careful-downloader

v3.0.0

🕵️‍♀️ Downloads a file and its checksums, validates the hash, and optionally extracts it if safe.

Readme

🕵️‍♀️ careful-downloader

Downloads a file and its checksums to a temporary directory, validates the hash, and optionally extracts it if safe.

Install

npm install careful-downloader
# or...
yarn add careful-downloader

Usage

import downloader from "careful-downloader";

await downloader(
  "https://github.com/gohugoio/hugo/releases/download/v0.88.1/hugo_extended_0.88.1_Windows-64bit.zip",
  {
    checksumUrl: "https://github.com/gohugoio/hugo/releases/download/v0.88.1/hugo_0.88.1_checksums.txt",
    destDir: "vendor", // relative to process.cwd()
    algorithm: "sha256",
    extract: true,
  },
);
//=> '/Users/jake/src/carefully-downloaded/vendor/hugo.exe'

Instead of a checksumUrl, you can also simply provide a hash as a string via checksumHash:

import downloader from "careful-downloader";

await downloader(
  "https://github.com/gohugoio/hugo/releases/download/v0.88.1/hugo_extended_0.88.1_Windows-64bit.zip",
  {
    checksumHash: "aaa20e258cd668cff66400d365d73ddc375e44487692d49a5285b56330f6e6b2",
    destDir: "vendor",
    algorithm: "sha256",
    extract: false, // the default
  },
);
//=> '/Users/jake/src/carefully-downloaded/vendor/hugo_extended_0.88.1_Windows-64bit.zip'

API

downloader(downloadUrl, options)

downloadUrl

Type: string

Absolute URL to the desired file to download.

options

Type: object

checksumUrl

Type: string

Absolute URL to a checksums file, usually just a .txt containing filenames and hashes like this:

27493d1903a41e2dd47edc76a79918d95dfbb31474380d3704322e47ffd11b74  hugo_0.88.1_Windows-32bit.zip
ad81192d188cb584a73074d3dea9350d4609a13ed5fccaafd229b424247e5890  hugo_0.88.1_Windows-64bit.zip
aaa20e258cd668cff66400d365d73ddc375e44487692d49a5285b56330f6e6b2  hugo_extended_0.88.1_Windows-64bit.zip

Either this option or checksumHash is required.
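
How a checksums file in this format can be parsed and checked against a download, as an added example that is not careful-downloader's own code. The names parseChecksums and verifyDownload and the sample bytes are assumptions made for illustration; the filename is matched exactly so the hugo_extended_… download is never checked against the hugo_… entry.

```javascript
// Added example, not careful-downloader's own code.
// Load node:crypto in a way that works from both CommonJS and ES modules.
const { createHash, timingSafeEqual } =
  typeof require === "function" ? require("node:crypto") : process.getBuiltinModule("node:crypto");

// Parse "<hex digest>  <filename>" lines (sha256sum style; "*" marks binary mode).
function parseChecksums(text) {
  const entries = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = /^([0-9a-fA-F]+)\s+\*?(.+)$/.exec(line.trim());
    if (m) entries.set(m[2], m[1].toLowerCase());
  }
  return entries;
}

// Hash `data` and compare it with the entry listed for exactly `filename`.
function verifyDownload(data, checksumsText, filename, algorithm = "sha256") {
  const expected = parseChecksums(checksumsText).get(filename);
  if (expected === undefined) {
    // Fail closed: no partial or suffix matching against similar names.
    throw new Error(`no checksum listed for ${filename}`);
  }
  const actual = createHash(algorithm).update(data).digest();
  const wanted = Buffer.from(expected, "hex");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return wanted.length === actual.length && timingSafeEqual(wanted, actual);
}

// Constructed sample: two artifacts with near-identical names, as in the Hugo list.
// The digests are computed here from made-up bytes, not taken from a real release.
const hex = (buf) => createHash("sha256").update(buf).digest("hex");
const plainZip = Buffer.from("constructed bytes: plain build");
const extendedZip = Buffer.from("constructed bytes: extended build");
const SAMPLE_CHECKSUMS = [
  `${hex(plainZip)}  hugo_0.88.1_Windows-64bit.zip`,
  `${hex(extendedZip)}  hugo_extended_0.88.1_Windows-64bit.zip`,
].join("\n");

const target = "hugo_extended_0.88.1_Windows-64bit.zip";
console.log(verifyDownload(extendedZip, SAMPLE_CHECKSUMS, target)); // right file
console.log(verifyDownload(plainZip, SAMPLE_CHECKSUMS, target)); // wrong file
```

A checksums file served from the same host as the download detects corruption and mismatched files, but not a compromise of that host; pinning a known value via checksumHash avoids trusting the second fetch. MD5 and SHA-1 are no longer collision resistant, so prefer sha256 or sha512 where the publisher offers them.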

checksumHash

Type: string

A single hash for the given downloaded file, e.g. abcd1234abcd1234abcd1234....

Either this option or checksumUrl is required.

filename

Type: string
Default: Extracted from the download URL.

Manually set the filename of the download, helpful if the one provided by the server doesn't match the filename listed in the checksum file.

extract

Type: boolean
Default: false

Use decompress to extract the final download to the destination directory (assuming it's a .zip, .tar, .tar.gz, etc.).

destDir

Type: string
Default: "./downloads"

Directory path relative to module where the validated download is saved or extracted. Must be located within process.cwd() for security reasons.

cleanDestDir

Type: boolean
Default: false

Delete any existing files in the destination directory before downloading.

algorithm

Type: string
Default: "sha256"

The algorithm used by the checksum file. Available options are dependent on the version of OpenSSL on the platform. Examples are 'SHA1', 'SHA256', 'SHA512', 'MD5', etc.

On recent releases of OpenSSL, openssl list -digest-algorithms will display the available digest algorithms. Read more about crypto.createHash().

encoding

Type: string
Default: "hex"

License

MIT