
Commit 73cab43

fengmk2claude
andauthored
feat(package-manager): add comprehensive hash verification for packageManager field (#195)
Support Corepack-style packageManager format with integrity hashes: - Parse format: package@version+algorithm.hash (e.g., yarn@1.22.22+sha512.abc...) - Support multiple hash algorithms: SHA1, SHA224, SHA256, SHA512 - Verify downloaded package integrity against expected hash - Re-verify cached packages when hash is provided - Add proper error handling for hash mismatches This ensures package manager binaries are authentic and haven't been tampered with, improving security for monorepo installations. Examples: - yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e - pnpm@8.15.0+sha256.1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef - npm@10.5.0+sha1.abcd1234567890abcdef1234567890abcdef1234 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
1 parent fd0ea8b commit 73cab43

7 files changed

Lines changed: 430 additions & 46 deletions


Cargo.lock

Lines changed: 20 additions & 0 deletions

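--- a/Cargo.toml
+++ b/Cargo.toml
@@ -56,6 +56,7 @@ fspy_shared_unix = { path = "crates/fspy_shared_unix" }
 futures = "0.3.31"
 futures-core = "0.3.31"
 futures-util = "0.3.31"
+hex = "0.4.3"
 httpmock = "0.7"
 indoc = "2.0.5"
 itertools = "0.14.0"
@@ -77,6 +78,7 @@ serde = "1.0.219"
 serde_json = "1.0.140"
 serde_yml = "0.0.12"
 serial_test = "3.2.0"
+sha1 = "0.10.6"
 sha2 = "0.10.9"
 shell-escape = "0.1.5"
 supports-color = "3.0.1"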

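--- a/crates/vite_error/Cargo.toml
+++ b/crates/vite_error/Cargo.toml
@@ -21,6 +21,6 @@ serde_json = { workspace = true }
 serde_yml = { workspace = true }
 thiserror = { workspace = true }
 tokio = { workspace = true }
-wax = { workspace = true }
 vite_path = { workspace = true }
 vite_str = { workspace = true }
+wax = { workspace = true }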

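--- a/crates/vite_error/src/lib.rs
+++ b/crates/vite_error/src/lib.rs
@@ -153,6 +153,15 @@ pub enum Error {
 #[error("User cancelled by Ctrl+C")]
 UserCancelled,
 
+#[error("Hash mismatch: expected {expected}, got {actual}")]
+HashMismatch { expected: Str, actual: Str },
+
+#[error("Invalid hash format: {0}")]
+InvalidHashFormat(Str),
+
+#[error("Unsupported hash algorithm: {0}")]
+UnsupportedHashAlgorithm(Str),
+
 #[error(transparent)]
 AnyhowError(#[from] anyhow::Error),
 }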
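Review bot: `UnsupportedHashAlgorithm`'s message names the rejected algorithm but not the accepted set, so a user who wrote `sha-256` or `SHA256` in `packageManager` has to read the source to find the fix; the commit description lists sha1, sha224, sha256 and sha512, so the attribute could read `#[error("Unsupported hash algorithm: {0} (expected one of sha1, sha224, sha256, sha512)")]`. The three new variants also carry no doc comment saying which part of the `package@version+algorithm.hash` string each one rejects; a `///` line per variant would help, and for `HashMismatch` it should state whether `expected` and `actual` are bare hex digests or carry the algorithm prefix, which cannot be told from this hunk. Since sha1 is in the accepted set, the `UnsupportedHashAlgorithm` doc comment is the natural place to note that sha1 is kept only for compatibility with existing Corepack strings and gives no collision resistance, so sha256 or sha512 should be preferred when writing the field. The `Error` enum begins before this hunk, and the parsing and verification code that raises these variants is in a file outside this view, so the algorithm list above is taken from the commit description rather than from code.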

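--- a/crates/vite_package_manager/Cargo.toml
+++ b/crates/vite_package_manager/Cargo.toml
@@ -13,6 +13,7 @@ backon = { workspace = true }
 directories = { workspace = true }
 flate2 = { workspace = true }
 futures-util = { workspace = true }
+hex = { workspace = true }
 indoc = { workspace = true }
 pathdiff = { workspace = true }
 petgraph = { workspace = true, features = ["serde-1"] }
@@ -23,6 +24,8 @@ serde = { workspace = true, features = ["derive"] }
 # use `preserve_order` feature to preserve the order of the fields in `package.json`
 serde_json = { workspace = true, features = ["preserve_order"] }
 serde_yml = { workspace = true }
+sha1 = { workspace = true }
+sha2 = { workspace = true }
 tar = { workspace = true }
 tempfile = { workspace = true }
 tokio = { workspace = true, features = ["full"] }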
