npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

matrix256-js

v1.0.3

Published

JavaScript reference implementation of matrix256v1 — a SHA-256 fingerprint over the (path, size) records of a rooted filesystem tree.

Downloads

33

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

shitwolfymakesshitwolfymakes

Keywords

Readme

matrix256-js

License: Apache 2.0 npm version npm downloads conformance lint

JavaScript reference implementation of matrix256v1 — a SHA-256 fingerprint over the (path, size) records of a rooted filesystem tree.

Dependencies

Zero runtime dependencies — pure JavaScript on the Node.js standard library:

  • node:crypto — SHA-256 (createHash('sha256'))
  • node:fs — directory walk, file metadata
  • node:buffer — byte handling for non-UTF-8 filenames
  • TextEncoder / TextDecoder — UTF-8 with U+FFFD substitution per spec §2.2
  • String.prototype.normalize('NFC') — Unicode normalization per spec §2.2

Dev dependencies are scoped to linting (eslint + eslint-plugin-jsdoc) and enforce the library discipline below. They live in package.json under devDependencies; consumers running npm install matrix256-js never see them. The JavaScript ecosystem is treated as a supply-chain risk; no third-party runtime packages may be added without explicit justification. Type information is provided via JSDoc comments rather than TypeScript so that no build step (and therefore no typescript toolchain dependency) is required.

Node.js 18 or newer.

Library discipline

The library promise is: a consumer's process must never break because of code in this package. The rules below are enforced by eslint (CI runs npm run lint on every push); a few rows are intent rules that still require code review.

| Category | What's guarded | Enforced by | |---|---|---| | Code-injection safety | No eval(...), no new Function(...). Code is written at author time, never constructed at run time from data. | no-eval, no-implied-eval, no-new-func | | Throw discipline | No process.exit(...) from library code; no node:assert in library paths. Failures throw typed Error instances with messages, never bare strings, so callers can instanceof-check and re-throw. | no-throw-literal and no-restricted-syntax selectors for process.exit and node:assert imports | | Equality | === / !== only — no == / !=. No reliance on implicit ToNumber / ToString coercion of caller-supplied values. | eqeqeq | | Bounds checking | Out-of-bounds array/buffer access in JS returns undefined rather than throwing, which usually defers a confusing failure to a later call site. Length checks before indexing. | code review | | Output discipline | No console.log / console.error / console.warn from library code. A fingerprint call has no business producing output. | no-console | | Side effects at import | No top-level work beyond imports and constants. The single host-platform read (process.platform for the host separator byte in src/v1.js) is the only environment touch at module load. | code review | | Documentation | Every public function carries a JSDoc block with @param and @returns. Public API stays self-describing without a TypeScript build step. | jsdoc/require-jsdoc (publicOnly), jsdoc/require-param, jsdoc/require-returns |

Tests under tests/ are exempt via a matching files block in eslint.config.js — they use console.* and node:assert freely, as Node's test idiom expects.

npm install     # install eslint + plugin into node_modules
npm run lint    # run the discipline checks

Usage

import * as v1 from 'matrix256-js/v1';

const digest = v1.fingerprint('/media/user/DISC');

The package exposes nothing at the top level. Future algorithm versions will be added as sibling submodules (./v2.js, …) so callers always address an explicit version.

Conformance

This implementation's Tier-1 conformance test is the synthetic fixture suite at tests/generate_fixtures.js. The script constructs each fixture in a temporary directory, runs v1.fingerprint against it, and verifies the produced digest against the canonical value published in the spec repo's conformance_fixtures.json (human-readable companion: CONFORMANCE_FIXTURES.md). The suite has no external data dependency and runs on every commit in CI.

node tests/generate_fixtures.js                      # run all fixtures
node tests/generate_fixtures.js --fixture 14         # one fixture
node tests/generate_fixtures.js --range 1-10         # a range
node tests/generate_fixtures.js --generate           # emit JSON for the spec repo

By default the runner expects the spec repo to be cloned alongside this one as ../matrix256/. Override with --fixtures PATH. Platform-incompatible fixtures (e.g. case-sensitive sort on a case-insensitive filesystem, surrogate-escape paths off Linux) are reported as skips rather than failures.

The script mirrors the construction logic of the Python sibling matrix256-py/tests/generate_fixtures.py; both languages must agree on every fixture's on-disk state and produced digest.

See also (in the spec repo)

  • SPEC.md — normative algorithm
  • RATIONALE.md — design rationale
  • IMPLEMENTERS.md — practical guidance (encoding, mount handling, bridge discs)
  • CORPUS.md — known-good digests across real discs
  • CONFORMANCE_FIXTURES.md / conformance_fixtures.json — Tier-1 synthetic fixture suite

License

Licensed under the Apache License, Version 2.0. See LICENSE for the full text. Apache 2.0 grants an explicit patent license alongside the copyright license and includes a patent-retaliation clause that terminates those patent rights if you sue any contributor over the Work.