npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

dl-git-repo-safe

v1.0.3

Published

Download and extract a git repository (GitHub, GitLab, Bitbucket) from node. Security-patched fork with git-clone-safe.

Downloads

423

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

doni.setiawan48doni.setiawan48

Keywords

downloadgithubgitlabbitbucketreporepositorytarextracttarballsecuritycve-2022-25900safe

Readme

dl-git-repo-safe

⚠️ Security Notice: This is a security-patched fork of download-git-repo. It replaces the vulnerable git-clone dependency with git-clone-safe to fix CVE-2022-25900 (command injection via git clone).

Download and extract a git repository (GitHub, GitLab, Bitbucket) from node.

What Changed?

| | download-git-repo (original) | dl-git-repo-safe (this fork) | |---|---|---| | git-clone | ^0.1.0 (vulnerable) | replaced with git-clone-safe@^1.2.0 | | CVE-2022-25900 | Affected | Fixed | | API | — | 100% compatible (drop-in replacement) |

CVE-2022-25900

The original download-git-repo depends on git-clone@^0.1.0, which is vulnerable to command injection. An attacker can craft a malicious repository URL that executes arbitrary commands on the system. This fork replaces git-clone with git-clone-safe, which properly sanitizes git clone arguments.

Migration

Replace download-git-repo with dl-git-repo-safe:

npm uninstall download-git-repo
npm install dl-git-repo-safe

Or use npm/yarn overrides to replace it transitively:

{
  "overrides": {
    "download-git-repo": "npm:dl-git-repo-safe@^1.0.0"
  }
}

No code changes required — the API is identical.

Installation

$ npm install dl-git-repo-safe

API

download(repository, destination, options, callback)

Download a git repository to a destination folder with options, and callback.

repository

The shorthand repository string to download the repository from:

  • GitHub - github:owner/name or simply owner/name
  • GitLab - gitlab:owner/name
  • Bitbucket - bitbucket:owner/name

The repository parameter defaults to the master branch, but you can specify a branch or tag as a URL fragment like owner/name#my-branch. In addition to specifying the type of where to download, you can also specify a custom origin like gitlab:custom.com:owner/name. Custom origin will default to https or git@ for http and clone downloads respectively, unless protocol is specified. Feel free to submit an issue or pull request for additional origin options.

In addition to having the shorthand for supported git hosts, you can also hit a repository directly with:

  • Direct - direct:url

This will bypass the shorthand normalizer and pass url directly. If using direct without clone, you must pass the full url to the zip file, including paths to branches if needed. If using direct with clone, you must pass the full url to the git repo and you can specify a branch like direct:url#my-branch.

destination

The file path to download the repository to.

options

An optional options object parameter with download options. Options include:

  • clone - boolean default false - If true use git clone instead of an http download. While this can be a bit slower, it does allow private repositories to be used if the appropriate SSH keys are setup.
  • All other options (proxy, headers, filter, etc.) will be passed down accordingly and may override defaults
    • Additional download options: https://github.com/kevva/download#options
    • Additional clone options: https://github.com/jaz303/git-clone#clonerepo-targetpath-options-cb

callback

The callback function as function (err).

Examples

Shorthand

Using http download from Github repository at master.

var download = require('dl-git-repo-safe')
download('flippidippi/download-git-repo-fixture', 'test/tmp', function (err) {
  console.log(err ? 'Error' : 'Success')
})

Using git clone from Bitbucket repository at my-branch.

download('bitbucket:flippidippi/download-git-repo-fixture#my-branch', 'test/tmp', { clone: true }, function (err) {
  console.log(err ? 'Error' : 'Success')
})

Using http download from GitLab repository with custom origin and token.

download('gitlab:mygitlab.com:flippidippi/download-git-repo-fixture#my-branch', 'test/tmp', { headers: { 'PRIVATE-TOKEN': '1234' } }, function (err) {
  console.log(err ? 'Error' : 'Success')
})

Using git clone from GitLab repository with custom origin and protocol. Note that the repository type (github, gitlab etc.) is not required if cloning from a custom origin.

download('https://mygitlab.com:flippidippi/download-git-repo-fixture#my-branch', 'test/tmp', { clone: true }, function (err) {
  console.log(err ? 'Error' : 'Success')
})

Direct

Using http download from direct url.

download('direct:https://gitlab.com/flippidippi/download-git-repo-fixture/repository/archive.zip', 'test/tmp', function (err) {
  console.log(err ? 'Error' : 'Success')
})

Using git clone from direct url at master.

download('direct:https://gitlab.com/flippidippi/download-git-repo-fixture.git', 'test/tmp', { clone: true }, function (err) {
  console.log(err ? 'Error' : 'Success')
})

Using git clone from direct url at my-branch.

download('direct:https://gitlab.com/flippidippi/download-git-repo-fixture.git#my-branch', 'test/tmp', { clone: true }, function (err) {
  console.log(err ? 'Error' : 'Success')
})

Verification

To confirm git-clone-safe is installed instead of git-clone:

npm ls git-clone git-clone-safe
npm audit

License

MIT