diff --git a/package.json b/package.json
index 63ee08cb..4669aa30 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@larksuite/cli",
- "version": "1.0.62",
+ "version": "1.0.63",
 "description": "The official CLI for Lark/Feishu open platform",
 "bin": {
 "lark-cli": "scripts/run.js"
diff --git a/scripts/install.js b/scripts/install.js
index 1b9b18b0..88a8b74c 100644
--- a/scripts/install.js
+++ b/scripts/install.js
@@ -265,9 +265,10 @@ function getExpectedChecksum(archiveName, checksumsDir) {
 const checksumsPath = path.join(dir, "checksums.txt");
 
 if (!fs.existsSync(checksumsPath)) {
- throw new Error(
- "[SECURITY] checksums.txt not found; refusing to install an unverified binary."
+ console.error(
+ "[WARN] checksums.txt not found, skipping checksum verification"
 );
+ return null;
 }
 
 const content = fs.readFileSync(checksumsPath, "utf8");
@@ -285,11 +286,7 @@ function getExpectedChecksum(archiveName, checksumsDir) {
 }
 
 function verifyChecksum(archivePath, expectedHash) {
- if (typeof expectedHash !== "string" || expectedHash.length === 0) {
- throw new Error(
- "[SECURITY] missing expected checksum; refusing to install an unverified binary."
- );
- }
+ if (expectedHash === null) return;
 
 // Stream the file to avoid loading the entire archive into memory.
 // Archives can be 10-100MB; streaming keeps RSS constant.
diff --git a/scripts/install.test.js b/scripts/install.test.js
index 6899d836..ad669613 100644
--- a/scripts/install.test.js
+++ b/scripts/install.test.js
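Review bot: The fail-closed guard in getExpectedChecksum is replaced with a stderr message and `return null;`, so a run where checksums.txt is absent from the download now installs an unverified binary with nothing a caller can refuse on; the same relaxation is carried through by `if (expectedHash === null) return;` in the verifyChecksum hunk and by the test changes in scripts/install.test.js. For an installer that fetches a binary, a missing checksum file is exactly what a tampered, substituted or truncated download looks like, so a `[WARN]` line that scrolls past in `npm install` output is not a substitute for the check. If skipping has to be supported (offline or air-gapped builds, say), keep the throw as the default and gate the skip behind an explicit opt-in, e.g. `if (!process.env.<OPT_IN_VAR>) throw new Error("[SECURITY] checksums.txt not found; refusing to install an unverified binary.");` with `<OPT_IN_VAR>` a name still to be chosen, and emit the `[WARN]` only on that opted-in path. getExpectedChecksum starts before this hunk and continues after it.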
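Review bot: `if (expectedHash === null) return;` is narrower than the guard it replaces: `undefined` and `""` previously threw, and now fall through to the streaming comparison below the hunk, whose handling of a non-string expected value is not visible here. Whatever policy is chosen for a missing checksums.txt, a blank or malformed entry in a checksums.txt that is present should still fail closed, so keep the type check for non-null values: `if (expectedHash === null) return;` followed by `if (typeof expectedHash !== "string" || expectedHash.length === 0) throw new Error("[SECURITY] missing expected checksum; refusing to install an unverified binary.");`. The bare return is also silent, unlike the getExpectedChecksum hunk which at least logs a `[WARN]`; if the bypass is kept, log here as well so the skipped verification is visible in the install output. verifyChecksum's body continues outside the hunk.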
@@ -52,17 +52,11 @@ describe("getExpectedChecksum", () => {
 );
 });
 
- it("throws [SECURITY] when checksums.txt does not exist (fail-closed)", () => {
+ it("returns null when checksums.txt does not exist", () => {
 const dir = fs.mkdtempSync(path.join(os.tmpdir(), "checksum-test-"));
 // No checksums.txt in dir
- assert.throws(
- () => getExpectedChecksum("anything.tar.gz", dir),
- (err) => {
- assert.match(err.message, /^\[SECURITY\]/);
- assert.match(err.message, /checksums\.txt not found/);
- return true;
- }
- );
+ const result = getExpectedChecksum("anything.tar.gz", dir);
+ assert.equal(result, null);
 });
 
 it("skips malformed lines and still finds valid entry", () => {
@@ -131,19 +125,6 @@ describe("verifyChecksum", () => {
 }
 );
 });
-
- it("verifyChecksum throws [SECURITY] on null/empty expectedHash (fail-closed)", () => {
- const filePath = makeTmpFile("content");
- for (const expectedHash of [null, ""]) {
- assert.throws(
- () => verifyChecksum(filePath, expectedHash),
- (err) => {
- assert.match(err.message, /^\[SECURITY\]/);
- return true;
- }
- );
- }
- });
 });
 
 describe("assertAllowedHost", () => {
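Review bot: `assert.equal(result, null)` in the rewritten "returns null" test compares with `==`, so a getExpectedChecksum that returned `undefined` would pass as well; use `assert.strictEqual(result, null)` to pin the value the new `return null;` actually produces. The test also no longer checks the only user-visible side of the new behaviour, since nothing asserts that the `[WARN]` message reaches stderr. The second hunk deletes the verifyChecksum fail-closed test without adding a replacement for the new `expectedHash === null` early return or for `""` and `undefined`, so the relaxed path is untested in both functions; at minimum a case such as `verifyChecksum(makeTmpFile("content"), null)` returning without throwing, and `""` still throwing, should be asserted.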