
feat(package-manager): add comprehensive hash verification for packageManager field #195

Merged
fengmk2 merged 3 commits into main from 09-23-feat_pm_support_download_package_manager_with_checksum on Sep 24, 2025

Conversation


@fengmk2 fengmk2 commented Sep 23, 2025

Support Corepack-style packageManager format with integrity hashes:

  • Parse format: package@version+algorithm.hash (e.g., yarn@1.22.22+sha512.abc...)
  • Support multiple hash algorithms: SHA1, SHA224, SHA256, SHA512
  • Verify downloaded package integrity against expected hash
  • Re-verify cached packages when hash is provided
  • Add proper error handling for hash mismatches

This ensures package manager binaries are authentic and haven't been tampered with,
improving security for monorepo installations.

Examples:

  • yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e
  • pnpm@8.15.0+sha256.1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
  • npm@10.5.0+sha1.abcd1234567890abcdef1234567890abcdef1234

🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com


@fengmk2 fengmk2 self-assigned this Sep 23, 2025
@fengmk2 fengmk2 marked this pull request as ready for review September 23, 2025 08:23
Copilot AI review requested due to automatic review settings September 23, 2025 08:23

Copilot AI left a comment


Pull Request Overview

This PR adds comprehensive hash verification for the packageManager field to improve security by ensuring package manager binaries are authentic and haven't been tampered with.

Key Changes:

  • Parse Corepack-style packageManager format with integrity hashes (e.g., yarn@1.22.22+sha512.abc...)
  • Support multiple hash algorithms: SHA1, SHA224, SHA256, SHA512
  • Verify downloaded package integrity and re-verify cached packages when hash is provided

Reviewed Changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

Reviewed files:

  • crates/vite_package_manager/src/request.rs: Added hash verification functionality and updated download function to support optional hash validation
  • crates/vite_package_manager/src/package_manager.rs: Enhanced package manager parsing to extract hash from packageManager field and integrated hash verification into download flow
  • crates/vite_package_manager/Cargo.toml: Added sha1 and sha2 dependencies for hash algorithm support
  • crates/vite_error/src/lib.rs: Added new error types for hash-related failures
  • crates/vite_error/Cargo.toml: Minor formatting fix for dependency ordering
  • Cargo.toml: Added sha1 dependency to workspace dependencies


Comment thread crates/vite_package_manager/src/request.rs
Comment thread crates/vite_package_manager/src/package_manager.rs Outdated
Comment thread crates/vite_package_manager/src/request.rs
@Brooooooklyn

cursor review

@Brooooooklyn

@codex review


chatgpt-codex-connector (Bot) left a comment


Codex Review: Here are some suggestions.


Comment thread crates/vite_package_manager/src/package_manager.rs Outdated

cursor (Bot) left a comment


✅ Bugbot reviewed your changes and found no bugs!


Comment thread crates/vite_package_manager/src/package_manager.rs Outdated
@fengmk2 fengmk2 force-pushed the 09-23-feat_pm_support_download_package_manager_with_checksum branch from 166ceec to 446694d on September 23, 2025 12:09
Copilot AI review requested due to automatic review settings September 23, 2025 12:11
@fengmk2 fengmk2 force-pushed the 09-23-feat_pm_support_download_package_manager_with_checksum branch from 446694d to 2cc0ad6 on September 23, 2025 12:11

Copilot AI left a comment


Pull Request Overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.



Comment thread crates/vite_package_manager/src/package_manager.rs Outdated
Comment thread crates/vite_package_manager/src/request.rs Outdated
@fengmk2 fengmk2 force-pushed the 09-23-feat_pm_support_download_package_manager_with_checksum branch from 2cc0ad6 to d944bab on September 23, 2025 12:36
Copilot AI review requested due to automatic review settings September 23, 2025 12:44
@fengmk2 fengmk2 force-pushed the 09-23-feat_pm_support_download_package_manager_with_checksum branch from d944bab to 8f0bf47 on September 23, 2025 12:44

Copilot AI left a comment


Pull Request Overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.



Comment thread crates/vite_package_manager/src/request.rs
Comment thread crates/vite_package_manager/src/package_manager.rs
Comment thread crates/vite_package_manager/src/package_manager.rs Outdated
Copilot AI review requested due to automatic review settings September 23, 2025 13:01

Copilot AI left a comment


Pull Request Overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

crates/vite_package_manager/src/package_manager.rs:407

  • When a hash is provided, the function should not skip verification for cached packages. The current logic returns early if shim files exist, bypassing hash verification even when expected_hash is Some. This could allow compromised cached packages to be used without verification.
    package_manager_type: PackageManagerType,
    package_name: &str,
    version: &str,
    expected_hash: Option<&str>,
) -> Result<AbsolutePathBuf, Error> {
    let tgz_url = get_npm_package_tgz_url(package_name, version);
    let cache_dir = get_cache_dir()?;
    let bin_name = package_manager_type.to_string();
    // $CACHE_DIR/vite/package_manager/pnpm/10.0.0
    let target_dir = cache_dir.join(format!("package_manager/{bin_name}/{version}"));
    let install_dir = target_dir.join(&bin_name);

    // If all shims already exist, return the target directory
    // $CACHE_DIR/vite/package_manager/pnpm/10.0.0/pnpm/bin/(pnpm|pnpm.cmd|pnpm.ps1)
    let bin_prefix = install_dir.join("bin");
    let bin_file = bin_prefix.join(&bin_name);
    if is_exists_file(&bin_file)?
        && is_exists_file(bin_file.with_extension("cmd"))?
        && is_exists_file(bin_file.with_extension("ps1"))?
    {
        return Ok(install_dir);
    }


Comment thread crates/vite_package_manager/src/request.rs
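The packageManager format described in the PR description (name@version+algorithm.hexdigest with sha1, sha224, sha256 or sha512) and the cache re-verification point raised in the Copilot review above, modelled as an added example. This is Python written for this page, not the vite_package_manager crate's Rust: the function names, the in-memory cache keyed by (name, version), the fetch callback and the stand-in tarball bytes are all assumptions made here so the model runs offline.

```python
"""Model of Corepack-style packageManager parsing and integrity checks (added example)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Hex-digest lengths for the four algorithms the PR description lists.
DIGEST_HEX_LEN = {"sha1": 40, "sha224": 56, "sha256": 64, "sha512": 128}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


class InvalidPackageManager(ValueError):
    """The field is malformed or names an algorithm this model does not support."""


class HashMismatch(Exception):
    """Downloaded or cached bytes do not match the pinned digest."""


@dataclass(frozen=True)
class PackageManagerSpec:
    name: str
    version: str
    algorithm: Optional[str] = None  # None when there is no "+algorithm.hex" suffix
    digest: Optional[str] = None     # lower-case hex


def parse_package_manager(field: str) -> PackageManagerSpec:
    """Parse "name@version" or "name@version+algorithm.hexdigest"."""
    # rpartition keeps a leading "@" on scoped names such as "@scope/tool@1.0.0"
    # (assumption: the page only shows unscoped names).
    name, sep, rest = field.strip().rpartition("@")
    if not sep or not name or not rest:
        raise InvalidPackageManager(f"expected name@version[+algorithm.hex], got {field!r}")
    version, plus, integrity = rest.partition("+")
    if not version:
        raise InvalidPackageManager("version is empty")
    if not plus:
        return PackageManagerSpec(name, version)
    algorithm, dot, digest = integrity.partition(".")
    want = DIGEST_HEX_LEN.get(algorithm)
    if not dot or want is None:
        # Fail closed: an unknown algorithm must not silently disable verification.
        raise InvalidPackageManager(f"unsupported or malformed integrity suffix {integrity!r}")
    if len(digest) != want or not HEX_RE.fullmatch(digest):
        raise InvalidPackageManager(f"{algorithm} digest must be {want} hex characters")
    return PackageManagerSpec(name, version, algorithm, digest.lower())


def verify_bytes(data: bytes, algorithm: str, expected_hex: str) -> None:
    """Raise HashMismatch unless data hashes to expected_hex under algorithm."""
    actual = hashlib.new(algorithm, data).hexdigest()
    if actual != expected_hex.lower():
        raise HashMismatch(f"{algorithm} mismatch: expected {expected_hex[:12]}..., got {actual[:12]}...")


def resolve_package_manager(
    spec: PackageManagerSpec,
    cache: Dict[Tuple[str, str], bytes],
    fetch: Callable[[str, str], bytes],
) -> bytes:
    """Return verified tarball bytes, re-checking cache hits when a digest is pinned.

    Returning early on a cache hit would let a tampered entry through; here the
    hit goes through the same check as a fresh download and is evicted on mismatch.
    """
    key = (spec.name, spec.version)
    data = cache.get(key)
    fresh = data is None
    if fresh:
        data = fetch(spec.name, spec.version)
    if spec.algorithm is not None:
        try:
            verify_bytes(data, spec.algorithm, spec.digest)
        except HashMismatch:
            if not fresh:
                cache.pop(key, None)  # drop the poisoned entry so it is not reused
            raise
    if fresh:
        cache[key] = data
    return data


def example_run() -> Dict[str, bool]:
    """Exercise the fresh-download, tampered-cache and unknown-algorithm paths."""
    tarball = b"constructed stand-in for pnpm-8.15.0.tgz (not a real archive)"
    spec = parse_package_manager("pnpm@8.15.0+sha256." + hashlib.sha256(tarball).hexdigest())
    cache: Dict[Tuple[str, str], bytes] = {}
    fetch = lambda name, version: tarball  # stands in for the registry download
    results = {"fresh_download_verified": resolve_package_manager(spec, cache, fetch) == tarball}
    cache[(spec.name, spec.version)] = tarball + b"\x00backdoor"  # simulate on-disk tampering
    try:
        resolve_package_manager(spec, cache, fetch)
        results["tampered_cache_rejected"] = False
    except HashMismatch:
        results["tampered_cache_rejected"] = (spec.name, spec.version) not in cache
    try:
        parse_package_manager("npm@10.5.0+md5.0123456789abcdef0123456789abcdef")
        results["unknown_algorithm_rejected"] = False
    except InvalidPackageManager:
        results["unknown_algorithm_rejected"] = True
    return results
```

Two choices worth noting: the digest comparison is a plain string compare because both values are public, so there is no timing secret to protect; and sha1 is accepted only because the format allows it. A collision attack against SHA-1 has been demonstrated, so a pin should use sha256 or sha512 when it is meant to stop substitution of the package manager tarball.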
fengmk2 and others added 2 commits September 23, 2025 21:56
…eManager field

Support Corepack-style packageManager format with integrity hashes:
- Parse format: package@version+algorithm.hash (e.g., yarn@1.22.22+sha512.abc...)
- Support multiple hash algorithms: SHA1, SHA224, SHA256, SHA512
- Verify downloaded package integrity against expected hash
- Re-verify cached packages when hash is provided
- Add proper error handling for hash mismatches

This ensures package manager binaries are authentic and haven't been tampered with,
improving security for monorepo installations.

Examples:
- yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e
- pnpm@8.15.0+sha256.1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
- npm@10.5.0+sha1.abcd1234567890abcdef1234567890abcdef1234

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@fengmk2 fengmk2 force-pushed the 09-23-feat_pm_support_download_package_manager_with_checksum branch from 04d6c36 to 306d59e on September 23, 2025 13:57
Copilot AI review requested due to automatic review settings September 24, 2025 02:47
@fengmk2 fengmk2 force-pushed the 09-23-feat_pm_support_download_package_manager_with_checksum branch from 306d59e to d593da1 on September 24, 2025 02:47

Copilot AI left a comment


Pull Request Overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.



Comment thread crates/vite_package_manager/src/package_manager.rs
Comment thread crates/vite_package_manager/src/package_manager.rs
Comment thread crates/vite_package_manager/src/request.rs
Comment thread crates/vite_error/src/lib.rs Outdated
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: MK (fengmk2) <fengmk2@gmail.com>
@fengmk2 fengmk2 force-pushed the 09-23-feat_pm_support_download_package_manager_with_checksum branch from d593da1 to 63255d6 on September 24, 2025 03:01
@fengmk2 fengmk2 merged commit 73cab43 into main Sep 24, 2025
9 checks passed

@fengmk2 fengmk2 deleted the 09-23-feat_pm_support_download_package_manager_with_checksum branch September 24, 2025 03:07

4 participants