feat(package-manager): add comprehensive hash verification for packageManager field

[fengmk2]

Support Corepack-style packageManager format with integrity hashes:

• Parse format: package@version+algorithm.hash (e.g., yarn@1.22.22+sha512.abc...)
• Support multiple hash algorithms: SHA1, SHA224, SHA256, SHA512
• Verify downloaded package integrity against expected hash
• Re-verify cached packages when hash is provided
• Add proper error handling for hash mismatches

This ensures package manager binaries are authentic and haven't been tampered with,
improving security for monorepo installations.

Examples:

• yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e
• pnpm@8.15.0+sha256.1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
• npm@10.5.0+sha1.abcd1234567890abcdef1234567890abcdef1234

🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com

[fengmk2]

• feat(package-manager): add comprehensive hash verification for packageManager field #195 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[Copilot]

Pull Request Overview

This PR adds comprehensive hash verification for the packageManager field to improve security by ensuring package manager binaries are authentic and haven't been tampered with.

Key Changes:

• Parse Corepack-style packageManager format with integrity hashes (e.g., yarn@1.22.22+sha512.abc...)
• Support multiple hash algorithms: SHA1, SHA224, SHA256, SHA512
• Verify downloaded package integrity and re-verify cached packages when hash is provided

Reviewed Changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
crates/vite_package_manager/src/request.rs	Added hash verification functionality and updated download function to support optional hash validation
crates/vite_package_manager/src/package_manager.rs	Enhanced package manager parsing to extract hash from packageManager field and integrated hash verification into download flow
crates/vite_package_manager/Cargo.toml	Added sha1 and sha2 dependencies for hash algorithm support
crates/vite_error/src/lib.rs	Added new error types for hash-related failures
crates/vite_error/Cargo.toml	Minor formatting fix for dependency ordering
Cargo.toml	Added sha1 dependency to workspace dependencies

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Brooooooklyn]

cursor review

[Brooooooklyn]

@codex review

[chatgpt-codex-connector]

Codex Review: Here are some suggestions.

About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you open a pull request for review, mark a draft as ready, or comment "@codex review". If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex fix this CI failure" or "@codex address that feedback".

[cursor]

✅ Bugbot reviewed your changes and found no bugs!

---

[Copilot]

Pull Request Overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Pull Request Overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Pull Request Overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

crates/vite_package_manager/src/package_manager.rs:407

• When a hash is provided, the function should not skip verification for cached packages. The current logic returns early if shim files exist, bypassing hash verification even when expected_hash is Some. This could allow compromised cached packages to be used without verification.

    package_manager_type: PackageManagerType,
    package_name: &str,
    version: &str,
    expected_hash: Option<&str>,
) -> Result<AbsolutePathBuf, Error> {
    let tgz_url = get_npm_package_tgz_url(package_name, version);
    let cache_dir = get_cache_dir()?;
    let bin_name = package_manager_type.to_string();
    // $CACHE_DIR/vite/package_manager/pnpm/10.0.0
    let target_dir = cache_dir.join(format!("package_manager/{bin_name}/{version}"));
    let install_dir = target_dir.join(&bin_name);

    // If all shims are already exists, return the target directory
    // $CACHE_DIR/vite/package_manager/pnpm/10.0.0/pnpm/bin/(pnpm|pnpm.cmd|pnpm.ps1)
    let bin_prefix = install_dir.join("bin");
    let bin_file = bin_prefix.join(&bin_name);
    if is_exists_file(&bin_file)?
        && is_exists_file(bin_file.with_extension("cmd"))?
        && is_exists_file(bin_file.with_extension("ps1"))?
    {
        return Ok(install_dir);
    }

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Pull Request Overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[fengmk2]

Merge activity

• Sep 24, 3:07 AM UTC: @fengmk2 merged this pull request with Graphite.