package-verify

v1.0.3

Verify published package contents against an explicit manifest

package-verify is a read-only verification tool that checks whether the contents of a package directory match an explicitly defined manifest. It is intended to be used before publishing (locally or in CI) to ensure that only the expected build outputs are included.

The tool never modifies files and never generates content.

Installation

npm install --save-dev package-verify

Basic Usage

npx verify-pkg

With no arguments, the CLI looks for a manifest file named verify.manifest.json in the current working directory.

CLI Options

verify-pkg [options]

| Option | Description |
| ------ | ----------- |
| --version, -v | Print version and exit |
| --manifest=path | Path to the manifest file (default: verify.manifest.json) |
| --cwd=path | Working directory to verify (default: process cwd) |
| --verbose | Print some logging information during verification |
| --dry-run | Run checks without setting a non-zero exit code |
| --fail-on-warn | Treat warnings as errors |
| --report=path | Write the full verification result as JSON |

Example:

verify-pkg --verbose --fail-on-warn --report=verify-report.json

Exit Codes

| Condition | Exit code |
| --------- | --------- |
| No errors (and no warnings if --fail-on-warn is set) | 0 |
| Errors found | 1 |
| Warnings found with --fail-on-warn | 1 |

This behavior makes the tool CI-friendly by default.

Manifest File

The manifest describes what the package is expected to contain after build.

Default filename:

verify.manifest.json

The file is validated against the official JSON schema:

schema/package-verify.schema.json

Minimal Manifest Example:

{
  "meta": {
    "manifestVersion": 1
  },
  "context": {
    "packageRoot": "."
  },
  "policy": {
    "defaultSeverity": "error",
    "unexpectedFiles": "warn",
    "on": {
      "missingExpected": "error",
      "emptyPattern": "warn"
    }
  },
  "expect": {
    "files": [
      "dist/index.js",
      "dist/index.d.ts",
      "package.json",
      "README.md"
    ]
  }
}

policy

Controls how violations are classified.

"policy": {
  "defaultSeverity": "error",
  "unexpectedFiles": "warn",
  "on": {
    "missingExpected": "error",
    "emptyPattern": "warn",
    "deriveFailure": "warn"
  }
}

| Field | Meaning |
| ----- | ------- |
| defaultSeverity | Fallback severity |
| unexpectedFiles | Severity for files not covered by expect |
| on.missingExpected | Missing file from expect.files |
| on.emptyPattern | Pattern matched nothing |
| on.deriveFailure | Derivation errors |

Valid severities: error, warn and ignore.

expect

Defines what must exist in the package.

files

Explicit file paths (relative to packageRoot) that must exist.

"files": [
  "dist/index.js",
  "dist/index.d.ts"
]

patterns

Glob patterns that must match at least one file.

"patterns": [
  "dist/**/*.js",
  "dist/**/*.d.ts"
]

atLeastOne

Groups of alternative files where at least one per group must exist.

"atLeastOne": [
  [ "README.md", "README.txt" ],
  [ "LICENSE", "LICENSE.md" ]
]
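
The classification rules above (policy severities, expect.files, patterns, atLeastOne) and the exit-code table, modeled as an added JavaScript example; this is not package-verify's own code. The function names, the simplified glob matcher and the use of defaultSeverity for an unmet atLeastOne group are assumptions made for the illustration.

```javascript
// Added example: a model of the documented semantics, not package-verify's code.
// Assumptions: simplified globs; atLeastOne misses use defaultSeverity.
function globToRegExp(glob) {
  const src = glob
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*\*\//g, '\u0000')          // "**/" spans zero or more directories
    .replace(/\*/g, '[^/]*')               // "*" stays inside one path segment
    .replace(/\u0000/g, '(?:.*/)?');
  return new RegExp(`^${src}$`);
}

function verify({ policy, expect }, files) {
  const present = new Set(files);
  const covered = new Set();
  const findings = [];
  const report = (severity = policy.defaultSeverity, rule, subject) => {
    if (severity !== 'ignore') findings.push({ severity, rule, subject });
  };
  for (const f of expect.files || []) {
    if (present.has(f)) covered.add(f);
    else report(policy.on?.missingExpected, 'missingExpected', f);
  }
  for (const p of expect.patterns || []) {
    const hits = files.filter((f) => globToRegExp(p).test(f));
    hits.forEach((f) => covered.add(f));
    if (hits.length === 0) report(policy.on?.emptyPattern, 'emptyPattern', p);
  }
  for (const group of expect.atLeastOne || []) {
    const hits = group.filter((f) => present.has(f));
    hits.forEach((f) => covered.add(f));
    if (hits.length === 0) report(undefined, 'atLeastOne', group.join(' | '));
  }
  for (const f of files) {
    if (!covered.has(f)) report(policy.unexpectedFiles, 'unexpectedFiles', f);
  }
  return findings;
}

// Exit-code table: errors fail; warnings fail only with --fail-on-warn.
const exitCode = (findings, failOnWarn = false) => Number(findings.some(
  (x) => x.severity === 'error' || (failOnWarn && x.severity === 'warn')));

// Constructed manifest and directory listing; ".env" is the stray file.
const manifest = {
  policy: { defaultSeverity: 'error', unexpectedFiles: 'warn', on: { missingExpected: 'error' } },
  expect: { files: ['dist/index.js', 'package.json'], patterns: ['dist/**/*.d.ts'],
    atLeastOne: [['README.md', 'README.txt']] },
};
const findings = verify(manifest, ['dist/index.js', 'dist/index.d.ts', 'package.json', 'README.md', '.env']);
console.log(findings, exitCode(findings), exitCode(findings, true));
```

With unexpectedFiles set to warn, the stray .env produces a warning and the modeled exit code stays 0 unless warnings are treated as errors, which is the case --fail-on-warn covers.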

derive (optional)

Allows deriving expected targets from source files.

Typical use case: verify that build outputs exist for a given source structure.

"derive": {
  "sources": {
    "root": "src",
    "include": "*.ts",
    "exclude": [ "**/*.test.ts" ]
  },
  "rules": [
    {
      "match": [ "**/*.ts" ],
      "mode": "esm"
    }
  ],
  "targets": {
    "esm": [
      "dist/**/*.js",
      "dist/**/*.d.ts"
    ]
  }
}

Source files are identified under derive.sources.root according to the specified include and exclude patterns. Rules are applied to map source files to target groups. Targets, used as templates, define what files must exist for each target group.

If derivation fails, policy.on.deriveFailure is applied.

CI Example (GitHub Actions)

- name: Verify package contents
  run: npx verify-pkg --fail-on-warn

JSON Report

verify-pkg --report=verify-report.json

Writes the full verification result (files, patterns, derive checks, summary) as JSON.

License

MIT © 2026 komed3 (Paul Köhler)