@foundry-rs/forge 1.3.5-nightly.20250914.72c1aa6 → 1.3.6-nightly.20250917.5dbd958

package/README.md

@@ -1,4 +1,4 @@
-# forge
+# Forge
 
-A CLI tool for testing, building, and deploying your smart contracts.
-See <https://getfoundry.sh/forge/overview> for details.
+Forge is a command-line tool that ships with Foundry. Forge tests, builds, and deploys your smart contracts.
+Forge is part of the Foundry suite and is installed alongside `cast`, `chisel`, and `anvil`.

package/bin/forge.mjs

@@ -19,43 +19,33 @@ const BINARY_DISTRIBUTION_PACKAGES = {
 };
 const BINARY_NAME = process.platform === "win32" ? "forge.exe" : "forge";
 const PLATFORM_SPECIFIC_PACKAGE_NAME = BINARY_DISTRIBUTION_PACKAGES[process.platform][process.arch];
+const colors = {
+	red: "\x1B[31m",
+	green: "\x1B[32m",
+	yellow: "\x1B[33m",
+	blue: "\x1B[34m",
+	magenta: "\x1B[35m",
+	cyan: "\x1B[36m",
+	white: "\x1B[37m",
+	reset: "\x1B[0m"
+};
 
 //#endregion
 //#region src/forge.ts
 const require = NodeModule.createRequire(import.meta.url);
 const __dirname = NodePath.dirname(fileURLToPath(import.meta.url));
 function getBinaryPath() {
-	const { platform, arch } = process;
-	let packageName;
-	let binaryName = "forge";
-	switch (platform) {
-		case "win32":
-			binaryName += ".exe";
-			if (arch === "x64") packageName = "@foundry-rs/forge-win32-amd64";
-			break;
-		case "darwin":
-			if (arch === "x64") packageName = "@foundry-rs/forge-darwin-amd64";
-			else if (arch === "arm64") packageName = "@foundry-rs/forge-darwin-arm64";
-			break;
-		case "linux":
-			if (arch === "x64") packageName = "@foundry-rs/forge-linux-amd64";
-			else if (arch === "arm64") packageName = "@foundry-rs/forge-linux-arm64";
-			break;
-		default: throw new Error(`Unsupported platform: ${platform}-${arch}`);
-	}
-	if (!packageName) {
-		console.error(`Unsupported platform: ${platform}-${arch}`);
-		process.exit(1);
-	}
 	try {
-		const binaryPath = require.resolve(`${packageName}/bin/${binaryName}`);
+		const binaryPath = require.resolve(`${PLATFORM_SPECIFIC_PACKAGE_NAME}/bin/${BINARY_NAME}`);
 		if (NodeFS.existsSync(binaryPath)) return binaryPath;
-	} catch (error) {
+	} catch {
 		return NodePath.join(__dirname, "..", "dist", BINARY_NAME);
 	}
-	console.error(`Platform-specific package ${packageName} not found.`);
-	console.error("This usually means the installation failed or your platform is not supported.");
-	console.error(`Platform: ${platform}, Architecture: ${arch}`);
+	console.error(colors.red, `Platform-specific package ${PLATFORM_SPECIFIC_PACKAGE_NAME} not found.`);
+	console.error(colors.yellow, "This usually means the installation failed or your platform is not supported.");
+	console.error(colors.reset);
+	console.error(colors.yellow, `Platform: ${process.platform}, Architecture: ${process.arch}`);
+	console.error(colors.reset);
 	process.exit(1);
 }
 NodeChildProcess.spawn(getBinaryPath(), process.argv.slice(2), { stdio: "inherit" });

package/dist/install.mjs

@@ -41,26 +41,49 @@ const colors = {
 const __dirname = NodePath.dirname(fileURLToPath(import.meta.url));
 const fallbackBinaryPath = NodePath.join(__dirname, BINARY_NAME);
 const require = NodeModule.createRequire(import.meta.url);
+const isLocalhostHost = (hostname) => hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+function ensureSecureUrl(urlString, purpose) {
+	try {
+		const url = new URL(urlString);
+		if (url.protocol === "http:") {
+			const allowInsecure = process.env.ALLOW_INSECURE_REGISTRY === "true";
+			if (!isLocalhostHost(url.hostname) && !allowInsecure) throw new Error(`Refusing to use insecure HTTP for ${purpose}: ${urlString}. Set ALLOW_INSECURE_REGISTRY=true to override (not recommended).`);
+		}
+	} catch {}
+}
 function makeRequest(url) {
 	return new Promise((resolve, reject) => {
-		const client = url.startsWith("https:") ? NodeHttps : NodeHttp;
-		client.get(url, (response) => {
+		ensureSecureUrl(url, "HTTP request");
+		(url.startsWith("https:") ? NodeHttps : NodeHttp).get(url, (response) => {
 			if (response?.statusCode && response.statusCode >= 200 && response.statusCode < 300) {
 				const chunks = [];
 				response.on("data", (chunk) => chunks.push(chunk));
-				response.on("end", () => {
-					resolve(Buffer.concat(chunks));
-				});
-			} else if (response?.statusCode && response.statusCode >= 300 && response.statusCode < 400 && response.headers.location) makeRequest(response.headers.location).then(resolve, reject);
-			else reject(/* @__PURE__ */ new Error(`npm responded with status code ${response.statusCode} when downloading the package!`));
-		}).on("error", (error) => {
-			reject(error);
-		});
+				response.on("end", () => resolve(Buffer.concat(chunks)));
+			} else if (response?.statusCode && response.statusCode >= 300 && response.statusCode < 400 && response.headers.location) {
+				const redirected = (() => {
+					try {
+						return new URL(response.headers.location, url).href;
+					} catch {
+						return response.headers.location;
+					}
+				})();
+				makeRequest(redirected).then(resolve, reject);
+			} else reject(/* @__PURE__ */ new Error(`Package registry responded with status code ${response.statusCode} when downloading the package.`));
+		}).on("error", (error) => reject(error));
 	});
 }
-function encodePackageNameForRegistry(name) {
-	return name.startsWith("@") ? encodeURIComponent(name) : name;
-}
+/**
+* Scoped package names should be percent-encoded
+* e.g. @scope/pkg -> %40scope%2Fpkg
+*/
+const encodePackageNameForRegistry = (name) => name.startsWith("@") ? encodeURIComponent(name) : name;
+/**
+* Tar archives are organized in 512 byte blocks.
+* Blocks can either be header blocks or data blocks.
+* Header blocks contain file names of the archive in the first 100 bytes, terminated by a null byte.
+* The size of a file is contained in bytes 124-135 of a header block and in octal format.
+* The following blocks will be data blocks containing the file.
+*/
 function extractFileFromTarball(tarballBuffer, filepath) {
 	let offset = 0;
 	while (offset < tarballBuffer.length) {
@@ -73,8 +96,9 @@ function extractFileFromTarball(tarballBuffer, filepath) {
 	}
 	throw new Error(`File ${filepath} not found in tarball`);
 }
-async function downloadBinaryFromNpm() {
+async function downloadBinaryFromRegistry() {
 	const registryUrl = getRegistryUrl().replace(/\/$/, "");
+	ensureSecureUrl(registryUrl, "registry URL");
 	const encodedName = encodePackageNameForRegistry(PLATFORM_SPECIFIC_PACKAGE_NAME);
 	let desiredVersion;
 	try {
@@ -86,16 +110,43 @@ async function downloadBinaryFromNpm() {
 	const metaBuffer = await makeRequest(metaUrl);
 	const metadata = JSON.parse(metaBuffer.toString("utf8"));
 	const version = desiredVersion || metadata?.["dist-tags"]?.latest;
-	const versionMeta = metadata?.versions?.[version];
-	const dist = versionMeta?.dist;
+	const dist = (metadata?.versions?.[version])?.dist;
 	if (!dist?.tarball) throw new Error(`Could not find tarball for ${PLATFORM_SPECIFIC_PACKAGE_NAME}@${version} from ${metaUrl}`);
+	ensureSecureUrl(dist.tarball, "tarball URL");
 	console.info(colors.green, "Downloading binary from:\n", dist.tarball, "\n", colors.reset);
+	/**
+	* Download the tarball of the right binary distribution package
+	* Verify integrity: prefer SRI integrity (sha512/sha256/sha1),
+	* fallback to legacy dist.shasum (sha1 hex). Fail if neither unless explicitly allowed.
+	*/
 	const tarballDownloadBuffer = await makeRequest(dist.tarball);
-	if (dist.integrity && dist.integrity.startsWith("sha512-")) {
-		const expected = dist.integrity.split("sha512-")[1];
-		const actual = NodeCrypto.createHash("sha512").update(tarballDownloadBuffer).digest("base64");
-		if (expected !== actual) throw new Error("Downloaded tarball failed integrity check (sha512 mismatch)");
-	}
+	(() => {
+		let verified = false;
+		const sriMatch = (typeof dist.integrity === "string" ? dist.integrity : "").match(/^([a-z0-9]+)-([A-Za-z0-9+/=]+)$/i);
+		if (sriMatch) {
+			const algo = sriMatch[1].toLowerCase();
+			const expected = sriMatch[2];
+			if (new Set([
+				"sha512",
+				"sha256",
+				"sha1"
+			]).has(algo)) {
+				const actual = NodeCrypto.createHash(algo).update(tarballDownloadBuffer).digest("base64");
+				if (expected !== actual) throw new Error(`Downloaded tarball failed integrity check (${algo} mismatch)`);
+				verified = true;
+			}
+		}
+		if (!verified && typeof dist.shasum === "string" && dist.shasum.length === 40) {
+			const expectedSha1Hex = dist.shasum.toLowerCase();
+			const actualSha1Hex = NodeCrypto.createHash("sha1").update(tarballDownloadBuffer).digest("hex");
+			if (expectedSha1Hex !== actualSha1Hex) throw new Error("Downloaded tarball failed integrity check (sha1 shasum mismatch)");
+			verified = true;
+		}
+		if (!verified) {
+			if (!(process.env.ALLOW_NO_INTEGRITY === "true" || process.env.ALLOW_UNVERIFIED_TARBALL === "true")) throw new Error("No integrity metadata found for downloaded tarball. Set ALLOW_NO_INTEGRITY=true to bypass (not recommended).");
+			console.warn(colors.yellow, "Warning: proceeding without integrity verification (explicitly allowed).", colors.reset);
+		}
+	})();
 	const tarballBuffer = NodeZlib.gunzipSync(tarballDownloadBuffer);
 	NodeFS.writeFileSync(fallbackBinaryPath, extractFileFromTarball(tarballBuffer, `package/bin/${BINARY_NAME}`), { mode: 493 });
 }
@@ -110,7 +161,7 @@ function isPlatformSpecificPackageInstalled() {
 if (!PLATFORM_SPECIFIC_PACKAGE_NAME) throw new Error("Platform not supported!");
 if (!isPlatformSpecificPackageInstalled()) {
 	console.log("Platform specific package not found. Will manually download binary.");
-	downloadBinaryFromNpm();
+	downloadBinaryFromRegistry();
 } else console.log("Platform specific package already installed. Skipping manual download.");
 
 //#endregion

package/package.json

@@ -1,13 +1,9 @@
 {
   "name": "@foundry-rs/forge",
-  "version": "1.3.5-nightly.20250914.72c1aa6",
+  "version": "1.3.6-nightly.20250917.5dbd958",
   "type": "module",
   "homepage": "https://getfoundry.sh/forge",
   "description": "Fast and flexible Ethereum testing framework",
-  "main": "./dist/index.mjs",
-  "engines": {
-    "node": ">=20"
-  },
   "bin": {
     "forge": "./bin/forge.mjs"
   },
@@ -19,11 +15,11 @@
     "postinstall": "node ./dist/install.mjs"
   },
   "optionalDependencies": {
-    "@foundry-rs/forge-darwin-arm64": "1.3.5-nightly.20250914.72c1aa6",
-    "@foundry-rs/forge-darwin-amd64": "1.3.5-nightly.20250914.72c1aa6",
-    "@foundry-rs/forge-linux-arm64": "1.3.5-nightly.20250914.72c1aa6",
-    "@foundry-rs/forge-linux-amd64": "1.3.5-nightly.20250914.72c1aa6",
-    "@foundry-rs/forge-win32-amd64": "1.3.5-nightly.20250914.72c1aa6"
+    "@foundry-rs/forge-darwin-arm64": "1.3.6-nightly.20250917.5dbd958",
+    "@foundry-rs/forge-darwin-amd64": "1.3.6-nightly.20250917.5dbd958",
+    "@foundry-rs/forge-linux-arm64": "1.3.6-nightly.20250917.5dbd958",
+    "@foundry-rs/forge-linux-amd64": "1.3.6-nightly.20250917.5dbd958",
+    "@foundry-rs/forge-win32-amd64": "1.3.6-nightly.20250917.5dbd958"
   },
   "publishConfig": {
     "access": "public",

package/dist/index.mjs

@@ -1,36 +0,0 @@
-#!/usr/bin/env node
-import NodeModule from "node:module";
-import NodeChildProcess from "node:child_process";
-import NodePath from "node:path";
-import { fileURLToPath } from "node:url";
-
-//#region src/const.ts
-const BINARY_DISTRIBUTION_PACKAGES = {
-	darwin: {
-		x64: "@foundry-rs/forge-darwin-amd64",
-		arm64: "@foundry-rs/forge-darwin-arm64"
-	},
-	linux: {
-		x64: "@foundry-rs/forge-linux-amd64",
-		arm64: "@foundry-rs/forge-linux-arm64"
-	},
-	win32: { x64: "@foundry-rs/forge-win32-amd64" }
-};
-const BINARY_NAME = process.platform === "win32" ? "forge.exe" : "forge";
-const PLATFORM_SPECIFIC_PACKAGE_NAME = BINARY_DISTRIBUTION_PACKAGES[process.platform][process.arch];
-
-//#endregion
-//#region src/index.ts
-const require = NodeModule.createRequire(import.meta.url);
-const __dirname = NodePath.dirname(fileURLToPath(import.meta.url));
-function getBinaryPath() {
-	try {
-		return require.resolve(`${PLATFORM_SPECIFIC_PACKAGE_NAME}/bin/${BINARY_NAME}`);
-	} catch (_error) {
-		return NodePath.join(__dirname, BINARY_NAME);
-	}
-}
-if (import.meta.url === `file://${process.argv[1]}`) NodeChildProcess.execFileSync(getBinaryPath(), process.argv.slice(2), { stdio: "inherit" });
-
-//#endregion
-export {  };