denoland-deno/docs/linking_to_external_code/integrity_checking.md

## Integrity checking & lock files

### Introduction

Let's say your module depends on remote module `https://some.url/a.ts`. When you
compile your module for the first time `a.ts` is retrieved, compiled and cached.
It will remain this way until you run your module on a new machine (say in
production) or reload the cache (through `deno cache --reload` for example). But
what happens if the content in the remote url `https://some.url/a.ts` is
changed? This could lead to your production module running with different
dependency code than your local module. Deno's solution to avoid this is to use
integrity checking and lock files.

### Caching and lock files

Deno can store and check subresource integrity for modules using a small JSON
file. Use the `--lock=lock.json` to enable and specify lock file checking. To
update or create a lock use `--lock=lock.json --lock-write`. The
`--lock=lock.json` tells Deno what the lock file to use is, while the
`--lock-write` is used to output dependency hashes to the lock file
(`--lock-write` must be used in conjunction with `--lock`).

A `lock.json` might look like this, storing a hash of the file against the
dependency:

```json
{
  "https://deno.land/std@$STD_VERSION/textproto/mod.ts": "3118d7a42c03c242c5a49c2ad91c8396110e14acca1324e7aaefd31a999b71a4",
  "https://deno.land/std@$STD_VERSION/io/util.ts": "ae133d310a0fdcf298cea7bc09a599c49acb616d34e148e263bcb02976f80dee",
  "https://deno.land/std@$STD_VERSION/async/delay.ts": "35957d585a6e3dd87706858fb1d6b551cb278271b03f52c5a2cb70e65e00c26a",
   ...
}
```

A typical workflow will look like this:

**src/deps.ts**

```ts
// Add a new dependency to "src/deps.ts", used somewhere else.
export { xyz } from "https://unpkg.com/xyz-lib@v0.9.0/lib.ts";
```

Then:

```shell
# Create/update the lock file "lock.json".
deno cache --lock=lock.json --lock-write src/deps.ts

# Include it when committing to source control.
git add -u lock.json
git commit -m "feat: Add support for xyz using xyz-lib"
git push
```

Collaborator on another machine -- in a freshly cloned project tree:

```shell
# Download the project's dependencies into the machine's cache, integrity
# checking each resource.
deno cache --reload --lock=lock.json src/deps.ts

# Done! You can proceed safely.
deno test --allow-read src
```

### Runtime verification

Like caching above, you can also use the `--lock=lock.json` option during use of
the `deno run` sub command, validating the integrity of any locked modules
during the run. Remember that this only validates against dependencies
previously added to the `lock.json` file. New dependencies will be cached but
not validated.

You can take this a step further as well by using the `--cached-only` flag to
require that remote dependencies are already cached.

```shell
deno run --lock=lock.json --cached-only mod.ts
```

This will fail if there are any dependencies in the dependency tree for mod.ts
which are not yet cached.

<!-- TODO - Add detail on dynamic imports -->
Multi page manual (#5110) 2020-05-06 18:21:13 -04:00			`## Integrity checking & lock files`

doc: improve linking to external code docs (#6158) 2020-06-10 13:43:44 -04:00			`### Introduction`

			Let's say your module depends on remote module `https://some.url/a.ts`. When you
			compile your module for the first time `a.ts` is retrieved, compiled and cached.
			`It will remain this way until you run your module on a new machine (say in`
			production) or reload the cache (through `deno cache --reload` for example). But
			what happens if the content in the remote url `https://some.url/a.ts` is
			`changed? This could lead to your production module running with different`
			`dependency code than your local module. Deno's solution to avoid this is to use`
			`integrity checking and lock files.`

			`### Caching and lock files`

docs: Clarify external code vendoring (#5597) 2020-05-18 15:50:57 -04:00			`Deno can store and check subresource integrity for modules using a small JSON`
			file. Use the `--lock=lock.json` to enable and specify lock file checking. To
doc: improve linking to external code docs (#6158) 2020-06-10 13:43:44 -04:00			update or create a lock use `--lock=lock.json --lock-write`. The
			`--lock=lock.json` tells Deno what the lock file to use is, while the
			`--lock-write` is used to output dependency hashes to the lock file
			(`--lock-write` must be used in conjunction with `--lock`).

			A `lock.json` might look like this, storing a hash of the file against the
			`dependency:`

			```json
			`{`
feat: add $STD_VERSION replacement variable in docs (#6922) 2020-07-31 05:12:20 -04:00			`"https://deno.land/std@$STD_VERSION/textproto/mod.ts": "3118d7a42c03c242c5a49c2ad91c8396110e14acca1324e7aaefd31a999b71a4",`
			`"https://deno.land/std@$STD_VERSION/io/util.ts": "ae133d310a0fdcf298cea7bc09a599c49acb616d34e148e263bcb02976f80dee",`
			`"https://deno.land/std@$STD_VERSION/async/delay.ts": "35957d585a6e3dd87706858fb1d6b551cb278271b03f52c5a2cb70e65e00c26a",`
doc: improve linking to external code docs (#6158) 2020-06-10 13:43:44 -04:00			`...`
			`}`
			```
docs: Clarify external code vendoring (#5597) 2020-05-18 15:50:57 -04:00
			`A typical workflow will look like this:`

doc: improve linking to external code docs (#6158) 2020-06-10 13:43:44 -04:00			`src/deps.ts`

docs: Clarify external code vendoring (#5597) 2020-05-18 15:50:57 -04:00			```ts
			`// Add a new dependency to "src/deps.ts", used somewhere else.`
			`export { xyz } from "https://unpkg.com/xyz-lib@v0.9.0/lib.ts";`
			```

doc: improve linking to external code docs (#6158) 2020-06-10 13:43:44 -04:00			`Then:`

docs: Clarify external code vendoring (#5597) 2020-05-18 15:50:57 -04:00			```shell
			`# Create/update the lock file "lock.json".`
			`deno cache --lock=lock.json --lock-write src/deps.ts`

			`# Include it when committing to source control.`
			`git add -u lock.json`
			`git commit -m "feat: Add support for xyz using xyz-lib"`
			`git push`
			```

			`Collaborator on another machine -- in a freshly cloned project tree:`

			```shell
			`# Download the project's dependencies into the machine's cache, integrity`
			`# checking each resource.`
doc: improve linking to external code docs (#6158) 2020-06-10 13:43:44 -04:00			`deno cache --reload --lock=lock.json src/deps.ts`
docs: Clarify external code vendoring (#5597) 2020-05-18 15:50:57 -04:00
			`# Done! You can proceed safely.`
			`deno test --allow-read src`
			```
doc: improve linking to external code docs (#6158) 2020-06-10 13:43:44 -04:00
			`### Runtime verification`

			Like caching above, you can also use the `--lock=lock.json` option during use of
			the `deno run` sub command, validating the integrity of any locked modules
			`during the run. Remember that this only validates against dependencies`
			previously added to the `lock.json` file. New dependencies will be cached but
			`not validated.`

			You can take this a step further as well by using the `--cached-only` flag to
			`require that remote dependencies are already cached.`

			```shell
			`deno run --lock=lock.json --cached-only mod.ts`
			```

			`This will fail if there are any dependencies in the dependency tree for mod.ts`
			`which are not yet cached.`

			`<!-- TODO - Add detail on dynamic imports -->`