feat(download): verify sha256 against GitHub Releases asset digest#83
Open
pdugas wants to merge 1 commit into
Conversation
Stream the response through a sha256 hasher and, for URLs that match the GitHub Releases download pattern, look up the asset's `digest` field on the Releases API. On mismatch, reject with ERR_CHECKSUM_MISMATCH and remove the partial file. Older assets without a published `digest` and non-GitHub URLs (e.g. nodejs.org tarballs) warn and continue, so the change is backward compatible for callers that previously relied on unverified downloads. Adds tests (test/download.test.js) covering getExpectedSha256 parsing, the happy path, mismatch detection, missing-digest and API-down fallbacks, redirect following, and multi-chunk hashing.
avcribl
reviewed
May 14, 2026
| patchFile, | ||
| assertSupportedKey, | ||
| getExpectedSha256, | ||
| __setGithubHostsForTest, |
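Review bot: `__setGithubHostsForTest` is exported from the module's public surface, so any importer, not only the test suite, can change which hosts count as GitHub and therefore where the digest is looked up; pass the host set as a parameter of `getExpectedSha256` (or of `download`) and drop this export so the verification source cannot be swapped at runtime.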
Contributor
The __ prefix signals intent, but shipping a test-mutation hook in the production bundle is a bit of code smell. Please consider restructuring getExpectedSha256 to accept the hosts as parameters so tests can pass them directly without needing global mutation at all.
Contributor
If you do so, I think you would need to change the signature of download and, eventually, there would be no need to export getExpectedSha256 either.