npm/postinstall.js downloads the release tarball from GitHub Releases but never validates its digest:
$ grep -in 'checksum\|sha256\|hash' npm/postinstall.js
74: console.log('optiqor: ready. Run `optiqor --version` to verify.');only match is a log line. goreleaser already produces checksums.txt in every release. nothing in the install path uses it.
result: anyone who can intercept the download (mitm, hijacked release asset, compromised mirror) ships arbitrary binaries to every npm install -g @optiqor/cli user. this is the exact supply-chain risk the README pitches against ("All release artifacts are signed with Cosign").
scope:
- fetch
checksums.txt from the same release tag
- hash the downloaded tarball:
crypto.createHash('sha256').update(buf).digest('hex')
- compare against the entry in
checksums.txt matching the archive filename
- on mismatch, delete the tarball and fail loud (
process.exit(1))
bonus: cosign-verify checksums.txt itself. cosign is already in the goreleaser pipeline, so the public key + signature exist in the release. that closes the loop the README claims.
npm/postinstall.jsdownloads the release tarball from GitHub Releases but never validates its digest:only match is a log line. goreleaser already produces
checksums.txtin every release. nothing in the install path uses it.result: anyone who can intercept the download (mitm, hijacked release asset, compromised mirror) ships arbitrary binaries to every
npm install -g @optiqor/cliuser. this is the exact supply-chain risk the README pitches against ("All release artifacts are signed with Cosign").scope:
checksums.txtfrom the same release tagcrypto.createHash('sha256').update(buf).digest('hex')checksums.txtmatching the archive filenameprocess.exit(1))bonus: cosign-verify
checksums.txtitself. cosign is already in the goreleaser pipeline, so the public key + signature exist in the release. that closes the loop the README claims.