1
0

npm-shim.test.ts 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253
  1. /**
  2. * npm thin-installer launcher (`scripts/npm-shim.js`) tests.
  3. *
  4. * The shim runs on the user's own Node, locates the per-platform optionalDependency
  5. * bundle, and — when a registry mirror failed to deliver it (issue #303) — falls
  6. * back to downloading the bundle from GitHub Releases. These tests exercise that
  7. * shim as a real subprocess from a temp "main package" dir (its own package.json
  8. * + node_modules), so resolution and version lookup behave hermetically.
  9. *
  10. * The download/checksum paths run against a local self-signed HTTPS server via
  11. * CODEGRAPH_DOWNLOAD_BASE — no real network, no published release needed. The
  12. * shim is launched with async `spawn` (not spawnSync), so the test's event loop
  13. * stays free to serve those requests.
  14. *
  15. * POSIX only: the fake bundle launcher is a shell script and extraction uses the
  16. * system `tar`. Skipped on Windows (where the shim's exec path differs anyway).
  17. */
  18. import { describe, it, expect, beforeAll, afterAll } from 'vitest';
  19. import { spawn, execSync } from 'child_process';
  20. import * as https from 'https';
  21. import * as fs from 'fs';
  22. import * as os from 'os';
  23. import * as path from 'path';
  24. import * as crypto from 'crypto';
  25. import type { AddressInfo } from 'net';
  26. const SHIM_SRC = path.join(__dirname, '..', 'scripts', 'npm-shim.js');
  27. const target = `${process.platform}-${process.arch}`;
  28. const asset = `codegraph-${target}.tar.gz`;
  29. const isWindows = process.platform === 'win32';
  30. function hasOpenssl(): boolean {
  31. try { execSync('openssl version', { stdio: 'ignore' }); return true; } catch { return false; }
  32. }
  33. const CAN_NET = !isWindows && hasOpenssl();
  34. function mkTmp(label: string): string {
  35. return fs.mkdtempSync(path.join(os.tmpdir(), `cg-shim-${label}-`));
  36. }
  37. // A temp dir standing in for the installed @colbymchenry/codegraph main package.
  38. function makePkg(version = '9.9.9-test'): string {
  39. const dir = mkTmp('pkg');
  40. fs.copyFileSync(SHIM_SRC, path.join(dir, 'npm-shim.js'));
  41. fs.writeFileSync(path.join(dir, 'package.json'),
  42. JSON.stringify({ name: '@colbymchenry/codegraph', version }) + '\n');
  43. return dir;
  44. }
  45. // A fake bundle launcher that prints a marker + its args, so we can prove the
  46. // shim found and exec'd it (and passed args through).
  47. function writeLauncher(binDir: string): void {
  48. fs.mkdirSync(binDir, { recursive: true });
  49. const p = path.join(binDir, 'codegraph');
  50. fs.writeFileSync(p, '#!/bin/sh\necho "FAKE_BUNDLE_RAN args:$*"\n');
  51. fs.chmodSync(p, 0o755);
  52. }
  53. // Launch the shim with async spawn so the in-process HTTPS server can respond
  54. // while it runs (spawnSync would block this event loop and deadlock).
  55. function runShim(pkgDir: string, args: string[], env: Record<string, string>) {
  56. return new Promise<{ status: number | null; stdout: string; stderr: string }>((resolve) => {
  57. const child = spawn(process.execPath, [path.join(pkgDir, 'npm-shim.js'), ...args], {
  58. env: { ...process.env, ...env },
  59. });
  60. let stdout = '', stderr = '';
  61. child.stdout.on('data', (d) => { stdout += d.toString(); });
  62. child.stderr.on('data', (d) => { stderr += d.toString(); });
  63. child.on('close', (status) => resolve({ status, stdout, stderr }));
  64. });
  65. }
  66. describe.skipIf(isWindows)('npm-shim launcher', () => {
  67. it('runs the installed optional-dependency bundle without any download', async () => {
  68. const pkg = makePkg();
  69. const platformPkg = path.join(pkg, 'node_modules', '@colbymchenry', `codegraph-${target}`);
  70. writeLauncher(path.join(platformPkg, 'bin'));
  71. fs.writeFileSync(path.join(platformPkg, 'package.json'),
  72. JSON.stringify({ name: `@colbymchenry/codegraph-${target}`, version: '9.9.9-test' }) + '\n');
  73. const cache = mkTmp('cache');
  74. const r = await runShim(pkg, ['--probe-abc'], { CODEGRAPH_INSTALL_DIR: cache });
  75. expect(r.status).toBe(0);
  76. expect(r.stdout).toContain('FAKE_BUNDLE_RAN');
  77. expect(r.stdout).toContain('--probe-abc'); // args passed through
  78. expect(r.stderr).not.toContain('downloading'); // never reached the fallback
  79. expect(fs.existsSync(path.join(cache, 'bundles'))).toBe(false);
  80. });
  81. it('uses an already-cached bundle even when downloads are disabled', async () => {
  82. const pkg = makePkg('1.2.3-cached');
  83. const cache = mkTmp('cache');
  84. writeLauncher(path.join(cache, 'bundles', `${target}-1.2.3-cached`, 'bin'));
  85. const r = await runShim(pkg, ['--probe-xyz'], {
  86. CODEGRAPH_INSTALL_DIR: cache,
  87. CODEGRAPH_NO_DOWNLOAD: '1',
  88. });
  89. expect(r.status).toBe(0);
  90. expect(r.stdout).toContain('FAKE_BUNDLE_RAN');
  91. expect(r.stdout).toContain('--probe-xyz');
  92. expect(r.stderr).toBe('');
  93. });
  94. it('prunes older cached bundles for this target, keeping the current one (#1074)', async () => {
  95. const pkg = makePkg('2.0.0-keep');
  96. const cache = mkTmp('cache');
  97. const bundles = path.join(cache, 'bundles');
  98. // current (matches pkg version) + an older bundle for the same target
  99. writeLauncher(path.join(bundles, `${target}-2.0.0-keep`, 'bin'));
  100. writeLauncher(path.join(bundles, `${target}-1.0.0-old`, 'bin'));
  101. // a different platform's bundle and an in-flight staging dir must survive
  102. const otherTarget = target === 'linux-x64' ? 'darwin-arm64' : 'linux-x64';
  103. writeLauncher(path.join(bundles, `${otherTarget}-1.0.0`, 'bin'));
  104. fs.mkdirSync(path.join(bundles, '.dl-inflight'), { recursive: true });
  105. const r = await runShim(pkg, ['--probe-prune'], {
  106. CODEGRAPH_INSTALL_DIR: cache,
  107. CODEGRAPH_NO_DOWNLOAD: '1',
  108. });
  109. expect(r.status).toBe(0);
  110. expect(r.stdout).toContain('FAKE_BUNDLE_RAN');
  111. // older same-target bundle pruned; current kept
  112. expect(fs.existsSync(path.join(bundles, `${target}-1.0.0-old`))).toBe(false);
  113. expect(fs.existsSync(path.join(bundles, `${target}-2.0.0-keep`))).toBe(true);
  114. // unrelated target + staging dir untouched
  115. expect(fs.existsSync(path.join(bundles, `${otherTarget}-1.0.0`))).toBe(true);
  116. expect(fs.existsSync(path.join(bundles, '.dl-inflight'))).toBe(true);
  117. });
  118. it('prints actionable guidance and exits 1 when disabled with no bundle', async () => {
  119. const pkg = makePkg();
  120. const r = await runShim(pkg, ['--version'], {
  121. CODEGRAPH_INSTALL_DIR: mkTmp('cache'),
  122. CODEGRAPH_NO_DOWNLOAD: '1',
  123. });
  124. expect(r.status).toBe(1);
  125. expect(r.stderr).toContain(`no prebuilt bundle for ${target}`);
  126. expect(r.stderr).toContain(`@colbymchenry/codegraph-${target}`);
  127. expect(r.stderr).toContain('--registry=https://registry.npmjs.org');
  128. expect(r.stderr).toContain('install.sh');
  129. });
  130. });
  131. describe.skipIf(!CAN_NET)('npm-shim download fallback (local HTTPS)', () => {
  132. let server: https.Server;
  133. let port = 0;
  134. let fixtureBytes: Buffer;
  135. let fixtureSha: string;
  136. let sumsBody: string | null = null; // per-test: SHA256SUMS contents, or null for 404
  137. beforeAll(async () => {
  138. // Self-signed cert for the mock release host.
  139. const cdir = mkTmp('tls');
  140. const keyP = path.join(cdir, 'key.pem');
  141. const certP = path.join(cdir, 'cert.pem');
  142. execSync(
  143. `openssl req -x509 -newkey rsa:2048 -nodes -keyout ${keyP} -out ${certP} -days 1 -subj "/CN=localhost"`,
  144. { stdio: 'ignore' },
  145. );
  146. // Build a fake bundle archive (codegraph-<target>/bin/codegraph), like a real release asset.
  147. const work = mkTmp('fixture');
  148. writeLauncher(path.join(work, `codegraph-${target}`, 'bin'));
  149. const archive = path.join(work, asset);
  150. execSync(`tar -czf ${JSON.stringify(archive)} -C ${JSON.stringify(work)} codegraph-${target}`);
  151. fixtureBytes = fs.readFileSync(archive);
  152. fixtureSha = crypto.createHash('sha256').update(fixtureBytes).digest('hex');
  153. server = https.createServer({ key: fs.readFileSync(keyP), cert: fs.readFileSync(certP) }, (req, res) => {
  154. const url = req.url || '';
  155. if (url.endsWith(`/${asset}`)) {
  156. res.writeHead(200); res.end(fixtureBytes);
  157. } else if (url.endsWith('/SHA256SUMS')) {
  158. if (sumsBody === null) { res.writeHead(404); res.end('not found'); }
  159. else { res.writeHead(200); res.end(sumsBody); }
  160. } else {
  161. res.writeHead(404); res.end('not found');
  162. }
  163. });
  164. await new Promise<void>((resolve) => server.listen(0, '127.0.0.1', resolve));
  165. port = (server.address() as AddressInfo).port;
  166. }, 30000);
  167. afterAll(() => { server?.close(); });
  168. function netEnv(cache: string): Record<string, string> {
  169. return {
  170. CODEGRAPH_INSTALL_DIR: cache,
  171. CODEGRAPH_DOWNLOAD_BASE: `https://127.0.0.1:${port}`,
  172. NODE_TLS_REJECT_UNAUTHORIZED: '0',
  173. };
  174. }
  175. it('downloads, verifies the checksum, extracts, and execs the bundle', async () => {
  176. sumsBody = `${fixtureSha} ${asset}\n`;
  177. const pkg = makePkg('5.0.0-net');
  178. const cache = mkTmp('cache');
  179. const r = await runShim(pkg, ['--probe-net'], netEnv(cache));
  180. expect(r.stderr).toContain('downloading');
  181. expect(r.stderr).toContain('checksum verified');
  182. expect(r.status).toBe(0);
  183. expect(r.stdout).toContain('FAKE_BUNDLE_RAN');
  184. expect(r.stdout).toContain('--probe-net');
  185. expect(fs.existsSync(path.join(cache, 'bundles', `${target}-5.0.0-net`, 'bin', 'codegraph'))).toBe(true);
  186. }, 20000);
  187. it('prunes older cached bundles after downloading a new one (#1074)', async () => {
  188. sumsBody = `${fixtureSha} ${asset}\n`;
  189. const pkg = makePkg('6.0.0-new');
  190. const cache = mkTmp('cache');
  191. const bundles = path.join(cache, 'bundles');
  192. // a stale bundle from a previous version (same target) left by an earlier run
  193. writeLauncher(path.join(bundles, `${target}-5.0.0-stale`, 'bin'));
  194. const r = await runShim(pkg, ['--probe-newdl'], netEnv(cache));
  195. expect(r.status).toBe(0);
  196. expect(r.stderr).toContain('downloading');
  197. expect(r.stdout).toContain('FAKE_BUNDLE_RAN');
  198. // freshly downloaded version present, stale one pruned
  199. expect(fs.existsSync(path.join(bundles, `${target}-6.0.0-new`, 'bin', 'codegraph'))).toBe(true);
  200. expect(fs.existsSync(path.join(bundles, `${target}-5.0.0-stale`))).toBe(false);
  201. }, 20000);
  202. it('aborts (exit 1) on a checksum mismatch and caches nothing', async () => {
  203. sumsBody = `${'0'.repeat(64)} ${asset}\n`;
  204. const pkg = makePkg('5.0.0-bad');
  205. const cache = mkTmp('cache');
  206. const r = await runShim(pkg, ['--version'], netEnv(cache));
  207. expect(r.status).toBe(1);
  208. expect(r.stderr).toContain('checksum mismatch');
  209. expect(r.stdout).not.toContain('FAKE_BUNDLE_RAN'); // never exec'd a tampered bundle
  210. expect(fs.existsSync(path.join(cache, 'bundles', `${target}-5.0.0-bad`))).toBe(false);
  211. }, 20000);
  212. it('proceeds when no SHA256SUMS is published (older releases)', async () => {
  213. sumsBody = null; // 404
  214. const pkg = makePkg('5.0.0-nosums');
  215. const cache = mkTmp('cache');
  216. const r = await runShim(pkg, ['--version'], netEnv(cache));
  217. expect(r.status).toBe(0);
  218. expect(r.stderr).toContain('downloading');
  219. expect(r.stderr).not.toContain('checksum verified'); // skipped, not failed
  220. expect(r.stdout).toContain('FAKE_BUNDLE_RAN');
  221. }, 20000);
  222. });