npm - @dk/hipp - Versions diffs - 0.1.8 → 0.1.12 - Mend

@dk/hipp 0.1.8 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -148,20 +148,43 @@ INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
 OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.
 ```json
 {
   "origin": "git@github.com:dmytri/hipp.git",
-  "tag": "v0.1.8"
+  "tag": "v0.1.10"
 }
 ```
-```npx @dk/hipp @dk/hipp@0.1.8```
+```npx @dk/hipp @dk/hipp@0.1.10
+```
+<!-- HIPP-META -->
+```json
+{
+  "origin": "git@github.com:dmytri/hipp.git",
+  "tag": "v0.1.11"
+}
+```
+```npx @dk/hipp @dk/hipp@0.1.11
+```
+<!-- /HIPP-META -->
+```json
+{
+  "origin": "git@github.com:dmytri/hipp.git",
+  "tag": "v0.1.12"
+}
+```
+```npx @dk/hipp @dk/hipp@0.1.12```
 <!-- HIPP-MANIFEST -->
 ```json
 {
-  "hash": "57d56d76a120bbc755700c3aa1f91f756e2cda09076dc0df522beb6a22018dca",
-  "signature": "eclO/AvbMfQMGS7g/vwX1DbB3dbm4XxWvlMFjo06KpE+d3w7KagtIv9klyjTazls74yGy3qcHhoy3i6/zWmZAg=="
+  "hash": "9213a0bc269441f5dc3dc07fe07eba4d127815ae78f0d7e07474547bb342ce1b",
+  "signature": "Bg5/in81S3ia4x4W2C1WzvXeZPxspCdXEcSHCyLT3aUaEF5JrSANcIerZXrgbAvDyrxsf9O2wDJ/0cZNI4KOAA=="
 }
 ```
 <!-- /HIPP-MANIFEST -->

package/hipp.js CHANGED Viewed

@@ -372,6 +372,19 @@ function getTrackedFiles() {
     .filter(Boolean);
 }
+function getTrackedFilesFromDir(repoDir) {
+  const out = execFileSync('git', ['ls-files', '-z'], {
+    encoding: 'buffer',
+    stdio: ['pipe', 'pipe', 'pipe'],
+    cwd: repoDir,
+  });
+  return out
+    .toString('utf8')
+    .split('\0')
+    .filter(Boolean);
+}
 function copyTrackedFiles(stageDir, files) {
   const repoRoot = process.cwd();
@@ -393,6 +406,25 @@ function copyTrackedFiles(stageDir, files) {
   }
 }
+function copyTrackedFilesFromDir(stageDir, repoDir, files) {
+  for (const rel of files) {
+    const src = path.join(repoDir, rel);
+    const dest = path.join(stageDir, rel);
+    const stat = fs.lstatSync(src);
+    fs.mkdirSync(path.dirname(dest), { recursive: true });
+    if (stat.isSymbolicLink()) {
+      const target = fs.readlinkSync(src);
+      fs.symlinkSync(target, dest);
+    } else if (stat.isDirectory()) {
+      fs.mkdirSync(dest, { recursive: true });
+    } else if (stat.isFile()) {
+      fs.copyFileSync(src, dest);
+    }
+  }
+}
 async function runVerify(packageSpec) {
   let pkgName, pkgVersion;
   if (packageSpec.startsWith('@')) {
@@ -462,45 +494,55 @@ async function runVerify(packageSpec) {
       fail(`❌ JSON meta (origin/tag) not found in README`);
     }
-    const manifestBase64 = extractManifestFromReadme(stagedReadme);
-    if (!manifestBase64) {
+    const manifestStr = extractManifestFromReadme(stagedReadme);
+    if (!manifestStr) {
       fail(`❌ Manifest not found in README`);
     }
-    const manifest = parseManifest(manifestBase64);
+    const manifest = parseManifest(manifestStr);
     if (!manifest || !manifest.hash || !manifest.signature) {
       fail(`❌ Invalid manifest format`);
     }
+    const originUrl = jsonMeta.origin;
+    const tag = jsonMeta.tag;
     const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), `hipp-verify-git-`));
+    const stageDir = fs.mkdtempSync(path.join(os.tmpdir(), `hipp-verify-stage-`));
     try {
-      log.info(`🌿 Fetching from git origin...`);
+      log.info(`🌿 Fetching from git origin at tag ${tag}...`);
+      git(['clone', '--branch', tag, '--depth', '1', originUrl, tmpDir], { stdio: 'pipe' });
-      const originUrl = jsonMeta.origin;
-      const tag = jsonMeta.tag;
+      const publicKeyPath = path.join(tmpDir, 'hipp.pub');
+      if (!fs.existsSync(publicKeyPath)) {
+        fail(`❌ hipp.pub not found in git at tag ${tag}`);
+      }
-      git(['clone', '--branch', tag, '--depth', '1', originUrl, tmpDir], { stdio: 'pipe' });
+      const publicKey = fs.readFileSync(publicKeyPath, 'utf8');
+      log.info(`🏗️  Staging git files...`);
+      const trackedFiles = getTrackedFilesFromDir(tmpDir);
+      copyTrackedFilesFromDir(stageDir, tmpDir, trackedFiles);
-      const clonedReadmePath = path.join(tmpDir, 'README.md');
-      if (!fs.existsSync(clonedReadmePath)) {
+      const stagedReadmePath = path.join(stageDir, 'README.md');
+      if (!fs.existsSync(stagedReadmePath)) {
         fail(`❌ README.md not found in git at tag ${tag}`);
       }
-      const clonedReadme = fs.readFileSync(clonedReadmePath, 'utf8');
-      const clonedHash = computeReadmeHash(clonedReadme);
+      let stagedReadme = fs.readFileSync(stagedReadmePath, 'utf8');
+      const verifyBlock = '```npx @dk/hipp ' + pkgName + '@' + tag + '```';
+      const jsonMetaStr = '```json\n{\n  "origin": "' + originUrl + '",\n  "tag": "' + tag + '"\n}\n```';
+      stagedReadme = stagedReadme.trimEnd() + '\n\n' + jsonMetaStr + '\n\n' + verifyBlock + '\n';
+      const stagedHash = computeReadmeHash(stagedReadme);
-      if (clonedHash !== manifest.hash) {
+      if (stagedHash !== manifest.hash) {
         fail(`❌ Hash mismatch: git content does not match npm manifest`);
       }
       log.success(`🔒 Content hash verified: ${manifest.hash.slice(0, 12)}...`);
-      const publicKeyPath = path.join(tmpDir, 'hipp.pub');
-      if (!fs.existsSync(publicKeyPath)) {
-        fail(`❌ hipp.pub not found in git at tag ${tag}`);
-      }
-      const publicKey = fs.readFileSync(publicKeyPath, 'utf8');
       const signData = buildSignData(manifest.hash, originUrl, tag);
       const signatureValid = verifySignature(signData, manifest.signature, publicKey);
@@ -514,6 +556,7 @@ async function runVerify(packageSpec) {
       log.info(`📍 Tag: ${tag}`);
     } finally {
       fs.rmSync(tmpDir, { recursive: true, force: true });
+      fs.rmSync(stageDir, { recursive: true, force: true });
     }
   } finally {
     fs.rmSync(tarballPath, { recursive: true, force: true });
@@ -565,9 +608,10 @@ async function run() {
     log.success('📝 hipp.pub committed.');
   }
+  const { rawTag, version } = getVersionFromExactTagOnHead();
   ensureCleanRepo(pkg);
-  const { rawTag, version } = getVersionFromExactTagOnHead();
   const refInfo = ensureMutableRefPolicy();
   const provenance = ensureRemoteProvenance(rawTag, refInfo.head);
   const lockInfo = ensureLockIntegrity(pkg);
@@ -608,7 +652,9 @@ async function run() {
       stagedReadme = fs.readFileSync(stagedReadmePath, 'utf8');
     }
-    stagedReadme += '\n```json\n{\n  "origin": "' + provenance.remoteUrl + '",\n  "tag": "' + rawTag + '"\n}\n```\n\n```npx @dk/hipp ' + pkg.name + '@' + version + '```\n\n';
+    const verifyBlock = '```npx @dk/hipp ' + pkg.name + '@' + version + '```';
+    const jsonMetaStr = '```json\n{\n  "origin": "' + provenance.remoteUrl + '",\n  "tag": "' + rawTag + '"\n}\n```';
+    stagedReadme = stagedReadme.trimEnd() + '\n\n' + jsonMetaStr + '\n\n' + verifyBlock + '\n';
     const readmeHash = computeReadmeHash(stagedReadme);
     const dataToSign = buildSignData(readmeHash, provenance.remoteUrl, rawTag);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dk/hipp",
-  "version": "0.1.8",
+  "version": "0.1.12",
   "description": "High Integrity Package Publisher",
   "main": "hipp.js",
   "bin": {