
Commit 166ceec

fengmk2 and claude committed
feat(package-manager): add comprehensive hash verification for packageManager field
Support Corepack-style packageManager format with integrity hashes:
- Parse format: package@version+algorithm.hash (e.g., yarn@1.22.22+sha512.abc...)
- Support multiple hash algorithms: SHA1, SHA224, SHA256, SHA512
- Verify downloaded package integrity against expected hash
- Re-verify cached packages when hash is provided
- Add proper error handling for hash mismatches

This ensures package manager binaries are authentic and haven't been tampered with, improving security for monorepo installations.

Examples:
- yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e
- pnpm@8.15.0+sha256.1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
- npm@10.5.0+sha1.abcd1234567890abcdef1234567890abcdef1234

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
1 parent 6b163db commit 166ceec
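
The `package@version+algorithm.hash` format from the commit message, as an added example that is not the project's own code: a strict parser that rejects unsupported algorithms and digests of the wrong length before anything is downloaded. All type and function names are hypothetical, digest computation is not shown, and versions are assumed to carry no `+build` metadata.

```rust
// Added example: strict parser for `name@version+algorithm.hexdigest`.
// Names are hypothetical; this is not the code from the commit.
#[derive(Debug, PartialEq)]
pub struct Integrity { pub algorithm: String, pub hex: String }
#[derive(Debug, PartialEq)]
pub struct Spec { pub name: String, pub version: String, pub integrity: Option<Integrity> }
#[derive(Debug, PartialEq)]
pub enum SpecError { Malformed, UnsupportedAlgorithm(String), BadDigest(String) }

/// Hex-encoded digest length for each algorithm the commit message lists.
fn hex_len(algorithm: &str) -> Option<usize> {
    match algorithm {
        "sha1" => Some(40),
        "sha224" => Some(56),
        "sha256" => Some(64),
        "sha512" => Some(128),
        _ => None,
    }
}

pub fn parse_spec(field: &str) -> Result<Spec, SpecError> {
    // The integrity suffix is optional: split it off at the first '+'.
    let (pkg, hash) = field.split_once('+').map_or((field, None), |(p, h)| (p, Some(h)));
    // rsplit so a leading '@' (scoped name) is not mistaken for the separator.
    let (name, version) = pkg.rsplit_once('@').ok_or(SpecError::Malformed)?;
    if name.is_empty() || version.is_empty() {
        return Err(SpecError::Malformed);
    }
    let integrity = match hash {
        None => None,
        Some(h) => {
            let (algorithm, hex) = h.split_once('.').ok_or(SpecError::Malformed)?;
            let want = hex_len(algorithm)
                .ok_or_else(|| SpecError::UnsupportedAlgorithm(algorithm.to_string()))?;
            // A short or non-hex digest must fail here, not at comparison time.
            if hex.len() != want || !hex.bytes().all(|b| b.is_ascii_hexdigit()) {
                return Err(SpecError::BadDigest(algorithm.to_string()));
            }
            // Lowercase so a later comparison with a computed digest is exact.
            Some(Integrity { algorithm: algorithm.to_string(), hex: hex.to_ascii_lowercase() })
        }
    };
    Ok(Spec { name: name.to_string(), version: version.to_string(), integrity })
}

fn main() {
    // Constructed sample values; the digest is a placeholder, not a release hash.
    let field = format!("pnpm@8.15.0+sha256.{}", "1234567890abcdef".repeat(4));
    println!("{:?}", parse_spec(&field));
    println!("{:?}", parse_spec("npm@10.5.0+md5.abcd"));
}
```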

7 files changed

Lines changed: 466 additions & 48 deletions


Cargo.lock

Lines changed: 13 additions & 0 deletions

Cargo.toml

Lines changed: 1 addition & 0 deletions
@@ -77,6 +77,7 @@ serde = "1.0.219"
7777
serde_json = "1.0.140"
7878
serde_yml = "0.0.12"
7979
serial_test = "3.2.0"
80+
sha1 = "0.10.6"
8081
sha2 = "0.10.9"
8182
shell-escape = "0.1.5"
8283
supports-color = "3.0.1"
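
Review bot: SHA-1 is no longer collision-resistant, so the added `sha1 = "0.10.6"` line makes a weak digest an accepted way to pin a package manager, while the commit message presents the check as proof the binary has not been tampered with. Suggest keeping SHA-1 only for compatibility with existing `packageManager` values and emitting a warning, or requiring an explicit opt-in, when a spec pins with `sha1`, so that users are steered toward SHA-256 or SHA-512 pins.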

crates/vite_error/Cargo.toml

Lines changed: 1 addition & 1 deletion
@@ -21,6 +21,6 @@ serde_json = { workspace = true }
2121
serde_yml = { workspace = true }
2222
thiserror = { workspace = true }
2323
tokio = { workspace = true }
24-
wax = { workspace = true }
2524
vite_path = { workspace = true }
2625
vite_str = { workspace = true }
26+
wax = { workspace = true }

crates/vite_error/src/lib.rs

Lines changed: 9 additions & 0 deletions
@@ -153,6 +153,15 @@ pub enum Error {
153153
#[error("User cancelled by Ctrl+C")]
154154
UserCancelled,
155155

156+
#[error("Hash mismatch: expected {expected}, got {actual}")]
157+
HashMismatch { expected: String, actual: String },
158+
159+
#[error("Invalid hash format: {0}")]
160+
InvalidHashFormat(String),
161+
162+
#[error("Unsupported hash algorithm: {0}")]
163+
UnsupportedHashAlgorithm(String),
164+
156165
#[error(transparent)]
157166
AnyhowError(#[from] anyhow::Error),
158167
}
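
Review bot: `HashMismatch { expected: String, actual: String }` carries neither the algorithm nor the package spec that failed, so the rendered message cannot tell an operator which download or cache entry to distrust. Suggest adding those as fields, for example `HashMismatch { package, algorithm, expected, actual }`, and including them in the `#[error(...)]` string. The three new variants would also benefit from `///` doc comments stating when each is returned, in particular whether `InvalidHashFormat` covers a wrong-length digest or only a missing `algorithm.hash` separator.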

crates/vite_package_manager/Cargo.toml

Lines changed: 2 additions & 0 deletions
@@ -23,6 +23,8 @@ serde = { workspace = true, features = ["derive"] }
2323
# use `preserve_order` feature to preserve the order of the fields in `package.json`
2424
serde_json = { workspace = true, features = ["preserve_order"] }
2525
serde_yml = { workspace = true }
26+
sha1 = { workspace = true }
27+
sha2 = { workspace = true }
2628
tar = { workspace = true }
2729
tempfile = { workspace = true }
2830
tokio = { workspace = true, features = ["full"] }
