@ataraxy-labs/sem 0.3.18 → 0.3.19
- package/package.json +2 -1
- package/scripts/verify-checksum.mjs +53 -0
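--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@ataraxy-labs/sem",
-"version": "0.3.
+"version": "0.3.19",
 "description": "npm wrapper for the sem CLI. Downloads the matching release binary and exposes the sem command in node_modules/.bin.",
 "license": "MIT OR Apache-2.0",
 "type": "module",
@@ -11,6 +11,7 @@
 "bin/sem.js",
 "scripts/package-meta.mjs",
 "scripts/postinstall.mjs",
+"scripts/verify-checksum.mjs",
 "scripts/sync-package-version.mjs",
 "README.md",
 "LICENSE-APACHE",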
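--- a/package/scripts/verify-checksum.mjs
+++ b/package/scripts/verify-checksum.mjs
@@ -0,0 +1,53 @@
+import { createHash } from 'node:crypto';
+import fs from 'node:fs/promises';
+
+/**
+* Downloads checksums.txt from the release, verifies the archive matches.
+* Returns silently on success, throws on mismatch or missing checksum.
+*/
+export async function verifyChecksum(archivePath, archiveName, releaseBaseUrl) {
+const checksumsUrl = `${releaseBaseUrl}/checksums.txt`;
+
+const response = await fetch(checksumsUrl, {
+headers: { 'user-agent': '@ataraxy-labs/sem npm installer' },
+redirect: 'follow',
+});
+
+if (!response.ok) {
+console.warn(
+`Could not fetch checksums (${response.status}), skipping verification.`,
+);
+return;
+}
+
+const checksumsText = await response.text();
+const lines = checksumsText.trim().split('\n');
+
+let expectedHash = null;
+for (const line of lines) {
+const [hash, filename] = line.split(/\s+/);
+if (filename === archiveName) {
+expectedHash = hash;
+break;
+}
+}
+
+if (!expectedHash) {
+console.warn(
+`No checksum found for ${archiveName} in checksums.txt, skipping verification.`,
+);
+return;
+}
+
+const fileBuffer = await fs.readFile(archivePath);
+const actualHash = createHash('sha256').update(fileBuffer).digest('hex');
+
+if (actualHash !== expectedHash) {
+throw new Error(
+`Checksum mismatch for ${archiveName}.\n` +
+` Expected: ${expectedHash}\n` +
+` Actual: ${actualHash}\n` +
+`The downloaded file may be corrupted or tampered with.`,
+);
+}
+}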
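Review bot: Both `console.warn(...); return;` branches in `verifyChecksum` (a non-OK response for `checksums.txt`, and no entry matching `archiveName`) let the install continue with an unverified archive, so the check fails open, and the second branch contradicts the docstring's "throws on mismatch or missing checksum". Whatever can alter the archive in transit or at the release host can presumably also make `checksums.txt` return an error or drop the entry, which reduces the verification to a warning. I would make both branches throw, e.g. `throw new Error('No checksum found for ' + archiveName + ' in checksums.txt.');`, and leave any opt-out as an explicit decision in the caller, which is not visible in this diff. Because `checksums.txt` is fetched from the same `releaseBaseUrl`, a comment such as `// Integrity check only: checksums.txt shares the release origin with the archive, so this does not authenticate the publisher.` would keep readers from over-trusting it.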