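// Key points: source allowlist and `https` enforcement; certificate-fingerprint and
// SRI hash verification. An anomaly blocks the install and falls back to the most recent
// trusted mirror; audit records and evidence are kept.
//
// Implementation example
//
// What this module does and does NOT do:
//  - `isHttpsUrl` / `sourceValid` check *policy shape*: https, allowlisted origin, no embedded
//    credentials, well-formed SRI string. They do not touch the network or the bytes.
//  - `integrityMatches` compares a digest the caller computed over the exact bytes it is about
//    to install against the SRI value. Computing the digest (node:crypto / WebCrypto) is the
//    caller's job; a lockfile `integrity` field that merely *parses* proves nothing.
//  - `certPinMatches` compares a TLS leaf-certificate SHA-256 fingerprint to the configured pin.
//    The fingerprint must come from the TLS layer (e.g. the peer certificate in
//    `checkServerIdentity`); this module cannot observe it on its own.

/** A registry/mirror endpoint. `certSha256` is an optional TLS certificate pin (hex, colons allowed). */
type Source = { url: string; certSha256?: string };

/** One lockfile entry: where it resolves to and the SRI string for its tarball. */
type Entry = { name: string; version: string; resolved: string; integrity: string };

/** SRI hash algorithms permitted by the spec; md5/sha1 are intentionally not accepted. */
type SriAlg = 'sha256' | 'sha384' | 'sha512';

/** Exact base64 length of a raw digest for each SRI algorithm (32/48/64 bytes, padded). */
const SRI_DIGEST_LEN: Record<SriAlg, number> = { sha256: 44, sha384: 64, sha512: 88 };

/** Strict base64: whole 4-char groups, padding only at the end. */
const B64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

/** `<alg>-<base64>`; a single hash only (SRI's space-separated multi-hash form is rejected). */
const SRI_RE = /^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)$/;

/** Origins (scheme + host + port) that package tarballs may be fetched from. */
const allowOrigins = new Set<string>(['https://registry.npmjs.org', 'https://registry.example.com']);

/** Parses `u`; returns its origin, or null when it is not an absolute URL. */
function originOf(u: string): string | null {
  try {
    return new URL(u).origin;
  } catch {
    return null;
  }
}

/**
 * True when `u` is an absolute https URL whose origin is allowlisted and which carries no
 * embedded credentials.
 *
 * Credentials are rejected explicitly because `URL.origin` drops them: without this check
 * `https://user:token@registry.npmjs.org/...` would pass the allowlist while leaking a token
 * into lockfiles and logs.
 */
function isHttpsUrl(u: string): boolean {
  let url: URL;
  try {
    url = new URL(u);
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  if (url.username !== '' || url.password !== '') return false;
  return allowOrigins.has(url.origin);
}

/**
 * Parses a single SRI value (`sha256-…`, `sha384-…` or `sha512-…`).
 *
 * Returns the algorithm and base64 digest, or null when the string is not exactly one
 * permitted algorithm followed by a strictly valid base64 digest of the right length.
 * The length check rejects truncated/padded-in-the-middle digests that a loose `[A-Za-z0-9+/=]+`
 * match would accept. Note that npm lockfiles emit `sha512-…` by default, so accepting only
 * sha256 would reject real registry metadata.
 */
function parseSri(integrity: string): { alg: SriAlg; b64: string } | null {
  const m = SRI_RE.exec(integrity);
  if (!m) return null;
  const algText = m[1];
  const b64 = m[2];
  if (algText !== 'sha256' && algText !== 'sha384' && algText !== 'sha512') return null;
  if (b64.length !== SRI_DIGEST_LEN[algText] || !B64_RE.test(b64)) return null;
  return { alg: algText, b64 };
}

/**
 * Policy check for a lockfile entry: allowlisted https `resolved` URL and a well-formed
 * `integrity` string. This does not verify content; call `integrityMatches` after download.
 */
function sourceValid(e: Entry): boolean {
  return isHttpsUrl(e.resolved) && parseSri(e.integrity) !== null;
}

/**
 * Compares the SRI value from the lockfile with a digest the caller computed over the
 * downloaded bytes (`observedDigestB64` must be standard padded base64 of the raw hash,
 * computed with `alg`). Both the algorithm and the digest must match so a digest produced
 * with a different hash can never satisfy the pin.
 */
function integrityMatches(integrity: string, alg: SriAlg, observedDigestB64: string): boolean {
  const parsed = parseSri(integrity);
  if (parsed === null || parsed.alg !== alg) return false;
  return parsed.b64 === observedDigestB64;
}

/** Lower-cases a SHA-256 hex fingerprint and strips separators; null unless exactly 64 hex digits. */
function normalizeFingerprint(fp: string): string | null {
  const hex = fp.replace(/[:\s]/g, '').toLowerCase();
  return /^[0-9a-f]{64}$/.test(hex) ? hex : null;
}

/**
 * True only when `source` carries a pin and `observedCertSha256` (the SHA-256 fingerprint of the
 * TLS leaf certificate actually presented) matches it. A source with no pin configured yields
 * false (fail closed); whether unpinned sources are tolerated is a policy decision for the caller.
 */
function certPinMatches(source: Source, observedCertSha256: string): boolean {
  if (source.certSha256 === undefined) return false;
  const expected = normalizeFingerprint(source.certSha256);
  const observed = normalizeFingerprint(observedCertSha256);
  return expected !== null && observed !== null && expected === observed;
}

/**
 * Picks the first candidate mirror that passes `isHttpsUrl` and is on a different origin than
 * `current`, the source that just failed. Returns null when no such mirror exists.
 *
 * Skipping `current`'s origin is what makes this a fallback: the previous version ignored
 * `current` and could hand back the very mirror that had just been blocked.
 */
function fallback(current: string, candidates: string[]): string | null {
  const failedOrigin = originOf(current);
  for (const candidate of candidates) {
    if (!isHttpsUrl(candidate)) continue;
    if (failedOrigin !== null && originOf(candidate) === failedOrigin) continue;
    return candidate;
  }
  return null;
}

// Audit and operational governance: the audit record includes the source, the evidence and the
// fallback mirror; while an incident is open use read-only tokens and enforce hashes. Changing a
// source requires approval; once the fallback period ends, re-run a full integrity review.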
