npm · Oct 7, 2022 · Oct 7, 2022 · Oct 7, 2022 · Oct 7, 2022 · Nov 2, 2022
diff --git a/.commitlintrc.js b/.commitlintrc.js
diff --git a/.eslintignore b/.eslintignore
@@ -0,0 +1,2 @@
+coverage/
+dist/
diff --git a/.eslintrc b/.eslintrc
@@ -0,0 +1,7 @@
+{
+  "extends": [
+    "@readme/eslint-config",
+    "@readme/eslint-config/typescript"
+  ],
+  "root": true
+}
diff --git a/.eslintrc.js b/.eslintrc.js
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,17 +1,32 @@
-# This file is automatically added by @npmcli/template-oss. Do not edit.
-
 version: 2
-
 updates:
-  - package-ecosystem: npm
-    directory: /
+  - package-ecosystem: github-actions
+    directory: "/"
     schedule:
-      interval: daily
-    allow:
-      - dependency-type: direct
-    versioning-strategy: increase-if-necessary
+      interval: monthly
+    reviewers:
+      - erunion
+    labels:
+      - dependencies
     commit-message:
-      prefix: deps
-      prefix-development: chore
+      prefix: chore(deps)
+      prefix-development: chore(deps-dev)
+
+  - package-ecosystem: npm
+    directory: "/"
+    schedule:
+      interval: monthly
+    open-pull-requests-limit: 10
+    reviewers:
+      - erunion
     labels:
-      - "Dependencies"
+      - dependencies
+    groups:
+      minor-development-deps:
+        dependency-type: 'development'
+        update-types:
+          - minor
+          - patch
+    commit-message:
+      prefix: chore(deps)
+      prefix-development: chore(deps-dev)
diff --git a/.github/matchers/tap.json b/.github/matchers/tap.json
diff --git a/.github/settings.yml b/.github/settings.yml
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,157 +1,68 @@
-# This file is automatically added by @npmcli/template-oss. Do not edit.
-
 name: CI
 
-on:
-  workflow_dispatch:
-  pull_request:
-  push:
-    branches:
-      - main
-      - latest
-  schedule:
-    # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1
-    - cron: "0 9 * * 1"
+on: [push]
 
 jobs:
-  engines:
-    name: Engines - ${{ matrix.platform.name }} - ${{ matrix.node-version }}
-    if: github.repository_owner == 'npm'
-    strategy:
-      fail-fast: false
-      matrix:
-        platform:
-          - name: Linux
-            os: ubuntu-latest
-            shell: bash
-        node-version:
-          - 14.17.0
-          - 16.13.0
-          - 18.0.0
-    runs-on: ${{ matrix.platform.os }}
-    defaults:
-      run:
-        shell: ${{ matrix.platform.shell }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Git User
-        run: |
-          git config --global user.email "npm-cli+bot@github.com"
-          git config --global user.name "npm CLI robot"
-      - name: Setup Node
-        uses: actions/setup-node@v3
-        with:
-          node-version: ${{ matrix.node-version }}
-      - name: Update Windows npm
-        # node 12 and 14 ship with npm@6, which is known to fail when updating itself in windows
-        if: matrix.platform.os == 'windows-latest' && (startsWith(matrix.node-version, '12.') || startsWith(matrix.node-version, '14.'))
-        run: |
-          curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz
-          tar xf npm-7.5.4.tgz
-          cd package
-          node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz
-          cd ..
-          rmdir /s /q package
-      - name: Install npm@7
-        if: startsWith(matrix.node-version, '10.')
-        run: npm i --prefer-online --no-fund --no-audit -g npm@7
-      - name: Install npm@latest
-        if: ${{ !startsWith(matrix.node-version, '10.') }}
-        run: npm i --prefer-online --no-fund --no-audit -g npm@latest
-      - name: npm Version
-        run: npm -v
-      - name: Install Dependencies
-        run: npm i --ignore-scripts --no-audit --no-fund --engines-strict
-
-  lint:
-    name: Lint
-    if: github.repository_owner == 'npm'
+  linting:
     runs-on: ubuntu-latest
-    defaults:
-      run:
-        shell: bash
+
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Git User
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+
+      - name: Get npm cache directory
+        id: npm-cache-dir
         run: |
-          git config --global user.email "npm-cli+bot@github.com"
-          git config --global user.name "npm CLI robot"
-      - name: Setup Node
-        uses: actions/setup-node@v3
+          echo "::set-output name=dir::$(npm config get cache)"
+
+      - uses: actions/cache@v4
+        id: npm-cache
         with:
-          node-version: 18.x
-      - name: Install npm@latest
-        run: npm i --prefer-online --no-fund --no-audit -g npm@latest
-      - name: npm Version
-        run: npm -v
-      - name: Install Dependencies
-        run: npm i --ignore-scripts --no-audit --no-fund
-      - name: Lint
-        run: npm run lint --ignore-scripts
-      - name: Post Lint
-        run: npm run postlint --ignore-scripts
+          path: ${{ steps.npm-cache-dir.outputs.dir }}
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - run: npm ci
+      - run: npm run lint
 
-  test:
-    name: Test - ${{ matrix.platform.name }} - ${{ matrix.node-version }}
-    if: github.repository_owner == 'npm'
+  node_tests:
+    name: Node ${{ matrix.node }} on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
     strategy:
-      fail-fast: false
+      fail-fast: true
       matrix:
-        platform:
-          - name: Linux
-            os: ubuntu-latest
-            shell: bash
-          - name: macOS
-            os: macos-latest
-            shell: bash
-          - name: Windows
-            os: windows-latest
-            shell: cmd
-        node-version:
-          - 14.17.0
-          - 14.x
-          - 16.13.0
-          - 16.x
-          - 18.0.0
-          - 18.x
-    runs-on: ${{ matrix.platform.os }}
-    defaults:
-      run:
-        shell: ${{ matrix.platform.shell }}
+        os:
+          - ubuntu-latest
+          - windows-latest
+        node:
+          - lts/-1
+          - lts/*
+          - latest
+
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Git User
-        run: |
-          git config --global user.email "npm-cli+bot@github.com"
-          git config --global user.name "npm CLI robot"
-      - name: Setup Node
-        uses: actions/setup-node@v3
+      - name: Checkout source
+        uses: actions/checkout@v4
+
+      - name: Install Node ${{ matrix.node }}
+        uses: actions/setup-node@v4
         with:
-          node-version: ${{ matrix.node-version }}
-      - name: Update Windows npm
-        # node 12 and 14 ship with npm@6, which is known to fail when updating itself in windows
-        if: matrix.platform.os == 'windows-latest' && (startsWith(matrix.node-version, '12.') || startsWith(matrix.node-version, '14.'))
+          node-version: ${{ matrix.node }}
+
+      - name: Get npm cache directory
+        id: npm-cache-dir
         run: |
-          curl -sO https://registry.npmjs.org/npm/-/npm-7.5.4.tgz
-          tar xf npm-7.5.4.tgz
-          cd package
-          node lib/npm.js install --no-fund --no-audit -g ..\npm-7.5.4.tgz
-          cd ..
-          rmdir /s /q package
-      - name: Install npm@7
-        if: startsWith(matrix.node-version, '10.')
-        run: npm i --prefer-online --no-fund --no-audit -g npm@7
-      - name: Install npm@latest
-        if: ${{ !startsWith(matrix.node-version, '10.') }}
-        run: npm i --prefer-online --no-fund --no-audit -g npm@latest
-      - name: npm Version
-        run: npm -v
-      - name: Install Dependencies
-        run: npm i --ignore-scripts --no-audit --no-fund
-      - name: Add Problem Matcher
-        run: echo "::add-matcher::.github/matchers/tap.json"
-      - name: Test
-        run: npm test --ignore-scripts -iwr
+          echo "::set-output name=dir::$(npm config get cache)"
+
+      - uses: actions/cache@v4
+        id: npm-cache
+        with:
+          path: ${{ steps.npm-cache-dir.outputs.dir }}
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - run: npm ci
+      - run: npm run build
+      - run: npx vitest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -1,19 +1,12 @@
-# This file is automatically added by @npmcli/template-oss. Do not edit.
-
-name: CodeQL
+name: "CodeQL"
 
 on:
   push:
-    branches:
-      - main
-      - latest
+    branches: [ main ]
   pull_request:
-    branches:
-      - main
-      - latest
+    branches: [ main ]
   schedule:
-    # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1
-    - cron: "0 10 * * 1"
+    - cron: '0 0 1 * *'
 
 jobs:
   analyze:
@@ -23,16 +16,20 @@ jobs:
       actions: read
       contents: read
       security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-      - name: Setup Git User
-        run: |
-          git config --global user.email "npm-cli+bot@github.com"
-          git config --global user.name "npm CLI robot"
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
-        with:
-          languages: javascript
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.gitignore b/.gitignore
@@ -1,28 +1,3 @@
-# This file is automatically added by @npmcli/template-oss. Do not edit.
-
-# ignore everything in the root
-/*
-
-# keep these
-!**/.gitignore
-!/.commitlintrc.js
-!/.eslintrc.js
-!/.eslintrc.local.*
-!/.github/
-!/.gitignore
-!/.npmrc
-!/.release-please-manifest.json
-!/bin/
-!/CHANGELOG*
-!/CODE_OF_CONDUCT.md
-!/docs/
-!/lib/
-!/LICENSE*
-!/map.js
-!/package.json
-!/README*
-!/release-please-config.json
-!/scripts/
-!/SECURITY.md
-!/tap-snapshots/
-!/test/
+coverage/
+dist/
+node_modules/
diff --git a/.npmignore b/.npmignore
@@ -0,0 +1,5 @@
+.github/
+coverage/
+test/
+.eslint*
+.prettier*
diff --git a/.npmrc b/.npmrc
diff --git a/.prettierignore b/.prettierignore
@@ -0,0 +1,2 @@
+coverage/
+dist/
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
diff --git a/LICENSE.md b/LICENSE.md
@@ -1,16 +1,18 @@
-ISC License
+Copyright © 2023 ReadMe
 
-Copyright 2021 (c) npm, Inc.
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the “Software”), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
 
-Permission to use, copy, modify, and/or distribute this software for
-any purpose with or without fee is hereby granted, provided that the
-above copyright notice and this permission notice appear in all copies.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS" AND THE COPYRIGHT HOLDER DISCLAIMS
-ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
-COPYRIGHT HOLDER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
-CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
-OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
-USE OR PERFORMANCE OF THIS SOFTWARE.
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
diff --git a/SECURITY.md b/SECURITY.md
diff --git a/lib/index.js b/lib/index.js
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,64 +1,38 @@
 {
-  "name": "ssri",
-  "version": "9.0.1",
-  "description": "Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.",
-  "main": "lib/index.js",
-  "files": [
-    "bin/",
-    "lib/"
-  ],
-  "scripts": {
-    "prerelease": "npm t",
-    "postrelease": "npm publish",
-    "posttest": "npm run lint",
-    "test": "tap",
-    "coverage": "tap",
-    "lint": "eslint \"**/*.js\"",
-    "postlint": "template-oss-check",
-    "template-oss-apply": "template-oss-apply --force",
-    "lintfix": "npm run lint -- --fix",
-    "snap": "tap"
-  },
-  "tap": {
-    "check-coverage": true,
-    "nyc-arg": [
-      "--exclude",
-      "tap-snapshots/**"
-    ]
+  "name": "@readme/ssri",
+  "version": "3.0.0",
+  "description": "Standard Subresource Integrity library -- parses, generates, and verifies integrity metadata according to the SRI spec.",
+  "license": "MIT",
+  "author": "ReadMe <support@readme.io> (https://readme.com)",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "engines": {
+    "node": ">=18"
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/npm/ssri.git"
+    "url": "https://github.com/readmeio/ssri.git"
   },
-  "keywords": [
-    "w3c",
-    "web",
-    "security",
-    "integrity",
-    "checksum",
-    "hashing",
-    "subresource integrity",
-    "sri",
-    "sri hash",
-    "sri string",
-    "sri generator",
-    "html"
-  ],
-  "author": "GitHub Inc.",
-  "license": "ISC",
-  "dependencies": {
-    "minipass": "^3.1.1"
+  "bugs": {
+    "url": "https://github.com/readmeio/ssri/issues"
   },
-  "devDependencies": {
-    "@npmcli/eslint-config": "^3.0.1",
-    "@npmcli/template-oss": "4.4.4",
-    "tap": "^16.0.1"
+  "scripts": {
+    "build": "tsc",
+    "lint": "eslint . --ext .js,.ts",
+    "prebuild": "rm -rf dist/",
+    "prepack": "npm run build",
+    "pretest": "npm run lint",
+    "prettier": "prettier --list-different --write \"./**/**.{js,ts}\"",
+    "test": "vitest --coverage"
   },
-  "engines": {
-    "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+  "devDependencies": {
+    "@readme/eslint-config": "^14.4.2",
+    "@types/node": "^22.0.2",
+    "@vitest/coverage-v8": "^3.0.4",
+    "eslint": "^8.57.0",
+    "prettier": "^3.0.3",
+    "typescript": "^5.2.2",
+    "vitest": "^3.0.4"
   },
-  "templateOSS": {
-    "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.4.4"
-  }
+  "prettier": "@readme/eslint-config/prettier"
 }
diff --git a/release-please-config.json b/release-please-config.json
diff --git a/src/index.ts b/src/index.ts
@@ -0,0 +1,133 @@
+import crypto from 'crypto';
+
+const SPEC_ALGORITHMS = ['sha256', 'sha384', 'sha512'];
+
+// TODO: this should really be a hardcoded list of algorithms we support,
+// rather than [a-z0-9].
+const BASE64_REGEX = /^[a-z0-9+/]+(?:=?=?)$/i;
+const STRICT_SRI_REGEX = /^([a-z0-9]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)?$/;
+const VCHAR_REGEX = /^[\x21-\x7E]+$/;
+
+const getOptString = (options: string[]) => (!options || !options.length ? '' : `?${options.join('?')}`);
+
+export interface Options {
+  algorithm?: string;
+  options?: string[];
+}
+
+class Hash {
+  source: string;
+
+  digest: string;
+
+  algorithm: string;
+
+  options: string[];
+
+  constructor(hash: string) {
+    this.source = hash.trim();
+
+    // set default values so that we make V8 happy to
+    // always see a familiar object template.
+    this.digest = '';
+    this.algorithm = '';
+    this.options = [];
+
+    // 3.1. Integrity metadata (called "Hash" by ssri)
+    // https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata-description
+    const match = this.source.match(STRICT_SRI_REGEX);
+    if (!match) {
+      return;
+    } else if (!SPEC_ALGORITHMS.some(a => a === match[1])) {
+      return;
+    }
+
+    this.algorithm = match[1];
+    this.digest = match[2];
+
+    const rawOpts = match[3];
+    if (rawOpts) {
+      this.options = rawOpts.slice(1).split('?');
+    }
+  }
+
+  toJSON() {
+    return this.toString();
+  }
+
+  toString() {
+    if (
+      !(
+        // The spec has very restricted productions for algorithms.
+        // https://www.w3.org/TR/CSP2/#source-list-syntax
+        (
+          SPEC_ALGORITHMS.some(x => x === this.algorithm) &&
+          // Usually, if someone insists on using a "different" base64, we
+          // leave it as-is, since there's multiple standards, and the
+          // specified is not a URL-safe variant.
+          // https://www.w3.org/TR/CSP2/#base64_value
+          this.digest.match(BASE64_REGEX) &&
+          // Option syntax is strictly visual chars.
+          // https://w3c.github.io/webappsec-subresource-integrity/#grammardef-option-expression
+          // https://tools.ietf.org/html/rfc5234#appendix-B.1
+          this.options.every(opt => opt.match(VCHAR_REGEX))
+        )
+      )
+    ) {
+      return '';
+    }
+
+    const options = this.options && this.options.length ? `?${this.options.join('?')}` : '';
+    return `${this.algorithm}-${this.digest}${options}`;
+  }
+}
+
+export function parse(sri: string) {
+  if (!sri) {
+    return null;
+  }
+
+  return new Hash(sri);
+}
+
+export function create(data: Buffer | string, opts: Options = {}) {
+  // eslint-disable-next-line no-param-reassign
+  opts = {
+    algorithm: 'sha512',
+    options: [],
+    ...opts,
+  };
+
+  const algorithm = opts.algorithm;
+  const optString = getOptString(opts.options);
+
+  const digest = crypto.createHash(algorithm).update(data).digest('base64');
+  return new Hash(`${algorithm}-${digest}${optString}`);
+}
+
+export function verify(data: Buffer | string, sri: Hash | string) {
+  try {
+    if (typeof sri === 'object' && sri instanceof Hash) {
+      // eslint-disable-next-line no-param-reassign
+      sri = sri.toString();
+    }
+
+    // eslint-disable-next-line no-param-reassign
+    sri = parse(sri);
+    if (!sri) {
+      return false;
+    }
+
+    const algorithm = sri.algorithm;
+    const digest = crypto.createHash(algorithm).update(data).digest('base64');
+    const newSri = parse(`${algorithm}-${digest}`);
+
+    return sri.toString() === newSri.toString();
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  } catch (err) {
+    // `crypto.createHash()` will throw errors if `algorithm` is invalid which will happen if we're
+    // supplied with an invalid or corrupt hash. Since we just want this method to only verify if
+    // two given hashes match, we don't want to throw if that happens.
+    return false;
+  }
+}
diff --git a/test/.eslintrc b/test/.eslintrc
@@ -0,0 +1,3 @@
+{
+  "extends": "@readme/eslint-config/testing/vitest"
+}
diff --git a/test/check.js b/test/check.js
diff --git a/test/create.js b/test/create.js
diff --git a/test/from.js b/test/from.js
diff --git a/test/index.test.ts b/test/index.test.ts
@@ -0,0 +1,154 @@
+import crypto from 'crypto';
+import fs from 'fs';
+
+import { describe, beforeEach, it, expect } from 'vitest';
+
+import * as ssri from '../src';
+
+const TEST_DATA = fs.readFileSync(__filename);
+
+function hash(data, algorithm) {
+  return crypto.createHash(algorithm).update(data).digest('base64');
+}
+
+describe('ssri', function () {
+  describe('#create', function () {
+    it('should generate a sha512 hash object from Buffer data', function () {
+      expect(ssri.create(TEST_DATA).toString()).toBe(`sha512-${hash(TEST_DATA, 'sha512')}`);
+    });
+
+    it('should generate a sha512 hash object from String data', function () {
+      expect(ssri.create(TEST_DATA.toString('utf8')).toString()).toBe(`sha512-${hash(TEST_DATA, 'sha512')}`);
+    });
+
+    it('should generate a sha256 hash object with `opts.algorithm`', function () {
+      expect(ssri.create(TEST_DATA, { algorithm: 'sha256' }).toString()).toBe(`sha256-${hash(TEST_DATA, 'sha256')}`);
+    });
+
+    it('should be able to add options to a hash with `opts.options', function () {
+      expect(
+        ssri
+          .create(TEST_DATA, {
+            algorithm: 'sha256',
+            options: ['foo', 'bar'],
+          })
+          .toString(),
+      ).toBe(`sha256-${hash(TEST_DATA, 'sha256')}?foo?bar`);
+    });
+
+    it('should support transforming a Hash object into a JSON string with `JSON.stringify`', function () {
+      expect(JSON.stringify(ssri.create(TEST_DATA))).toBe(`"sha512-${hash(TEST_DATA, 'sha512')}"`);
+    });
+  });
+
+  describe('#parse', function () {
+    it('should parse an integrity string', function () {
+      const sha = hash(TEST_DATA, 'sha512');
+      const integrity = `sha512-${sha}`;
+      expect(Object.fromEntries(Object.entries(ssri.parse(integrity)))).toStrictEqual({
+        source: integrity,
+        digest: sha,
+        algorithm: 'sha512',
+        options: [],
+      });
+    });
+
+    it('should parse options from integrity string', function () {
+      const sha = hash(TEST_DATA, 'sha512');
+      const integrity = `sha512-${sha}?one?two?three`;
+      expect(Object.fromEntries(Object.entries(ssri.parse(integrity)))).toStrictEqual({
+        source: integrity,
+        digest: sha,
+        algorithm: 'sha512',
+        options: ['one', 'two', 'three'],
+      });
+    });
+
+    it('should omit unsupported algos', function () {
+      const xxx = new Array(50).join('x');
+
+      expect(Object.fromEntries(Object.entries(ssri.parse(`foo-${xxx}`)))).toStrictEqual({
+        source: `foo-${xxx}`,
+        algorithm: '',
+        digest: '',
+        options: [],
+      });
+
+      expect(Object.fromEntries(Object.entries(ssri.parse(`sha512-${xxx}`)))).toStrictEqual({
+        source: `sha512-${xxx}`,
+        algorithm: 'sha512',
+        digest: xxx,
+        options: [],
+      });
+    });
+
+    it('should discard invalid format entries', function () {
+      const missingDash = 'thisisbad';
+      const missingAlgorithm = '-deadbeef';
+      const missingDigest = 'sha512-';
+
+      expect(ssri.parse(missingDash).toString()).toBe('');
+      expect(ssri.parse(missingAlgorithm).toString()).toBe('');
+      expect(ssri.parse(missingDigest).toString()).toBe('');
+    });
+
+    it('should trim whitespace from either end', function () {
+      const integrity = `      sha512-${hash(TEST_DATA, 'sha512')}    `;
+      expect(Object.fromEntries(Object.entries(ssri.parse(integrity)))).toStrictEqual({
+        source: integrity.trim(),
+        algorithm: 'sha512',
+        digest: hash(TEST_DATA, 'sha512'),
+        options: [],
+      });
+    });
+
+    it('should discard hashes that dont abide by the spec', function () {
+      const valid = `sha512-${hash(TEST_DATA, 'sha512')}`;
+      const badAlgorithm = `sha1-${hash(TEST_DATA, 'sha1')}`;
+      const badBase64 = 'sha512-@#$@%#$';
+      const badOpts = `${valid}?\x01\x02`;
+
+      expect(ssri.parse(badAlgorithm).toString()).toBe('');
+      expect(ssri.parse(badBase64).toString()).toBe('');
+      expect(ssri.parse(badOpts).toString()).toBe('');
+    });
+
+    it('should not allow weird stuff in sri', function () {
+      const badInt = 'mdc2\u0000/../../../hello_what_am_I_doing_here-Juwtg9UFssfrRfwsXu+n/Q==';
+
+      expect(ssri.parse(badInt).toString()).toBe('');
+    });
+  });
+
+  describe('#verify', function () {
+    let sri;
+
+    beforeEach(function () {
+      sri = ssri.parse(`sha512-${hash(TEST_DATA, 'sha512')}`);
+    });
+
+    it('should verify Buffer data', function () {
+      expect(ssri.verify(TEST_DATA, sri)).toBe(true);
+    });
+
+    it('should verify String data', function () {
+      expect(ssri.verify(TEST_DATA.toString('utf8'), sri)).toBe(true);
+    });
+
+    it('should return false when verification fails', function () {
+      expect(ssri.verify('nope', sri)).toBe(false);
+    });
+
+    it('should return false on an invalid sri hash', function () {
+      expect(ssri.verify('nope', 'sha512-nope')).toBe(false);
+    });
+
+    it('should return false on garbage sri input', function () {
+      expect(ssri.verify('nope', 'garbage')).toBe(false);
+    });
+
+    it('should return false on empty sri input', function () {
+      expect(ssri.verify('nope', '')).toBe(false);
+    });
+  });
+});
diff --git a/test/integrity-stream.js b/test/integrity-stream.js
diff --git a/test/integrity.js b/test/integrity.js
diff --git a/test/mutable-opts-resilience.js b/test/mutable-opts-resilience.js
diff --git a/test/parse.js b/test/parse.js
diff --git a/test/stringify.js b/test/stringify.js
diff --git a/test/tsconfig.json b/test/tsconfig.json
@@ -0,0 +1,7 @@
+{
+  "extends": "../tsconfig.json",
+  "compilerOptions": {
+    "noImplicitAny": false,
+  },
+  "include": ["../src/**/*", "*.ts", "**/*"],
+}
diff --git a/test/update.js b/test/update.js
diff --git a/tsconfig.json b/tsconfig.json
@@ -0,0 +1,12 @@
+{
+  "compilerOptions": {
+    "allowJs": true,
+    "baseUrl": "./src",
+    "declaration": true,
+    "esModuleInterop": true,
+    "lib": ["es2020"],
+    "noImplicitAny": true,
+    "outDir": "dist/"
+  },
+  "include": ["./src/**/*"]
+}