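// Implementation example (实现示例)

/**
 * One dependency entry to be audited: package name, pinned version string,
 * the expected content hash (64 hex characters, see hex64) and an optional
 * download URL (checked by validUrl when present).
 */
type Req = { name: string; version: string; hash: string; url?: string }

/**
 * Hosts a download URL may point to. Matched by exact equality against
 * `URL.host` in validUrl, so a non-default port in the URL is not matched.
 */
const allowHosts = new Set<string>(['pypi.org','files.pythonhosted.org','pypi.example.com'])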
/**
 * Whether `h` consists of exactly 64 hexadecimal characters (either letter case).
 * Used by evaluate() to validate the recorded hash of each requirement.
 */
function hex64(h: string): boolean {
  const digestPattern = /^[0-9a-fA-F]{64}$/
  return digestPattern.test(h)
}
/**
 * Whether an optional download URL is acceptable. An absent (or empty) URL passes;
 * a present URL must parse, use the `https:` scheme and have a `host` that is in
 * `allowHosts` by exact match. Because `URL.host` includes a non-default port,
 * a URL such as `https://pypi.org:8443/` is rejected. Unparsable input yields
 * false rather than throwing.
 */
function validUrl(u?: string): boolean {
  if (!u) return true
  let parsed: URL
  try {
    parsed = new URL(u)
  } catch {
    return false
  }
  if (parsed.protocol !== 'https:') return false
  return allowHosts.has(parsed.host)
}
/**
 * Loose semver check: three dot-separated digit groups, optionally followed by a
 * suffix made of letters, digits, `-`, `_` or `.` (e.g. `1.2.3`, `1.2.3-rc1`,
 * `1.2.3.post1`). A leading `v` or a `+build` metadata part is not accepted.
 */
function semverLike(v: string): boolean {
  // `\w` is [A-Za-z0-9_] in a non-unicode regex, so this is the same character set.
  const pattern = /^\d+\.\d+\.\d+(?:[-\w.]+)?$/
  return pattern.test(v)
}
/**
 * Audits a list of requirements and collects one error tag per failed check.
 * For each entry, in input order: `id:<name>` when the name is empty or the
 * version is not semver-like, `hash:<name>` when the hash is not 64 hex
 * characters, and `url:<name>` when a download URL is present but is not an
 * allowed https URL. `ok` is true only when no tag was recorded.
 *
 * @param list requirements to audit; an empty list is ok
 * @returns `ok` flag plus the list of error tags
 */
function evaluate(list: Req[]): { ok: boolean; errors: string[] } {
  const errors = list.flatMap((req) => {
    const failed: string[] = []
    if (!req.name || !semverLike(req.version)) failed.push(`id:${req.name}`)
    if (!hex64(req.hash)) failed.push(`hash:${req.name}`)
    if (!validUrl(req.url)) failed.push(`url:${req.name}`)
    return failed
  })
  return { ok: errors.length === 0, errors }
}
审计与运行治理

审计哈希与来源；构建安装必须启用 `--require-hashes` 并拒绝缺失哈希项。来源变更需审批与记录，支持回溯。
