blocklet:use prompts refinement (#366)

polunzh · polunzh · web-flow · commit 3cadfd590381 · 2020-03-06T14:38:23.000+08:00
* modify blocklet:use prompts #367 * bump version * add npm package integrity verification when run blocklet:use Also fix the emtpy blocklet directory bug. Related issue: #367 * update CHANGELOG Co-authored-by: polunzh <zhenqiang@arcblock.io>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## 1.0.14 (March 04, 2020)
+
+- add npm package integrity verification when run blocklet:use
+- modify blocklet:use prompts
+
 ## 1.0.13 (February 29, 2020)
 
 - optimizing install blocket dependencies
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@arcblock/forge-cli",
-  "version": "1.0.13",
+  "version": "1.0.14",
   "description": "a general set of CLI for arcblock Forge framework",
   "license": "Apache-2.0",
   "main": "src/index.js",
@@ -118,6 +118,7 @@
     "safe-eval": "^0.4.1",
     "semver": "^5.6.0",
     "shelljs": "^0.8.1",
+    "ssri": "^8.0.0",
     "tar": "^4.4.10",
     "update-notifier": "^3.0.1",
     "yaml": "^1.3.2"
diff --git a/src/cli/blocklet/use/use.js b/src/cli/blocklet/use/use.js
@@ -35,7 +35,7 @@ const promptTargetDirectory = async (checkEmpty = true) => {
   const { targetDir } = await inquirer.prompt({
     type: 'text',
     name: 'targetDir',
-    message: 'Please input target directory:',
+    message: 'Where do you want to put the generated project/dApp?',
     validate: input => {
       if (!input) return 'Target directory should not be empty';
 
diff --git a/src/core/util.js b/src/core/util.js
@@ -1,4 +1,5 @@
 const fs = require('fs');
+const fsExtra = require('fs-extra');
 const os = require('os');
 const path = require('path');
 const axios = require('axios');
@@ -14,6 +15,7 @@ const getPort = require('get-port');
 const prettyMilliseconds = require('pretty-ms');
 const moment = require('moment');
 const rc = require('rc');
+const ssri = require('ssri');
 const util = require('util');
 const toLower = require('lodash/toLower');
 
@@ -245,27 +247,62 @@ function getPackageConfig(filePath) {
   return packageJSON;
 }
 
+const verifyNpmPackageIntegrity = (content, packageName) => {
+  const { code, stdout: expectedIntegrity, stderr } = shell.exec(
+    `npm view ${packageName} dist.integrity`,
+    {
+      silent: true,
+    }
+  );
+
+  if (code !== 0) {
+    throw new Error(stderr);
+  }
+
+  if (ssri.checkData(content, expectedIntegrity) === false) {
+    printInfo('expected integrity', expectedIntegrity);
+    printInfo('actual integrity', ssri.fromData(content));
+    throw new Error(`${packageName} verify integrity failed`);
+  }
+
+  return true;
+};
+
 const downloadPackageFromNPM = async (name, dest, registry = '') => {
-  fs.mkdirSync(dest, { recursive: true });
+  printInfo('Downloading package...');
   debug('starter directory:', dest);
 
-  printInfo('Downloading package...');
   let packCommand = `npm pack ${name} --color`;
-  if (name) {
+  if (registry) {
     packCommand = `${packCommand} --registry=${registry}`;
   }
 
+  const tmpDir = os.tmpdir();
   const { code, stdout, stderr } = shell.exec(packCommand, {
     silent: true,
-    cwd: dest,
+    cwd: os.tmpdir(),
   });
 
   if (code !== 0) {
     throw new Error(stderr);
   }
 
   const packageName = stdout.trim();
-  await tar.x({ file: path.join(dest, packageName), C: dest, strip: 1 });
+  const tarballPath = path.join(tmpDir, packageName);
+  if (!fs.existsSync(tarballPath)) {
+    throw new Error(`download ${packageName} failed`);
+  }
+
+  verifyNpmPackageIntegrity(fs.readFileSync(tarballPath), name);
+
+  fs.mkdirSync(dest, { recursive: true });
+  await tar.x({ file: tarballPath, C: dest, strip: 1 });
+
+  try {
+    fsExtra.removeSync(tarballPath);
+  } catch (error) {
+    printWarning('remove temp tarball file failed:', tarballPath);
+  }
 
   return dest;
 };
diff --git a/version b/version
@@ -1 +1 @@
-1.0.13
+1.0.14
diff --git a/yarn.lock b/yarn.lock
@@ -4057,6 +4057,13 @@ minipass@^2.6.0, minipass@^2.8.6, minipass@^2.9.0:
     safe-buffer "^5.1.2"
     yallist "^3.0.0"
 
+minipass@^3.1.1:
+  version "3.1.1"
+  resolved "https://registry.yarnpkg.com/minipass/-/minipass-3.1.1.tgz#7607ce778472a185ad6d89082aa2070f79cedcd5"
+  integrity sha512-UFqVihv6PQgwj8/yTGvl9kPz7xIAY+R5z6XYjRInD3Gk3qx6QGSD6zEcpeG4Dy/lQnv1J6zv8ejV90hyYIKf3w==
+  dependencies:
+    yallist "^4.0.0"
+
 minizlib@^1.2.1:
   version "1.3.3"
   resolved "https://registry.yarnpkg.com/minizlib/-/minizlib-1.3.3.tgz#2290de96818a34c29551c8a8d301216bd65a861d"
@@ -5628,6 +5635,13 @@ sshpk@^1.7.0:
     safer-buffer "^2.0.2"
     tweetnacl "~0.14.0"
 
+ssri@^8.0.0:
+  version "8.0.0"
+  resolved "https://registry.yarnpkg.com/ssri/-/ssri-8.0.0.tgz#79ca74e21f8ceaeddfcb4b90143c458b8d988808"
+  integrity sha512-aq/pz989nxVYwn16Tsbj1TqFpD5LLrQxHf5zaHuieFV+R0Bbr4y8qUsOA45hXT/N4/9UNXTarBjnjVmjSOVaAA==
+  dependencies:
+    minipass "^3.1.1"
+
 stack-utils@^1.0.1:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/stack-utils/-/stack-utils-1.0.2.tgz#33eba3897788558bebfc2db059dc158ec36cebb8"
@@ -6363,6 +6377,11 @@ yallist@^3.0.0, yallist@^3.0.3:
   resolved "https://registry.yarnpkg.com/yallist/-/yallist-3.1.1.tgz#dbb7daf9bfd8bac9ab45ebf602b8cbad0d5d08fd"
   integrity sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==
 
+yallist@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/yallist/-/yallist-4.0.0.tgz#9bb92790d9c0effec63be73519e11a35019a3a72"
+  integrity sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==
+
 yaml@^1.3.2:
   version "1.7.2"
   resolved "https://registry.yarnpkg.com/yaml/-/yaml-1.7.2.tgz#f26aabf738590ab61efaca502358e48dc9f348b2"
