npm - deepseek-tui - Versions diffs - 0.3.29 → 0.3.32 - Mend

deepseek-tui 0.3.29 → 0.3.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md +4 -0
package/package.json +2 -2
package/scripts/artifacts.js +25 -1
package/scripts/install.js +65 -4
package/scripts/verify-release-assets.js +64 -2

package/README.md CHANGED Viewed

@@ -40,3 +40,7 @@ Other platform/architecture combinations are not supported and will fail during
 - `npm publish` runs a release-asset check to ensure all required binary assets
   exist for the target GitHub release before publishing.
+- Install-time downloads are verified against the release checksum manifest before
+  the wrapper marks them executable.
+- Set `DEEPSEEK_TUI_RELEASE_BASE_URL` to point the installer at a local or
+  staged release-asset directory for smoke tests.

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "deepseek-tui",
-  "version": "0.3.29",
-  "deepseekBinaryVersion": "0.3.28",
+  "version": "0.3.32",
+  "deepseekBinaryVersion": "0.3.31",
   "description": "Install and run deepseek and deepseek-tui binaries from GitHub release artifacts.",
   "author": "Hmbown",
   "license": "MIT",

package/scripts/artifacts.js CHANGED Viewed

@@ -1,6 +1,8 @@
 const path = require("path");
 const os = require("os");
+const CHECKSUM_MANIFEST = "deepseek-artifacts-sha256.txt";
 const ASSET_MATRIX = {
   linux: {
     x64: ["deepseek-linux-x64", "deepseek-tui-linux-x64"],
@@ -40,8 +42,22 @@ function executableName(base, platform) {
   return platform === "win32" ? `${base}.exe` : base;
 }
+function releaseBaseUrl(version, repo = "Hmbown/DeepSeek-TUI") {
+  const override =
+    process.env.DEEPSEEK_TUI_RELEASE_BASE_URL || process.env.DEEPSEEK_RELEASE_BASE_URL;
+  if (override) {
+    const trimmed = String(override).trim();
+    return trimmed.endsWith("/") ? trimmed : `${trimmed}/`;
+  }
+  return `https://github.com/${repo}/releases/download/v${version}/`;
+}
 function releaseAssetUrl(baseName, version, repo = "Hmbown/DeepSeek-TUI") {
-  return `https://github.com/${repo}/releases/download/v${version}/${baseName}`;
+  return new URL(baseName, releaseBaseUrl(version, repo)).toString();
+}
+function checksumManifestUrl(version, repo = "Hmbown/DeepSeek-TUI") {
+  return releaseAssetUrl(CHECKSUM_MANIFEST, version, repo);
 }
 function releaseBinaryDirectory() {
@@ -58,10 +74,18 @@ function allAssetNames() {
   return Array.from(new Set(names));
 }
+function allReleaseAssetNames() {
+  return [...allAssetNames(), CHECKSUM_MANIFEST];
+}
 module.exports = {
   allAssetNames,
+  allReleaseAssetNames,
+  CHECKSUM_MANIFEST,
+  checksumManifestUrl,
   detectBinaryNames,
   executableName,
   releaseAssetUrl,
+  releaseBaseUrl,
   releaseBinaryDirectory,
 };

package/scripts/install.js CHANGED Viewed

@@ -1,12 +1,14 @@
 const fs = require("fs");
 const https = require("https");
 const http = require("http");
-const { mkdir, chmod, stat, rename, readFile, writeFile } = fs.promises;
+const crypto = require("crypto");
+const { mkdir, chmod, stat, rename, readFile, unlink, writeFile } = fs.promises;
 const { createWriteStream } = fs;
 const { pipeline } = require("stream/promises");
 const path = require("path");
 const {
+  checksumManifestUrl,
   detectBinaryNames,
   releaseAssetUrl,
   releaseBinaryDirectory,
@@ -69,6 +71,19 @@ async function download(url, destination) {
   await pipeline(resolved.response, createWriteStream(destination));
 }
+async function downloadText(url) {
+  const resolved = await httpGet(url);
+  if (resolved.redirect) {
+    return downloadText(resolved.redirect);
+  }
+  const chunks = [];
+  resolved.response.setEncoding("utf8");
+  for await (const chunk of resolved.response) {
+    chunks.push(chunk);
+  }
+  return chunks.join("");
+}
 async function readLocalVersion(file) {
   return readFile(file, "utf8").catch(() => "");
 }
@@ -82,7 +97,45 @@ async function fileExists(file) {
   }
 }
-async function ensureBinary(targetPath, assetName, version, repo) {
+function parseChecksumManifest(text) {
+  const checksums = new Map();
+  for (const line of text.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed) {
+      continue;
+    }
+    const match = trimmed.match(/^([a-fA-F0-9]{64})\s+\*?(.+)$/);
+    if (!match) {
+      throw new Error(`Invalid checksum manifest line: ${trimmed}`);
+    }
+    checksums.set(match[2], match[1].toLowerCase());
+  }
+  return checksums;
+}
+async function sha256File(filePath) {
+  const content = await readFile(filePath);
+  return crypto.createHash("sha256").update(content).digest("hex");
+}
+async function verifyChecksum(filePath, assetName, checksums) {
+  const expected = checksums.get(assetName);
+  if (!expected) {
+    throw new Error(`Checksum manifest is missing ${assetName}`);
+  }
+  const actual = await sha256File(filePath);
+  if (actual !== expected) {
+    throw new Error(
+      `Checksum mismatch for ${assetName}: expected ${expected}, got ${actual}`,
+    );
+  }
+}
+async function loadChecksums(version, repo) {
+  return parseChecksumManifest(await downloadText(checksumManifestUrl(version, repo)));
+}
+async function ensureBinary(targetPath, assetName, version, repo, checksums) {
   const marker = `${targetPath}.version`;
   const downloadIfNeeded =
     process.env.DEEPSEEK_TUI_FORCE_DOWNLOAD === "1" || process.env.DEEPSEEK_FORCE_DOWNLOAD === "1";
@@ -91,6 +144,7 @@ async function ensureBinary(targetPath, assetName, version, repo) {
     if (existing) {
       const markerVersion = await readLocalVersion(marker);
       if (markerVersion === String(version)) {
+        await verifyChecksum(targetPath, assetName, checksums);
         return targetPath;
       }
     }
@@ -98,6 +152,12 @@ async function ensureBinary(targetPath, assetName, version, repo) {
   const url = releaseAssetUrl(assetName, version, repo);
   const destination = `${targetPath}.download`;
   await download(url, destination);
+  try {
+    await verifyChecksum(destination, assetName, checksums);
+  } catch (error) {
+    await unlink(destination).catch(() => {});
+    throw error;
+  }
   if (process.platform !== "win32") {
     await chmod(destination, 0o755);
   }
@@ -115,10 +175,11 @@ async function run() {
   const paths = binaryPaths();
   const releaseDir = releaseBinaryDirectory();
   await mkdir(releaseDir, { recursive: true });
+  const checksums = await loadChecksums(version, repo);
   await Promise.all([
-    ensureBinary(paths.deepseek.target, paths.deepseek.asset, version, repo),
-    ensureBinary(paths.tui.target, paths.tui.asset, version, repo),
+    ensureBinary(paths.deepseek.target, paths.deepseek.asset, version, repo, checksums),
+    ensureBinary(paths.tui.target, paths.tui.asset, version, repo, checksums),
   ]);
 }

package/scripts/verify-release-assets.js CHANGED Viewed

@@ -1,6 +1,11 @@
 const https = require("https");
 const http = require("http");
-const { allAssetNames, releaseAssetUrl } = require("./artifacts");
+const {
+  allAssetNames,
+  allReleaseAssetNames,
+  checksumManifestUrl,
+  releaseAssetUrl,
+} = require("./artifacts");
 const pkg = require("../package.json");
@@ -58,10 +63,59 @@ async function verifyAsset(url, label) {
   }
 }
+async function downloadText(url) {
+  const client = url.startsWith("https:") ? https : http;
+  return new Promise((resolve, reject) => {
+    client
+      .get(
+        url,
+        {
+          headers: {
+            "User-Agent": "deepseek-tui-npm-release-check",
+          },
+        },
+        (res) => {
+          const status = res.statusCode || 0;
+          if (status >= 300 && status < 400 && res.headers.location) {
+            const next = new URL(res.headers.location, url).toString();
+            resolve(downloadText(next));
+            return;
+          }
+          if (status !== 200) {
+            reject(new Error(`Request failed with status ${status}: ${url}`));
+            res.resume();
+            return;
+          }
+          const chunks = [];
+          res.setEncoding("utf8");
+          res.on("data", (chunk) => chunks.push(chunk));
+          res.on("end", () => resolve(chunks.join("")));
+        },
+      )
+      .on("error", reject);
+  });
+}
+function parseChecksumManifest(text) {
+  const checksums = new Map();
+  for (const line of text.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed) {
+      continue;
+    }
+    const match = trimmed.match(/^([a-fA-F0-9]{64})\s+\*?(.+)$/);
+    if (!match) {
+      throw new Error(`Invalid checksum manifest line: ${trimmed}`);
+    }
+    checksums.set(match[2], match[1].toLowerCase());
+  }
+  return checksums;
+}
 async function run() {
   const version = resolveBinaryVersion();
   const repo = resolveRepo();
-  const assets = allAssetNames();
+  const assets = allReleaseAssetNames();
   console.log(`Verifying ${assets.length} release assets for ${repo}@v${version}...`);
   for (const asset of assets) {
@@ -69,6 +123,14 @@ async function run() {
     await verifyAsset(url, asset);
     console.log(`  ok ${asset}`);
   }
+  const checksums = parseChecksumManifest(
+    await downloadText(checksumManifestUrl(version, repo)),
+  );
+  for (const asset of allAssetNames()) {
+    if (!checksums.has(asset)) {
+      throw new Error(`Checksum manifest is missing ${asset}`);
+    }
+  }
   console.log("Release assets verified.");
 }