herozion 1.1.4 → 1.1.6

package/install.js

@@ -33,8 +33,11 @@ const crypto = require("crypto");
 const { execSync } = require("child_process");
 
 const VERSION = require("./package.json").version;
+// BINARY_VERSION may differ from VERSION when npm patches (install.js fixes, etc.)
+// are published without new binaries. Update this when new binaries are released.
+const BINARY_VERSION = "1.1.5";
 const BASE_URL =
-  `https://github.com/Herozion/scanner-releases/releases/download/v${VERSION}`;
+  `https://github.com/Herozion/scanner-releases/releases/download/v${BINARY_VERSION}`;
 
 // ── Platform detection ────────────────────────────────────────────────────────
 
@@ -111,7 +114,8 @@ function sha256File(filePath) {
 async function main() {
   const binaryName = getBinaryName();
   const url = `${BASE_URL}/${binaryName}`;
-  const checksumUrl = `${BASE_URL}/${binaryName}.sha256`;
+  // The release ships a combined CHECKSUMS.sha256 file, not per-binary .sha256 files.
+  const checksumUrl = `${BASE_URL}/CHECKSUMS.sha256`;
 
   // Store the binary inside this package directory (node_modules/herozion/)
   const binDir = path.join(__dirname, "bin");
@@ -122,10 +126,10 @@ async function main() {
   const destPath = path.join(binDir, destName);
   const tmpPath = destPath + ".tmp";
 
-  // Skip download if binary already exists and matches version
-  const markerPath = path.join(binDir, `.version-${VERSION}`);
+  // Skip download if binary already exists and matches binary version
+  const markerPath = path.join(binDir, `.version-${BINARY_VERSION}`);
   if (fs.existsSync(destPath) && fs.existsSync(markerPath)) {
-    console.log(`herozion: binary v${VERSION} already present, skipping download.`);
+    console.log(`herozion: binary v${BINARY_VERSION} already present, skipping download.`);
     return;
   }
 
@@ -137,7 +141,7 @@ async function main() {
     bundledHash = (bundled[binaryName] || "").toLowerCase().trim();
   } catch (_) {}
 
-  console.log(`herozion: downloading ${binaryName} v${VERSION}...`);
+  console.log(`herozion: downloading ${binaryName} v${BINARY_VERSION}...`);
   try {
     // Download binary to a temporary path first, then verify checksum before placing
     await download(url, tmpPath);
@@ -158,10 +162,19 @@ async function main() {
       }
     }
 
-    // ── Secondary check: .sha256 from GitHub Releases ─────────────────────────
+    // ── Secondary check: CHECKSUMS.sha256 from GitHub Releases ────────────────
     try {
       const checksumData = await downloadText(checksumUrl);
-      const remoteHash = checksumData.trim().split(/\s+/)[0].toLowerCase();
+      // Parse the combined checksum file: each line is "<hash>  <filename>"
+      const remoteHash = (() => {
+        for (const line of checksumData.split(/\n/)) {
+          const parts = line.trim().split(/\s+/);
+          if (parts.length >= 2 && parts[1] === binaryName) {
+            return parts[0].toLowerCase();
+          }
+        }
+        return "";
+      })();
       if (remoteHash && actualHash !== remoteHash) {
         fs.unlinkSync(tmpPath);
         throw new Error(
@@ -194,8 +207,8 @@ async function main() {
     try { fs.unlinkSync(tmpPath); } catch (_) {}
     // Non-fatal: warn and continue — the bin shim will give a clear error at runtime
     console.warn(`herozion: WARNING — could not download binary: ${err.message}`);
-    console.warn("You can download it manually from:");
-    console.warn(`  ${url}`);
+    console.warn(`You can download it manually from:`);
+    console.warn(`  ${BASE_URL}/${binaryName}`);
   }
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "herozion",
-  "version": "1.1.4",
+  "version": "1.1.6",
   "description": "Security audit and performance analysis CLI tool for developers",
   "keywords": [
     "security",