Package Diff

Package Diff displays a diff between two versions of the same npm package.

Why not simply link to the GitHub repository of a package using two different version hashes? Well, the version of an npm package checked into source control isn't always the same as the version used inside of an npm package. This is commonly done for well-intending reasons, such as checking in raw source code but packaging a minified version. This is sometimes done for nefarious reasons as well, such as when a malicious package is published.

The URL of the package diff will remain permanently accessible. You can generate such a diff by using the following URL structure:

GET /{package_name}/{min_version}/{max_version}           <- HTML
GET /{package_name}/{min_version}/{max_version}.diff      <- DIFF
  

Here are some examples:

• /express/3.0.1/3.0.2 (HTML diff)
• /express/3.0.1/3.0.2.diff (text diff)
• /shout/0.43.0/0.44.0#file-client__views__chat.tpl (npm advisory #322)
• /concat-stream/1.2.1/1.3.0#file-index.js (npm advisory #597, Snyk #20160901)
• /mongoose/3.5.4/3.5.5#file-lib__types__buffer.js (npm advisory #599, Node.js Security WG #394)
• /cryptiles/3.0.2/3.1.0 (npm advisory #720)

For more information check out the press release: Introducing Package Diff.