Make release:npm script more robust

jdalton · jdalton · commit 1642534c863b · 2025-09-18T17:54:32.000-04:00
diff --git a/scripts/release-npm-packages.js b/scripts/release-npm-packages.js
@@ -1,23 +1,27 @@
 'use strict'
 
+const crypto = require('node:crypto')
+const fs = require('node:fs/promises')
 const path = require('node:path')
 
 const semver = require('semver')
-const ssri = require('ssri')
 
 const constants = require('@socketregistry/scripts/constants')
 const { execScript } = require('@socketsecurity/registry/lib/agent')
 const {
+  extractPackage,
   fetchPackageManifest,
   getReleaseTag,
-  packPackage,
   readPackageJson
 } = require('@socketsecurity/registry/lib/packages')
 const { readPackageJsonSync } = require('@socketsecurity/registry/lib/packages')
+const { readFileUtf8 } = require('@socketsecurity/registry/lib/fs')
 const { pEach } = require('@socketsecurity/registry/lib/promises')
+const { toSortedObject } = require('@socketsecurity/registry/lib/objects')
 
 const {
   LATEST,
+  PACKAGE_JSON,
   SOCKET_REGISTRY_PACKAGE_NAME,
   SOCKET_REGISTRY_SCOPE,
   abortSignal,
@@ -32,6 +36,49 @@ const registryPkg = packageData({
   path: registryPkgPath
 })
 
+const EXTRACT_PACKAGE_TMP_PREFIX = 'release-npm-'
+
+async function getPackageFileHashes(spec) {
+  const fileHashes = {}
+
+  // Extract package to a temp directory and compute hashes.
+  await extractPackage(
+    spec,
+    {
+      tmpPrefix: EXTRACT_PACKAGE_TMP_PREFIX
+    },
+    async tmpDir => {
+      // Walk the directory and compute hashes for all files.
+      async function walkDir(dir, baseDir = tmpDir) {
+        const entries = await fs.readdir(dir, { withFileTypes: true })
+        for (const entry of entries) {
+          const fullPath = path.join(dir, entry.name)
+          const relativePath = path.relative(baseDir, fullPath)
+
+          if (entry.isDirectory()) {
+            // Recurse into subdirectories.
+            // eslint-disable-next-line no-await-in-loop
+            await walkDir(fullPath, baseDir)
+          } else if (entry.isFile() && entry.name !== PACKAGE_JSON) {
+            // Skip package.json files as they contain version info.
+            // eslint-disable-next-line no-await-in-loop
+            const content = await readFileUtf8(fullPath)
+            const hash = crypto
+              .createHash('sha256')
+              .update(content, 'utf8')
+              .digest('hex')
+            fileHashes[relativePath] = hash
+          }
+        }
+      }
+
+      await walkDir(tmpDir)
+    }
+  )
+
+  return toSortedObject(fileHashes)
+}
+
 async function hasPackageChanged(pkg, manifest_) {
   const manifest =
     manifest_ ?? (await fetchPackageManifest(`${pkg.name}@${pkg.tag}`))
@@ -46,22 +93,11 @@ async function hasPackageChanged(pkg, manifest_) {
   const localPkgJson = readPackageJsonSync(pkg.path)
 
   // Check if dependencies have changed.
-  const localDeps = localPkgJson.dependencies ?? {}
-  const remoteDeps = manifest.dependencies ?? {}
-
-  // Sort keys for consistent comparison.
-  const sortedLocalDeps = Object.keys(localDeps).sort().reduce((acc, key) => {
-    acc[key] = localDeps[key]
-    return acc
-  }, {})
+  const localDeps = toSortedObject(localPkgJson.dependencies ?? {})
+  const remoteDeps = toSortedObject(manifest.dependencies ?? {})
 
-  const sortedRemoteDeps = Object.keys(remoteDeps).sort().reduce((acc, key) => {
-    acc[key] = remoteDeps[key]
-    return acc
-  }, {})
-
-  const localDepsStr = JSON.stringify(sortedLocalDeps)
-  const remoteDepsStr = JSON.stringify(sortedRemoteDeps)
+  const localDepsStr = JSON.stringify(localDeps)
+  const remoteDepsStr = JSON.stringify(remoteDeps)
 
   // If dependencies changed, we need to bump.
   if (localDepsStr !== remoteDepsStr) {
@@ -78,10 +114,35 @@ async function hasPackageChanged(pkg, manifest_) {
     }
   }
 
-  // Skip tarball comparison entirely - it's too prone to false positives.
-  // If dependencies and key fields haven't changed, assume no bump is needed.
-  // The build process and manifest update will handle any actual code changes.
-  return false
+  // Compare actual file contents by extracting packages and comparing SHA hashes.
+  try {
+    const { 0: remoteHashes, 1: localHashes } = await Promise.all([
+      getPackageFileHashes(`${pkg.name}@${manifest.version}`),
+      getPackageFileHashes(pkg.path, true)
+    ])
+
+    // Compare the file hashes.
+    const remoteFiles = Object.keys(remoteHashes)
+    const localFiles = Object.keys(localHashes)
+
+    // Check if file lists are different.
+    if (JSON.stringify(remoteFiles) !== JSON.stringify(localFiles)) {
+      return true
+    }
+
+    // Check if any file content is different.
+    for (const file of remoteFiles) {
+      if (remoteHashes[file] !== localHashes[file]) {
+        return true
+      }
+    }
+
+    return false
+  } catch (e) {
+    // If comparison fails, be conservative and assume changes.
+    console.error(`Error comparing packages for ${pkg.name}:`, e?.message)
+    return true
+  }
 }
 
 async function maybeBumpPackage(pkg, options = {}) {
