From 3485cc599b6a31083a876bf05007651477acbd8b Mon Sep 17 00:00:00 2001
From: mverzilli
Date: Thu, 7 May 2026 13:41:22 +0000
Subject: [PATCH 1/2] include sqlite binary in npm package
---
 yarn-project/sqlite3mc-wasm/scripts/vendor.sh | 12 +++
 .../sqlite3mc-wasm/scripts/verify-pack.sh | 91 +++++++++++++++++++
 .../sqlite3mc-wasm/vendor/jswasm/.gitignore | 6 +-
 .../sqlite3mc-wasm/vendor/jswasm/.npmignore | 18 ++++
 4 files changed, 125 insertions(+), 2 deletions(-)
 create mode 100755 yarn-project/sqlite3mc-wasm/scripts/verify-pack.sh
 create mode 100644 yarn-project/sqlite3mc-wasm/vendor/jswasm/.npmignore
diff --git a/yarn-project/sqlite3mc-wasm/scripts/vendor.sh b/yarn-project/sqlite3mc-wasm/scripts/vendor.sh
index f8da2b46f383..c4abb0a2ae28 100755
--- a/yarn-project/sqlite3mc-wasm/scripts/vendor.sh
+++ b/yarn-project/sqlite3mc-wasm/scripts/vendor.sh
@@ -29,6 +29,7 @@ PKG_ROOT=$(cd "$SCRIPT_DIR/.." && pwd)
 LOCAL_DMTS="$PKG_ROOT/vendor/jswasm/sqlite3-bundler-friendly.d.mts"
 LOCAL_GITIGNORE="$PKG_ROOT/vendor/jswasm/.gitignore"
+LOCAL_NPMIGNORE="$PKG_ROOT/vendor/jswasm/.npmignore"
 SHA256SUMS="$PKG_ROOT/vendor/jswasm/SHA256SUMS"
 PIN_FILE="$SCRIPT_DIR/vendor.pin"
@@ -100,6 +101,7 @@ fi
 # Preserve files that aren't part of the upstream release across re-vendoring:
 # - sqlite3-bundler-friendly.d.mts: locally-authored TypeScript declaration
 # - .gitignore: allowlist that keeps upstream artifacts untracked
+# - .npmignore: shadows .gitignore so npm publish keeps the artifacts
 DMTS_BACKUP=""
 if [[ -f "$LOCAL_DMTS" ]]; then
 DMTS_BACKUP=$(mktemp)
@@ -110,6 +112,11 @@ if [[ -f "$LOCAL_GITIGNORE" ]]; then
 GITIGNORE_BACKUP=$(mktemp)
 cp "$LOCAL_GITIGNORE" "$GITIGNORE_BACKUP"
 fi
+NPMIGNORE_BACKUP=""
+if [[ -f "$LOCAL_NPMIGNORE" ]]; then
+ NPMIGNORE_BACKUP=$(mktemp)
+ cp "$LOCAL_NPMIGNORE" "$NPMIGNORE_BACKUP"
+fi
 echo "==> Replacing vendor/jswasm/ with pristine upstream files"
 rm -rf "$PKG_ROOT/vendor/jswasm"
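Review bot: When `$LOCAL_NPMIGNORE` does not exist, the backup block added in the `@@ -110,6 +112,11 @@` hunk is skipped without any message, and the matching restore block in the `@@ -127,6 +134,11 @@` hunk is then a no-op, so vendor.sh finishes with a vendor/jswasm/ that has no .npmignore. According to the comments this patch adds elsewhere, that is the state in which npm strips the WASM/MJS artifacts from the tarball, and it would only be noticed later, at publish time, by verify-pack.sh. An `else` branch on the backup check, for example `echo "warning: $LOCAL_NPMIGNORE missing; npm pack will drop the vendored artifacts" >&2`, would surface it at vendoring time. Both blocks are top-level script code that continues outside the hunks shown.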
@@ -127,6 +134,11 @@ if [[ -n "$GITIGNORE_BACKUP" ]]; then
 rm "$GITIGNORE_BACKUP"
 echo "==> Restored .gitignore"
 fi
+if [[ -n "$NPMIGNORE_BACKUP" ]]; then
+ cp "$NPMIGNORE_BACKUP" "$LOCAL_NPMIGNORE"
+ rm "$NPMIGNORE_BACKUP"
+ echo "==> Restored .npmignore"
+fi
 echo "==> Generating vendor/jswasm/SHA256SUMS"
 (cd "$PKG_ROOT/vendor/jswasm" && sha256sum -- * 2>/dev/null | sort -k2 > SHA256SUMS)
diff --git a/yarn-project/sqlite3mc-wasm/scripts/verify-pack.sh b/yarn-project/sqlite3mc-wasm/scripts/verify-pack.sh
new file mode 100755
index 000000000000..692d0b5bc1fd
--- /dev/null
+++ b/yarn-project/sqlite3mc-wasm/scripts/verify-pack.sh
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# Verify that the npm tarball this package would publish includes every
+# vendored sqlite3mc artifact listed in vendor/jswasm/SHA256SUMS.
+#
+# Background: npm honors any `.gitignore` it finds inside directories listed
+# in the `files` allowlist. The `.gitignore` in vendor/jswasm/ excludes
+# everything except an allowlist (SHA256SUMS, the locally-authored .d.mts,
+# and itself), which inadvertently strips the WASM/MJS artifacts from the
+# published tarball even though they're present on disk after vendor.sh ran.
+#
+# vendor/jswasm/.npmignore shadows that .gitignore for npm pack purposes.
+# This script is the guard that catches any future regression. For example:
+# someone deletes the .npmignore, or a new vendored file is added but not
+# captured by whatever inclusion mechanism is in place. Wired into
+# `prepublishOnly` so a broken tarball aborts publish before upload.
+#
+# Exit codes: 0 = all expected files present, 1 = missing files, 2 = setup
+# error (no SHA256SUMS, npm pack failed, etc.).
+
+set -euo pipefail
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+PKG_ROOT=$(cd "$SCRIPT_DIR/.." && pwd)
+SHA256SUMS="$PKG_ROOT/vendor/jswasm/SHA256SUMS"
+
+if [[ ! -f "$SHA256SUMS" ]]; then
+ echo "verify-pack: SHA256SUMS not found at $SHA256SUMS" >&2
+ echo " Run scripts/vendor.sh first to populate vendor/jswasm/." >&2
+ exit 2
+fi
+
+# Parse SHA256SUMS for the list of files that MUST appear in the tarball.
+# Each line is " ". We want the filename, prefixed with
+# the package-relative path that npm uses inside the tarball.
+expected=()
+while IFS= read -r line; do
+ fname=$(awk '{print $2}' <<<"$line")
+ [[ -n "$fname" ]] || continue
+ expected+=("vendor/jswasm/$fname")
+done < "$SHA256SUMS"
+
+if [[ ${#expected[@]} -eq 0 ]]; then
+ echo "verify-pack: SHA256SUMS contained no entries, nothing to verify" >&2
+ exit 2
+fi
+
+WORK_DIR=$(mktemp -d)
+trap 'rm -rf "$WORK_DIR"' EXIT
+
+# Build the same tarball `npm publish` would upload, then list its contents.
+# `--dry-run --json` output format varies across npm versions; running real
+# `npm pack` and untarring is stable across npm 7+.
+echo "==> Running npm pack to build a candidate tarball"
+(cd "$PKG_ROOT" && npm pack --pack-destination "$WORK_DIR" >/dev/null)
+TARBALL=$(find "$WORK_DIR" -maxdepth 1 -name '*.tgz' | head -n 1)
+if [[ -z "$TARBALL" ]]; then
+ echo "verify-pack: npm pack produced no tarball in $WORK_DIR" >&2
+ exit 2
+fi
+
+# Tarball entries are prefixed with "package/" — strip for comparison.
+tar tzf "$TARBALL" | sed 's|^package/||' > "$WORK_DIR/listing"
+
+missing=0
+for f in "${expected[@]}"; do
+ if ! grep -Fxq "$f" "$WORK_DIR/listing"; then
+ echo "verify-pack: missing from tarball: $f" >&2
+ missing=1
+ fi
+done
+
+if [[ "$missing" -eq 1 ]]; then
+ cat >&2 <&1 | grep vendor/jswasm
+
+ Tarball file listing (for reference): $WORK_DIR/listing
+EOF
+ # Don't auto-clean WORK_DIR on failure so the operator can inspect.
+ trap - EXIT
+ echo "verify-pack: leaving $WORK_DIR for inspection" >&2
+ exit 1
+fi
+
+echo "verify-pack: all ${#expected[@]} vendored files present in tarball"
diff --git a/yarn-project/sqlite3mc-wasm/vendor/jswasm/.gitignore b/yarn-project/sqlite3mc-wasm/vendor/jswasm/.gitignore
index 915a8050440b..732bd806851d 100644
--- a/yarn-project/sqlite3mc-wasm/vendor/jswasm/.gitignore
+++ b/yarn-project/sqlite3mc-wasm/vendor/jswasm/.gitignore
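Review bot: The `for f in "${expected[@]}"` loop only checks that each filename from SHA256SUMS appears in the tarball listing; the digests in that manifest are never compared with the packed bytes, so a stale or locally modified artifact with the right name passes the guard. Since the tarball is already in `$WORK_DIR`, it could be unpacked and checked against the committed manifest with `tar xzf "$TARBALL" -C "$WORK_DIR"` followed by `(cd "$WORK_DIR/package/vendor/jswasm" && sha256sum -c --quiet "$SHA256SUMS")`. That also covers the presence check, because a listed file that is absent fails verification. As a smaller point, `awk '{print $2}'` truncates any manifest entry whose filename contains a space.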
@@ -1,9 +1,11 @@
 # Upstream sqlite3mc-wasm release artifacts are fetched at build time by
 # scripts/vendor.sh (driven by scripts/vendor.pin). Don't commit them.
 #
-# Allowlist: keep this .gitignore, the integrity manifest, and our
-# locally-authored TypeScript declaration tracked in git.
+# Allowlist: keep this .gitignore, the .npmignore that shadows it for npm
+# pack, the integrity manifest, and our locally-authored TypeScript
+# declaration tracked in git.
 *
 !.gitignore
+!.npmignore
 !SHA256SUMS
 !sqlite3-bundler-friendly.d.mts
diff --git a/yarn-project/sqlite3mc-wasm/vendor/jswasm/.npmignore b/yarn-project/sqlite3mc-wasm/vendor/jswasm/.npmignore
new file mode 100644
index 000000000000..bd143d02c3f3
--- /dev/null
+++ b/yarn-project/sqlite3mc-wasm/vendor/jswasm/.npmignore
@@ -0,0 +1,18 @@
+# Empty allowlist override for `npm publish`.
+#
+# The sibling .gitignore is structured to keep upstream-fetched binary
+# artifacts (sqlite3mc WASM/MJS files) out of git: they're regenerated by
+# scripts/vendor.sh on every checkout/build.
+#
+# But: when `files` in package.json lists `vendor/`, npm's tarball builder
+# also honors any nested .gitignore, and would strip those same artifacts
+# from the published tarball, leaving downstream consumers with an
+# unbuildable package (`dest/index.js` re-exports from
+# `../vendor/jswasm/sqlite3-bundler-friendly.mjs`).
+#
+# An .npmignore in a directory shadows the sibling .gitignore for npm pack.
+# Empty contents = "include everything in this directory."
+#
+# Guard: scripts/verify-pack.sh runs at prepublishOnly and asserts every
+# file in SHA256SUMS appears in the produced tarball. If this file gets
+# deleted by accident, that check fires before the broken tarball ships.
From 7857955889b6bb5e3a974d1bd650d34e96f5ac2c Mon Sep 17 00:00:00 2001
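Review bot: An empty .npmignore publishes every file that happens to be in vendor/jswasm/ at pack time, not only the artifacts vendor.sh fetched, and verify-pack.sh reports missing files but never unexpected ones. A stray file left in that directory between vendoring and publish (an editor backup, local debug output) would therefore ship in the tarball unnoticed. I would state this in the new file, e.g. `# NOTE: everything present in this directory at pack time is published; keep it limited to vendor.sh output.`, and consider having verify-pack.sh also fail on tarball entries under vendor/jswasm/ that are absent from SHA256SUMS.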
From: mverzilli
Date: Thu, 7 May 2026 14:00:21 +0000
Subject: [PATCH 2/2] commit missing file
---
 yarn-project/sqlite3mc-wasm/package.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/yarn-project/sqlite3mc-wasm/package.json b/yarn-project/sqlite3mc-wasm/package.json
index a7644570650b..5f25ccd6b535 100644
--- a/yarn-project/sqlite3mc-wasm/package.json
+++ b/yarn-project/sqlite3mc-wasm/package.json
@@ -18,7 +18,8 @@
 "build": "yarn clean && ../scripts/tsc.sh",
 "clean": "rm -rf ./dest .tsbuildinfo",
 "test": "NODE_NO_WARNINGS=1 node --experimental-vm-modules ../node_modules/.bin/jest --passWithNoTests --maxWorkers=${JEST_MAX_WORKERS:-8}",
- "build:dev": "../scripts/tsc.sh --watch"
+ "build:dev": "../scripts/tsc.sh --watch",
+ "prepublishOnly": "./scripts/verify-pack.sh"
 },
 "devDependencies": {
 "@jest/globals": "^30.0.0",
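Review bot: The tarball guard is reachable only through the `prepublishOnly` lifecycle hook, so it protects a release only if the publish path actually runs that hook; how this workspace is published is not visible in the patch. If packages are released with another client (for example `yarn npm publish`) or with `--ignore-scripts`, verify-pack.sh may never execute and the check is skipped silently. It is worth confirming the release job, or calling `./scripts/verify-pack.sh` from it explicitly so the check does not depend on a lifecycle hook.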