Vendoring关键依赖与差异审计治理（签名-diff-更新门禁）最佳实践

实现示例type Vendor = { name: string; version: string; files: { path: string; sha256: string }[] } function hex64(h: string): boolean { return /^[A-Fa-f0-9]{64}$/.test(h) } function valid(v: Vendor): boolean { return !!v.name && !!v.version && v.files.length > 0 && v.files.every(f => !!f.path && hex64(f.sha256)) } function diffVendor(prev: Vendor, next: Vendor): { added: string[]; removed: string[]; changed: string[] } { const mp = new Map(prev.files.map(f => [f.path, f.sha256])) const mn = new Map(next.files.map(f => [f.path, f.sha256])) const added: string[] = [] const removed: string[] = [] const changed: string[] = [] for (const p of mn.keys()) if (!mp.has(p)) added.push(p) for (const p of mp.keys()) if (!mn.has(p)) removed.push(p) for (const p of mn.keys()) { const a = mp.get(p) const b = mn.get(p) if (a && b && a.toLowerCase() !== b.toLowerCase()) changed.push(p) } return { added, removed, changed } } 审计与更新门禁变更必须通过差异审计与签名校验；高风险变更需双人审批。发布产线使用 vendoring 版本；外部源更新需入库与审计。