Gathering detailed insights and metrics for @electron/asar
Simple extensive tar-like archive format with indexing
npm install @electron/asar
Supply Chain: 96.1
Quality: 99.5
Maintenance: 84.9
Vulnerability: 100
License: 100
TypeScript (54.06%)
JavaScript (45.94%)
Total Downloads: 55,015,125
Last Day: 44,635
Last Week: 837,569
Last Month: 3,756,008
Last Year: 32,915,993
MIT License
2,701 Stars
384 Commits
255 Forks
70 Watchers
3 Branches
49 Contributors
Updated on Jul 01, 2025
Latest Version: 4.0.0
Package Id: @electron/asar@4.0.0
Unpacked Size: 88.62 kB
Size: 21.90 kB
File Count: 25
NPM Version: 10.9.0
Node Version: 22.12.0
Published on: May 14, 2025
Cumulative downloads
Last Day: 44,635 (12.8% compared to previous day)
Last Week: 837,569 (-10.8% compared to previous week)
Last Month: 3,756,008 (1.6% compared to previous month)
Last Year: 32,915,993 (71.1% compared to previous year)
Asar is a simple extensive archive format. It works like tar, concatenating all files together without compression, while having random access support.
This module requires Node 22.12.0 or later.
```bash
$ npm install --engine-strict @electron/asar
```

```bash
$ asar --help

  Usage: asar [options] [command]

  Commands:

    pack|p <dir> <output>
       create asar archive

    list|l <archive>
       list files of asar archive

    extract-file|ef <archive> <filename>
       extract one file from archive

    extract|e <archive> <dest>
       extract archive


  Options:

    -h, --help     output usage information
    -V, --version  output the version number

```
Given:

```
    app
(a) ├── x1
(b) ├── x2
(c) ├── y3
(d) │   ├── x1
(e) │   └── z1
(f) │       └── x2
(g) └── z4
(h)     └── w1
```

Exclude: a, b

```bash
$ asar pack app app.asar --unpack-dir "{x1,x2}"
```

Exclude: a, b, d, f

```bash
$ asar pack app app.asar --unpack-dir "**/{x1,x2}"
```

Exclude: a, b, d, f, h

```bash
$ asar pack app app.asar --unpack-dir "{**/x1,**/x2,z4/w1}"
```
```javascript
import { createPackage } from '@electron/asar';

const src = 'some/path/';
const dest = 'name.asar';

await createPackage(src, dest);
console.log('done.');
```
Please note that there is currently no error handling provided!
You can pass in a `transform` option, that is a function, which either returns nothing, or a `stream.Transform`. The latter will be used on files that will be in the `.asar` file to transform them (e.g. compress).
```javascript
import { createPackageWithOptions } from '@electron/asar';

const src = 'some/path/';
const dest = 'name.asar';

function transform (filename) {
  // CustomTransformStream stands in for your own stream.Transform subclass
  return new CustomTransformStream()
}

await createPackageWithOptions(src, dest, { transform: transform });
console.log('done.');
```
Asar uses Pickle to safely serialize binary values to a file.
The format of asar is very flat:
| UInt32: header_size | String: header | Bytes: file1 | ... | Bytes: file42 |
The `header_size` and `header` are serialized with the Pickle class, and `header_size`'s Pickle object is 8 bytes.
The `header` is a JSON string, and the `header_size` is the size of `header`'s Pickle object.
Structure of `header` is something like this:

```json
{
  "files": {
    "tmp": {
      "files": {}
    },
    "usr" : {
      "files": {
        "bin": {
          "files": {
            "ls": {
              "offset": "0",
              "size": 100,
              "executable": true,
              "integrity": {
                "algorithm": "SHA256",
                "hash": "...",
                "blockSize": 1024,
                "blocks": ["...", "..."]
              }
            },
            "cd": {
              "offset": "100",
              "size": 100,
              "executable": true,
              "integrity": {
                "algorithm": "SHA256",
                "hash": "...",
                "blockSize": 1024,
                "blocks": ["...", "..."]
              }
            }
          }
        }
      }
    },
    "etc": {
      "files": {
        "hosts": {
          "offset": "200",
          "size": 32,
          "integrity": {
            "algorithm": "SHA256",
            "hash": "...",
            "blockSize": 1024,
            "blocks": ["...", "..."]
          }
        }
      }
    }
  }
}
```
`offset` and `size` record the information needed to read the file from the archive. The `offset` starts from 0, so you have to manually add the size of `header_size` and `header` to the `offset` to get the real offset of the file.

`offset` is a UINT64 number represented as a string, because there is no way to precisely represent UINT64 in a JavaScript `Number`. `size` is a JavaScript `Number` that is no larger than `Number.MAX_SAFE_INTEGER`, which has a value of `9007199254740991` and is about 8PB in size. We didn't store `size` in UINT64 because file size in Node.js is represented as `Number` and it is not safe to convert `Number` to UINT64.
`integrity` is an object consisting of a few keys:

- `algorithm`: currently only `SHA256` is supported.
- `hash`: value representing the hash of the entire file.
- `blocks`: the blocks of the file, i.e. for a blockSize of 4KB this array contains the hash of every block if you split the file into N 4KB blocks.
- `blockSize`: the size in bytes of each block in the `blocks` hashes above.

No vulnerabilities found.
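The header layout and `integrity` record described above, as an added example (not code from @electron/asar): it reads the header, computes a file's real offset, bounds-checks it, and verifies the whole-file and per-block SHA256 hashes. `buildArchive`, `verifyFile`, the sample file names and the Pickle byte layout are assumptions of this example, and it handles top-level files only.

```javascript
const { createHash } = require('node:crypto');
const sha256 = (buf) => createHash('sha256').update(buf).digest('hex');

// Build a tiny archive from constructed sample data. Assumed Pickle layout (not
// spelled out on the page): little-endian UInt32 payload-size prefix, then the
// value; a string is a UInt32 length plus bytes, padded to a 4-byte boundary.
function buildArchive(files, blockSize = 4) {
  const entries = {}, bodies = [];
  let offset = 0;
  for (const [name, text] of Object.entries(files)) {
    const data = Buffer.from(text), blocks = [];
    for (let i = 0; i < data.length; i += blockSize) blocks.push(sha256(data.subarray(i, i + blockSize)));
    entries[name] = { offset: String(offset), size: data.length,
      integrity: { algorithm: 'SHA256', hash: sha256(data), blockSize, blocks } };
    offset += data.length;
    bodies.push(data);
  }
  const json = Buffer.from(JSON.stringify({ files: entries }));
  const padded = Math.ceil(json.length / 4) * 4;
  const head = Buffer.alloc(16 + padded);
  head.writeUInt32LE(4, 0);            // payload size of the header_size Pickle
  head.writeUInt32LE(8 + padded, 4);   // header_size: size of the header's Pickle
  head.writeUInt32LE(4 + padded, 8);   // payload size of the header Pickle
  head.writeUInt32LE(json.length, 12); // length of the JSON string
  json.copy(head, 16);
  return Buffer.concat([head, ...bodies]);
}

// Locate a top-level file and check it against its integrity record.
// A header that is not valid JSON throws, so the caller fails closed.
function verifyFile(archive, name) {
  if (archive.length < 16) return { ok: false, reason: 'truncated header' };
  const dataStart = 8 + archive.readUInt32LE(4);     // header_size Pickle is 8 bytes
  const jsonEnd = 16 + archive.readUInt32LE(12);
  if (jsonEnd > dataStart || dataStart > archive.length) return { ok: false, reason: 'bad header size' };
  const { files } = JSON.parse(archive.toString('utf8', 16, jsonEnd));
  if (!Object.hasOwn(files, name)) return { ok: false, reason: 'no such file' };
  const { offset, size, integrity = {} } = files[name];
  const { hash, blockSize, blocks } = integrity;
  if (!/^\d+$/.test(offset) || !Number.isSafeInteger(size) || size < 0 || !Array.isArray(blocks) || !(blockSize > 0)) return { ok: false, reason: 'bad entry' };
  const start = BigInt(dataStart) + BigInt(offset);  // offset is a UINT64 string
  if (start + BigInt(size) > BigInt(archive.length)) return { ok: false, reason: 'out of bounds' };
  const data = archive.subarray(Number(start), Number(start) + size);
  if (blocks.length !== Math.ceil(size / blockSize)) return { ok: false, reason: 'block count' };
  const badBlock = blocks.findIndex((h, i) => sha256(data.subarray(i * blockSize, (i + 1) * blockSize)) !== h);
  if (badBlock !== -1 || sha256(data) !== hash) return { ok: false, reason: 'hash mismatch', badBlock };
  return { ok: true };
}

console.log(verifyFile(buildArchive({ 'a.txt': 'hello asar' }), 'a.txt'));
```

On a mismatch, `badBlock` is the index of the first block whose hash differs from the header, or -1 when only the whole-file hash differs.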
no dangerous workflow patterns detected
all changesets reviewed
all dependencies are pinned
no binaries found in the repo
license file detected
2 existing vulnerabilities detected
branch protection is not maximal on development and all release branches
6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
detected GitHub workflow tokens with excessive permissions
no effort to earn an OpenSSF best practices badge detected
project is not fuzzed
security policy file not detected
SAST tool is not run on all commits -- score normalized to 0
Last Scanned on 2025-06-30
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.