/proto/path/example.proto"]
prune = true

[B]
protocol = "ssh"
url = "github.com/org/B"
revision = "5.2.0"
transitive = true