P2P support for sharing packages like torrent files #5289

scarletquasar · 2025-06-12T23:48:17Z

scarletquasar
Jun 12, 2025

Hello my fellow companions! Today we've faced a very brief but concerning moment in the open source world: npm was offline and for a little while we were not able to install packages directly from npm. This affected everywhere: local development, deployments, tests and every kind of dynamic application that ever depended on installing npm packages. We should never be so centralized in a single one provider, but unfortnately - we are. Of course medium to big companies will have their own registries, but even them won't be able to store so many packages as npm itself - over two million.

What I am trying to say, and that was already said in this issue is that we need to have the ability and the freedom to install the packages when we want, without external dependencies, that's what open source means. With that objective I come here today to discuss again the idea of enabling users to use verdaccio with a p2p interface (basically, torrent) to obtain packages through the nearest seeder and distributed (could be even text files, supposing we had 5 million different packages, the final file size for containing hashes would be less than 500mb, we can also have different hash packing files to aggregate older versions of the libraries and use them as needed - this size is ok if we want to keep the package sharing secure)

I've even considered talking to universities to check if they are wanting to host "mirrors" of npm, but no one of them seems to care, so I had to come up with a solution that could work for everyone.

mbtools · 2025-06-15T07:04:20Z

mbtools
Jun 15, 2025
Collaborator

I share your concerns. It is indeed a risk that we all live with and it's not insignificant.

Having a p2p backup sounds good. Technically possible. But I see huge challenges looking at it from a consumer pov:

completeness: if it's missing a version of a package which I need, what then?
speed: some packages will download fast, other will come in pieces from remote ie slow locations.
trust: packages (pieces of them) will download from a lot of different places. Sure, there are hashes and integrity checks but am I willing to trust all these sources? My answer is no.
costs: storage is probably doable but the required bandwidth will be tremendous.
chicken/egg: it only works well if there's a sufficiently large network of sharers. Given above and that it would be used by most "only in emergencies" (ie npm down), how will we get to this point?

All package.json and tarballs are accessible in the filesystem (as a default) and can be shared via p2p. What's really missing in Verdaccio?

0 replies

scarletquasar · 2025-06-15T14:16:29Z

scarletquasar
Jun 15, 2025
Author

I share your concerns. It is indeed a risk that we all live with and it's not insignificant.

Having a p2p backup sounds good. Technically possible. But I see huge challenges looking at it from a consumer pov:

completeness: if it's missing a version of a package which I need, what then?

speed: some packages will download fast, other will come in pieces from remote ie slow locations.

trust: packages (pieces of them) will download from a lot of different places. Sure, there are hashes and integrity checks but am I willing to trust all these sources? My answer is no.

costs: storage is probably doable but the required bandwidth will be tremendous.

chicken/egg: it only works well if there's a sufficiently large network of sharers. Given above and that it would be used by most "only in emergencies" (ie npm down), how will we get to this point?

All package.json and tarballs are accessible in the filesystem (as a default) and can be shared via p2p. What's really missing in Verdaccio?

Hello @mbtools! I thank you so much for your response, mainly being a collaborator, that is good to hear constructive questions. I reach out to verdaccio because it is the nextiest thing that I can think about to allow one to host their own npm servers and reduce the impacts of a global npm outage. Answering your questions, I thought something like:

If a missing version is needed, like in real world torrents, there is not much what we can do to get it from p2p connections but we can also get it directly from the git provider where it is hosted - it also stands for the objective, even git providers can suffer outages and we know most of the things are centralized on GitHub today;
Speed is a real concern, but usually, the speed rates will be great and there is always the possibility to keep using the Git providers and npm as core mirrors, the idea here is to provide high availability, so, using all the possible means to obtain the packages is a must if we want to achieve that ;
About the integrity checks, we can achieve some kind of consensus with provided sets of checksum databases that can even be text files, for millions of differents versions of packages we hardly achieve some gigabytes and we can provide full dumps of checksum files or even specify in a new or existing RFC a model to provide a checksum server - as I said, this has to be trusted, so the hash itself can be provided by the open source package creators, be contained in files from trusted entities and finally provided in these servers - storing the hashes is absurdly less than storing the packages themselves
I didn't understand much about the costs question here, is it related to storing the checksums? As a divided/decentralized possibility, the cost would be next to zero, even algorithms to generate the hashes automatically can be used for each version
Torrent had to start somewhere, didn't it? The same logic applies here, this is an initiative that needs to have the word spreaded, of couse we can't "force" anyone to seed, but seeding is a group effort that would make the development world better - and when I think about better, that would be awesome to see the efforts making results

I'm sorry if I didn't correctly cover any of the topics, giving my vision here, I accept (and encourage) counterarguments to it, but it is my plan to try to achieve something like it, even if done as hobby and takes a little while, plugins are a good way to get kickstarted on that idea.

0 replies

mbtools · 2025-06-18T18:00:19Z

mbtools
Jun 18, 2025
Collaborator

Sounds like a fun project. Let us know if you need enhancements in Verdaccio.

Just an example of the scale we are talking about: the semver tarball is 27.7KB and downloaded 69.5million times per day = 183 GB.

If your machine becomes a seeder (for packages), then you will pay for the data egress (others downloading from you). For a big host, that could become quite expensive.

As you wrote, it all has to start from zero where scaling problems don't exist (yet 😉 ).

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Verdaccio

P2P support for sharing packages like torrent files #5289

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Verdaccio

P2P support for sharing packages like torrent files #5289

Uh oh!

scarletquasar Jun 12, 2025

Replies: 3 comments

Uh oh!

mbtools Jun 15, 2025 Collaborator

Uh oh!

Uh oh!

scarletquasar Jun 15, 2025 Author

Uh oh!

mbtools Jun 18, 2025 Collaborator

scarletquasar
Jun 12, 2025

mbtools
Jun 15, 2025
Collaborator

scarletquasar
Jun 15, 2025
Author

mbtools
Jun 18, 2025
Collaborator