@ggcode-cli/ggcode 1.1.96 → 1.2.1
- package/README.md +20 -0
- package/lib/install.js +16 -3
- package/package.json +1 -1
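--- a/package/README.md
+++ b/package/README.md
@@ -56,6 +56,26 @@ or:
 GGCODE_INSTALL_VERSION=X.Y.Z ggcode
 ```
 
+## TLS / Corporate proxy
+
+The installer verifies TLS certificates by default.
+
+If you are behind a corporate proxy with a custom CA certificate that Node.js does not trust, you have two options:
+
+1. **Recommended** — add your CA to Node's trust store:
+
+```bash
+NODE_EXTRA_CA_CERTS=/path/to/corporate-ca.pem npm install -g @ggcode-cli/ggcode
+```
+
+2. **Not recommended** — disable TLS verification entirely:
+
+```bash
+GGCODE_INSECURE_TLS=1 npm install -g @ggcode-cli/ggcode
+```
+
+This prints a security warning and makes the download vulnerable to man-in-the-middle attacks.
+
 ## Native installers
 
 Prefer a native package? Download directly from [GitHub Releases](https://github.com/topcheer/ggcode/releases/latest):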
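--- a/package/lib/install.js
+++ b/package/lib/install.js
@@ -375,10 +375,23 @@ function getProxyURL() {
 );
 }
 
+// GGCODE_INSECURE_TLS=1 disables TLS certificate verification.
+// Use ONLY behind a corporate proxy with a custom CA.
+const INSECURE_TLS = process.env.GGCODE_INSECURE_TLS === "1";
+if (INSECURE_TLS) {
+console.warn(
+"\x1b[31mWARNING: GGCODE_INSECURE_TLS=1 is set. TLS certificate verification is DISABLED.\x1b[0m\n" +
+"This makes the download vulnerable to man-in-the-middle attacks.\n" +
+"Only use this in trusted networks with a corporate proxy.\n" +
+"For custom CAs, prefer NODE_EXTRA_CA_CERTS=/path/to/ca.pem instead."
+);
+}
+const TLS_OPTS = { rejectUnauthorized: !INSECURE_TLS };
+
 function httpsGetViaProxy(targetUrl, callback) {
 const proxyURL = getProxyURL();
 if (!proxyURL) {
-return https.get(targetUrl,
+return https.get(targetUrl, TLS_OPTS, callback);
 }
 
 const parsed = new URL(targetUrl);
@@ -401,7 +414,7 @@ function httpsGetViaProxy(targetUrl, callback) {
 const tlsSocket = tls.connect({
 socket: socket,
 servername: parsed.hostname,
-rejectUnauthorized:
+rejectUnauthorized: !INSECURE_TLS,
 }, () => {
 const req = https.request(
 {
@@ -409,7 +422,7 @@ function httpsGetViaProxy(targetUrl, callback) {
 port: 443,
 path: parsed.pathname + (parsed.search || ""),
 method: "GET",
-rejectUnauthorized:
+rejectUnauthorized: !INSECURE_TLS,
 createConnection: () => tlsSocket,
 },
 callback,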
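Review bot: The `console.warn` block under `if (INSECURE_TLS)` is the only signal that verification is off, and if install.js runs as an npm lifecycle script (the README's `GGCODE_INSECURE_TLS=1 npm install -g …` example suggests it does), npm 7+ hides that output unless `--foreground-scripts` is passed or the script fails, so the warning may never be shown. With `rejectUnauthorized: !INSECURE_TLS` applied to `https.get`, `tls.connect` and `https.request`, nothing visible in these hunks still authenticates the downloaded binary in that mode; if the installer does not already compare it against a digest shipped inside the npm package, that check should be mandatory whenever `INSECURE_TLS` is true. The comment `// Use ONLY behind a corporate proxy with a custom CA.` would be more accurate as `// Accepts ANY certificate, not just the proxy's CA; prefer NODE_EXTRA_CA_CERTS.` The body of httpsGetViaProxy continues outside the hunks, so redirect handling and any later integrity check could not be reviewed here.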