npm - @dk/hipp - Versions diffs - 0.1.37 → 0.1.40 - Mend

@dk/hipp 0.1.37 → 0.1.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -273,21 +273,21 @@ PERFORMANCE OF THIS SOFTWARE.
 Verify this package with [@dk/hipp](https://www.npmjs.com/package/@dk/hipp):
 ```bash
-npx @dk/hipp --verify @dk/hipp@0.1.37
+npx @dk/hipp --verify @dk/hipp@0.1.40
 ```
 ```json
 {
   "origin": "git@github.com:dmytri/hipp.git",
-  "tag": "v0.1.37",
-  "revision": "3efc2c67bcb1e75b9fb3c44a2e572dba1aa1703d",
-  "hash": "f3cae0034df0aaa5382c0d047fff684ab30354eab2a3b7f280438a95a7ef9488",
-  "signature": "c7ck6ex7mu5OqR2JiRnlnU0nnBHoYPqQkSvKDnvhfyBGUKnOUyT/uEyxifj+UW+s3GB4m651zDauhjWsqVMIDw==",
+  "tag": "v0.1.40",
+  "revision": "53c50c6f0263dd2f24b2b195e116d4ec03c77c1f",
+  "hash": "af45dd66df7b54705c7c0c2a5e3bd24222727bc34668e2d89c8079175cdd1df4",
+  "signature": "LxM3pd+3c7lXqtLAesfEM4gx0NSso3zQchm+EBmhK4X23CScWJQeWS/VC5PdVOiDWj8KquFUMzyrOG4Hj5ViCw==",
   "name": "Dmytri Kleiner",
   "email": "dev@dmytri.to",
   "npm": "11.12.1",
   "node": "v25.8.2",
   "git": "git version 2.47.3",
-  "hipp": "0.1.37"
+  "hipp": "0.1.40"
 }
 ```

package/hipp.js CHANGED Viewed

@@ -178,25 +178,24 @@ function findLastJsonBlock(readmeContent) {
   return lastValid;
 }
-function hashFiles(dir) {
-  const entries = [];
-  const walk = (d, prefix = '') => {
-    const items = fs.readdirSync(d);
-    for (const item of items.sort()) {
-      if (item === 'node_modules' || item === '.git' || item === 'hipp.priv') continue;
-      const full = path.join(d, item);
-      const rel = prefix ? prefix + '/' + item : item;
-      const stat = fs.statSync(full);
-      if (stat.isDirectory()) {
-        walk(full, rel);
-      } else {
-        const content = fs.readFileSync(full);
-        entries.push(rel + ':' + sha256(content));
-      }
-    }
-  };
-  walk(dir);
-  return sha256(entries.join('\n'));
+function packAndHash(stageDir) {
+  const result = spawnSync('npm', ['pack'], {
+    cwd: stageDir,
+    encoding: 'utf8',
+    stdio: ['pipe', 'pipe', 'pipe'],
+  });
+  if (result.status !== 0) {
+    throw new Error(`npm pack failed: ${result.stderr}`);
+  }
+  const tarballName = result.stdout.trim().split('\n').pop();
+  const tarballPath = path.join(stageDir, tarballName);
+  const tarballContent = fs.readFileSync(tarballPath);
+  fs.unlinkSync(tarballPath);
+  return { tarballName, tarballHash: sha256(tarballContent) };
 }
 function safeStageName(name) {
@@ -456,6 +455,10 @@ async function runVerify(packageSpec) {
       fail(`❌ Failed to download tarball`);
     }
+    const npmTarballContent = fs.readFileSync(tarballPath);
+    const npmHash = sha256(npmTarballContent);
+    log.success(`📦 NPM tarball hash: ${npmHash.slice(0, 12)}...`);
     if (fs.existsSync(extractDir)) {
       fs.rmSync(extractDir, { recursive: true });
     }
@@ -528,8 +531,8 @@ async function runVerify(packageSpec) {
         const trackedFiles = getTrackedFilesFromDir(tmpDir);
         copyTrackedFilesFromDir(stageDir, tmpDir, trackedFiles);
-        log.info(`📦 Computing logical hash of git files...`);
-        const cleanHash = hashFiles(stageDir);
+        log.info(`📦 Packing clean git files...`);
+        const { tarballHash: cleanHash } = packAndHash(stageDir);
         log.success(`📦 Clean hash: ${cleanHash.slice(0, 12)}...`);
         log.info(`🔍 Check 2: Verifying manifest hash...`);
@@ -568,22 +571,14 @@ async function runVerify(packageSpec) {
         const stagedPkgPath = path.join(stageDir, 'package.json');
         const stagedPkg = JSON.parse(fs.readFileSync(stagedPkgPath, 'utf8'));
+        stagedPkg.version = tagVersion;
         fs.writeFileSync(stagedPkgPath, JSON.stringify(stagedPkg, null, 2) + '\n');
-        const npmExtractPkgPath = path.join(packageDir, 'package.json');
-        const npmExtractPkg = JSON.parse(fs.readFileSync(npmExtractPkgPath, 'utf8'));
-        if (stagedPkg.version === '0.0.0') {
-          npmExtractPkg.version = '0.0.0';
-          fs.writeFileSync(npmExtractPkgPath, JSON.stringify(npmExtractPkg, null, 2) + '\n');
-        }
-        const npmExtractHash = hashFiles(packageDir);
-        const rebuildHash = hashFiles(stageDir);
-        log.success(`📦 NPM-extract hash: ${npmExtractHash.slice(0, 12)}...`);
-        log.success(`📦 Git-rebuild hash: ${rebuildHash.slice(0, 12)}...`);
+        const { tarballHash: rebuildHash } = packAndHash(stageDir);
+        log.success(`📦 Rebuild hash: ${rebuildHash.slice(0, 12)}...`);
-        if (rebuildHash !== npmExtractHash) {
-          log.error(`❌ Rebuild mismatch: git ${rebuildHash.slice(0, 12)} != npm ${npmExtractHash.slice(0, 12)}`);
+        if (rebuildHash !== npmHash) {
+          log.error(`❌ Rebuild mismatch: rebuild ${rebuildHash.slice(0, 12)} != npm ${npmHash.slice(0, 12)}`);
         } else {
           log.success(`🔄 Rebuild verified`);
           results.rebuild = true;
@@ -712,9 +707,9 @@ async function run() {
     const { privateKey } = loadOrGenerateKeys();
-    log.info(`📦 Computing logical hash...`);
-    const logicalHash = hashFiles(stageDir);
-    log.success(`🔒 Content hash: ${logicalHash.slice(0, 12)}...`);
+    log.info(`📦 Packing to compute content hash...`);
+    const { tarballHash } = packAndHash(stageDir);
+    log.success(`🔒 Content hash: ${tarballHash.slice(0, 12)}...`);
     const stagedReadmePath = path.join(stageDir, 'README.md');
     let stagedReadme = '';
@@ -731,14 +726,14 @@ async function run() {
     const hippPkg = JSON.parse(fs.readFileSync(hippPkgPath, 'utf8'));
     const hippVersion = hippPkg.version === '0.0.0' ? version : hippPkg.version;
     const originUrl = provenance.remoteUrl;
-    const dataToSign = buildSignData(logicalHash, originUrl, rawTag, revision, name, email);
+    const dataToSign = buildSignData(tarballHash, originUrl, rawTag, revision, name, email);
     const signature = signContent(dataToSign, privateKey);
     const manifestJson = {
       origin: originUrl,
       tag: rawTag,
       revision: revision,
-      hash: logicalHash,
+      hash: tarballHash,
       signature: signature,
       name: name,
       email: email,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dk/hipp",
-  "version": "0.1.37",
+  "version": "0.1.40",
   "description": "High Integrity Package Publisher",
   "main": "hipp.js",
   "bin": {