TUF JavaScript Client

5.0.1 · active · verified Sun Apr 19

tuf-js is a robust JavaScript and TypeScript implementation of The Update Framework (TUF), providing secure software update mechanisms against various supply chain attacks, including rollback, mix-and-match, and freeze attacks. The package is currently at version 5.0.1 and is actively maintained, demonstrating a consistent release cadence with patches and minor updates, and major versions released to align with Node.js LTS cycles and critical dependency upgrades. It adheres directly to the TUF specification, offering a client-side library for cryptographic signature verification, secure metadata fetching, and managing trust anchors. Key differentiators include its strong focus on security, TypeScript support, and its role as a reference implementation for TUF within the JavaScript ecosystem, ensuring resilient and verifiable software distribution. It is designed for use in environments requiring robust integrity checks for updates, operating on Node.js versions 20.17.0 or higher, or 22.9.0 or higher.

Common errors

```
ERR_REQUIRE_ESM
```
cause Attempting to import tuf-js (an ESM-first package) using CommonJS `require()` syntax.

fix Migrate your project to use ES Modules (ESM) syntax (`import ... from 'tuf-js'`) and ensure your Node.js environment or bundler correctly handles ESM.
```
Error: The client is configured for Node.js version X.Y.Z, which is not supported.
```
cause Running tuf-js v4.x or later on an unsupported Node.js version (e.g., Node.js 18 or older).

fix Upgrade your Node.js runtime environment to version 20.17.0, 22.9.0, or newer. Check the `engines` field in `package.json` for exact requirements.
```
Error: Signature verification failed for role 'root'
```
cause The initial `root.json` provided to the `TufClient` is invalid, corrupted, or does not match the repository's actual root metadata, leading to a failure in establishing the initial trust anchor.

fix Verify the `initialRoot` metadata provided to the `TufClient` constructor. Ensure it is the correct, cryptographically valid root metadata for your TUF repository.
```
Error: Target 'your-target-name' not found in repository metadata.
```
cause The specified target file name (`targetName`) does not exist in the latest verified `targets.json` metadata from the TUF repository, or the path is incorrect.

fix Confirm the exact `targetName` by inspecting your TUF repository's `targets.json` or related delegated role metadata. Ensure the target has been published and its metadata is signed and updated in the repository.

Warnings

breaking tuf-js v4.0.0 dropped support for Node.js 18. Applications must upgrade to Node.js 20.17.0, 22.9.0, or newer to continue using tuf-js v4 and above.
Fix: Upgrade your Node.js runtime environment to a supported version (e.g., `nvm install 20` or `nvm install 22`).
breaking Starting with v4.0.0, the internal `make-fetch-happen` dependency was bumped from 14.x to 15.x. While generally backward compatible, this might introduce subtle behavioral changes or new requirements for network operations.
Fix: Review your application's network configuration and error handling, especially if relying on specific `make-fetch-happen` behaviors. Test thoroughly after upgrading.
gotcha tuf-js is an ESM-first package. Attempting to import it using CommonJS `require()` syntax will result in errors.
Fix: Ensure your project is configured for ESM. Use `import ... from 'tuf-js'` syntax and verify your `package.json` includes `"type": "module"` or uses `.mjs` file extensions for client-side code.

Install

npm install tuf-js npm
yarn add tuf-js yarn
pnpm add tuf-js pnpm

Imports

TufClient
wrong:
```
const { TufClient } = require('tuf-js')
```
correct:
```
import { TufClient } from 'tuf-js'
```
The primary class for interacting with a TUF repository. tuf-js has been ESM-first since v4; CommonJS `require()` is not supported.
RemoteFetcher
wrong:
```
import { Fetcher } from 'tuf-js' // Incorrect class name
```
correct:
```
import { RemoteFetcher } from 'tuf-js'
```
A concrete implementation of the Fetcher interface, suitable for HTTP(S) network requests. Requires global `fetch` to be available (present in Node.js 18+).
Root
wrong:
```
import { Root } from 'tuf-js' // Root model is in @tufjs/models
```
correct:
```
import { Root } from '@tufjs/models'
```
The Root metadata model, essential for bootstrapping the TUF client with its initial trust anchor. This type is provided by the `@tufjs/models` package, which is a peer dependency.
InMemoryStorage
wrong:
```
import { InMemoryStorage } from 'tuf-js' // Not exported directly by tuf-js
```
correct:
```
import { InMemoryStorage } from '@tufjs/client'
```
A simple in-memory implementation of ClientStorage and TargetStorage, typically used for testing or simplified quickstarts. Available from the `@tufjs/client` package, which provides common client utilities.

Quickstart

This quickstart demonstrates how to initialize a `TufClient`, perform a metadata update, and then download a specific target file from a remote TUF repository using in-memory storage for simplicity.

import { TufClient, RemoteFetcher } from 'tuf-js';
import { Root } from '@tufjs/models';
import { InMemoryStorage } from '@tufjs/client'; // Provides simple in-memory storage

async function initializeAndDownloadTarget() {
  const repoURL = 'https://example.com/tuf-repo/'; // Replace with your TUF repository base URL

  // In a real application, you would bundle a trusted initial root.json.
  // This is a minimal placeholder for demonstration purposes.
  const initialRootJSON = JSON.stringify({
    "_type": "root",
    "spec_version": "1.0.0",
    "version": 1,
    "expires": "2030-01-01T00:00:00Z",
    "keys": {},
    "roles": {
      "root": {"keyids": [], "threshold": 1},
      "targets": {"keyids": [], "threshold": 1},
      "snapshot": {"keyids": [], "threshold": 1},
      "timestamp": {"keyids": [], "threshold": 1}
    }
  });

  // Parse the initial root metadata
  const initialRoot = Root.fromJSON(JSON.parse(initialRootJSON));

  // Use in-memory storage for this example. In production, use persistent storage.
  const client = new TufClient({
    repoURL: repoURL,
    root: initialRoot,
    clientStorage: new InMemoryStorage(),
    targetStorage: new InMemoryStorage(),
    fetcher: new RemoteFetcher()
  });

  try {
    console.log('Attempting to update TUF metadata...');
    await client.update(); // Fetches and verifies the latest metadata
    console.log('TUF metadata updated successfully.');

    const targetName = 'path/to/my-app-binary-v1.0.0.zip'; // Replace with an actual target path
    console.log(`Getting target info for: ${targetName}`);
    const targetInfo = await client.getTargetInfo(targetName);

    if (targetInfo) {
      console.log(`Target '${targetName}' found. Downloading...`);
      const targetContent = await client.downloadTarget(targetInfo);
      console.log(`Downloaded ${targetContent.length} bytes for '${targetName}'.`);
      // Here, targetContent (Uint8Array) can be saved to disk or processed.
    } else {
      console.log(`Target '${targetName}' not found in the repository.`);
    }
  } catch (error) {
    console.error('TUF client operation failed:', error);
  }
}

// To run this, ensure you have a global `fetch` (Node.js 18+ or polyfill)
// and install `@tufjs/client` and `@tufjs/models` alongside `tuf-js`.
initializeAndDownloadTarget();

view raw JSON →