Skip to content

fix(npm): verify release archive checksums#43

Merged
BunsDev merged 1 commit into
mainfrom
codex/propose-fix-for-unauthenticated-npm-binary-yfvjio
Jun 6, 2026
Merged

fix(npm): verify release archive checksums#43
BunsDev merged 1 commit into
mainfrom
codex/propose-fix-for-unauthenticated-npm-binary-yfvjio

Conversation

@BunsDev
Copy link
Copy Markdown
Member

@BunsDev BunsDev commented Jun 5, 2026

Motivation

  • The npm package previously downloaded platform-native release archives at postinstall without any independent integrity check, allowing a forged or replaced GitHub release asset to execute on users' machines.
  • The change aims to ensure npm provenance covers the native artifacts actually run by the wrapper by embedding and verifying SHA-256 digests produced at release time.

Description

  • Added release-asset checksum generation to the publish workflow by downloading built release archives and writing npm/checksums.json before running npm publish (file: .github/workflows/npm-publish.yml).
  • Included npm/checksums.json in the published package via npm/package.json so the installer can consult expected digests.
  • Hardened the installer npm/install.js to refuse non-HTTPS downloads, handle redirects safely, compute SHA-256 of the downloaded archive, and abort on missing or mismatched checksums before extraction.
  • Fixed the CLI wrapper npm/bin/coven-code to pick the correct platform-specific binary name (append .exe on Windows) and corrected the reinstall hint.

Testing

  • Static checks: ran node --check npm/install.js and node --check npm/bin/coven-code (syntax checks passed).
  • Packaging check: npm pack --dry-run --json inside npm verified checksums.json is included in the packaged files.
  • Behavioral test: ran a mocked installer where the downloaded archive had an intentionally wrong checksum and verified the installer failed with a checksum error and did not extract or execute the native binary.
  • Workflow validation: inspected and linted modified workflow YAML with a YAML loader to ensure the inserted step is valid.

Codex Task

Copilot AI review requested due to automatic review settings June 5, 2026 23:58
Copilot AI reviewed Jun 6, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the npm distribution of @opencoven/coven-code by embedding SHA-256 digests for platform-native release archives and verifying downloaded artifacts during postinstall, reducing the risk of executing tampered GitHub release assets.

Changes:

  • Add npm/checksums.json to the published package and verify archive SHA-256 before extraction in npm/install.js.
  • Update the npm publish workflow to generate npm/checksums.json from release assets prior to npm publish.
  • Fix the Node wrapper to select the correct Windows binary name (.exe) and update the reinstall hint.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
npm/package.json Ensures checksums.json is included in the published npm package.
npm/install.js Enforces HTTPS downloads, handles redirects, and verifies SHA-256 before extraction.
npm/checksums.json Adds the checksum manifest file (populated during publish).
npm/bin/coven-code Fixes platform binary path resolution and corrects reinstall guidance.
.github/workflows/npm-publish.yml Generates npm/checksums.json from GitHub Release assets before publishing to npm.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread npm/install.js
Comment on lines +132 to +134
console.log('coven-code: verifying checksum...');
verifyChecksum(tmpPath, archiveName);

Comment thread npm/install.js
Comment on lines +52 to +56
https.get(url, (res) => {
if ([301, 302, 303, 307, 308].includes(res.statusCode)) {
file.close();
try { fs.unlinkSync(dest); } catch (_) {}
download(res.headers.location, dest).then(resolve).catch(reject);
if (!res.headers.location) {
Comment thread .github/workflows/npm-publish.yml
Comment on lines +126 to +137
- name: Generate npm checksum manifest
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
TAG="${{ steps.version.outputs.tag }}"
mkdir -p release-assets
gh release download "$TAG" \
--repo "${{ github.repository }}" \
--pattern 'coven-code-*.tar.gz' \
--pattern 'coven-code-*.zip' \
--dir release-assets
Comment thread npm/install.js
Comment on lines +96 to +102
function expectedSha256(archiveName) {
const entry = checksums[archiveName];
if (!entry || typeof entry.sha256 !== 'string') {
throw new Error(`Missing SHA-256 checksum for ${archiveName} in checksums.json`);
}
return entry.sha256;
}
@BunsDev BunsDev merged commit b98e662 into main Jun 6, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

aardvark codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BunsDev