vrr/qwen-code
2
0
Fork 0
mirror of https://github.com/QwenLM/qwen-code.git synced 2026-05-18 14:49:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 13
qwen-code/scripts/tests/install-script.test.js

2207 lines
74 KiB
JavaScript
Raw Blame History

/**
* @license
* Copyright 2025 Qwen Team
* SPDX-License-Identifier: Apache-2.0
*/
import { describe, expect, it, vi } from 'vitest';
const {
appendFileSync,
chmodSync,
existsSync,
lstatSync,
mkdirSync,
mkdtempSync,
readFileSync,
rmSync,
symlinkSync,
writeFileSync,
} = await vi.importActual('node:fs');
const { execFileSync } = await vi.importActual('node:child_process');
const crypto = await vi.importActual('node:crypto');
const { tmpdir } = await vi.importActual('node:os');
const path = await vi.importActual('node:path');
const { pathToFileURL } = await vi.importActual('node:url');
const readScript = (path) => readFileSync(path, 'utf8');
const standaloneReleaseScriptUrl = pathToFileURL(
path.resolve('scripts/build-standalone-release.js'),
).href;
const hostedInstallationScriptUrl = pathToFileURL(
path.resolve('scripts/build-hosted-installation-assets.js'),
).href;
const installationReleaseVerificationScriptUrl = pathToFileURL(
path.resolve('scripts/verify-installation-release.js'),
).href;
const releaseScriptUtilsUrl = pathToFileURL(
path.resolve('scripts/release-script-utils.js'),
).href;
// These E2E cases execute the Unix shell installer and POSIX symlink behavior.
// Windows batch behavior has separate Windows-only E2E coverage below.
const itOnUnix = process.platform === 'win32' ? it.skip : it;
const itOnWindows = process.platform === 'win32' ? it : it.skip;
vi.setConfig({ testTimeout: 30_000 });
describe('installation scripts', () => {
it('keeps the Linux/macOS installer lightweight', () => {
const script = readScript(
'scripts/installation/install-qwen-standalone.sh',
);
expect(script).not.toContain('install_nvm');
expect(script).not.toContain('install_nvm.sh');
expect(script).not.toContain('nvm install');
expect(script).not.toContain('NVM_NODEJS_ORG_MIRROR');
expect(script).not.toContain('npm config set prefix');
expect(script).not.toContain('clean_npmrc_conflict');
expect(script).not.toContain('.npmrc');
expect(script).not.toContain('.npm-global');
expect(script).not.toMatch(/^\s*exec\s+qwen\s*$/m);
expect(script).not.toContain('--print-env');
expect(script).not.toMatch(/brew install node@\d+/);
expect(script).toContain('brew install node');
expect(script).toContain(
'--source may only contain letters, numbers, dot, underscore, or dash',
);
expect(script).toContain('Node.js 22 or newer is required');
expect(script).toContain(
'npm install -g @qwen-code/qwen-code@latest --registry',
);
expect(script).toContain('You can now run: qwen');
});
it('supports code-server-style standalone install on Linux/macOS', () => {
const script = readScript(
'scripts/installation/install-qwen-standalone.sh',
);
expect(script).toContain('--method METHOD');
expect(script).toContain('--mirror MIRROR');
expect(script).toContain('--base-url URL');
expect(script).toContain('--archive PATH');
expect(script).toContain('install_standalone()');
expect(script).toContain('install_npm()');
expect(script).toContain('detect_target()');
expect(script).toContain('verify_checksum()');
expect(script).toContain('SHA256SUMS not found; cannot verify archive');
expect(script).toContain('awk -v archive_name');
expect(script).not.toContain(
'grep -E "(^|[[:space:]])[*]?${archive_name}$"',
);
expect(script).toContain('validate_archive_contents()');
expect(script).toContain('Archive contains unsafe path');
expect(script).toContain('qwen-code-${target}');
expect(script).toContain('*.tar.xz)');
expect(script).toContain('METHOD="${METHOD:-detect}"');
expect(script).toContain('must start with https://');
expect(script).toContain('Falling back to npm installation');
expect(script).toContain('standalone_status=$?');
expect(script).toContain('[[ "${standalone_status}" -eq 2 ]]');
expect(script).toContain(
'Standalone install failed. Retry with --method npm',
);
expect(script).not.toContain('ln -sf "${INSTALL_LIB_DIR}/bin/qwen"');
expect(script).toContain('shell_quote()');
expect(script).toContain('exec ${quoted_qwen_bin} "\\$@"');
expect(script).toContain('validate_version()');
expect(script).toContain('validate_install_path');
expect(script).toContain('validate_https_url "${NPM_REGISTRY}"');
expect(script).toContain('qwen-code/node/bin/node');
expect(script).toContain('Archive contains symlinks; refusing to install');
expect(script).toContain('not a Qwen Code standalone install');
expect(script).toContain(
'Return 2 only when a standalone archive is unavailable',
);
expect(script).toContain('npm fallback also failed');
expect(script).toContain(
'unzip -q "${archive_path}" -d "${destination}" || return 1',
);
expect(script).toContain(
'tar -xzf "${archive_path}" -C "${destination}" || return 1',
);
expect(script).toContain('wget -q --tries=3 "${url}" -O "${destination}"');
expect(script).toContain('TEMP_DIRS+=');
expect(script).toContain('validate_github_repo()');
expect(script).toContain(
'QWEN_INSTALL_GITHUB_REPO must be in owner/repo format',
);
expect(script).toContain('set -gx PATH ${quoted_install_bin_dir} \\$PATH');
expect(script).toContain('export PATH=${quoted_install_bin_dir}:\\$PATH');
expect(script).toContain('curl -fsIL -m "${timeout}"');
expect(script).not.toContain('-print -quit');
});
it('keeps the Windows installer lightweight', () => {
const script = readScript(
'scripts/installation/install-qwen-standalone.bat',
);
expect(script).not.toContain('InstallNodeJSDirectly');
expect(script).not.toContain('node-v!NODE_VERSION!');
expect(script).not.toContain('msiexec');
expect(script).toContain('Invoke-WebRequest');
expect(script).not.toContain('PowerShell (Administrator)');
expect(script).not.toContain('echo INFO: Installation source: %SOURCE%');
expect(script).not.toMatch(/^\s*call\s+qwen\s*$/m);
expect(script).toContain(':ValidateSource');
expect(script).toContain(':PrintUsage');
expect(script).toContain('findstr /R');
expect(script).toContain(
'--source may only contain letters, numbers, dot, underscore, or dash',
);
expect(script).toContain('Node.js 22 or newer is required');
expect(script).toContain('Please install Node.js');
expect(script).toContain(
'npm install -g @qwen-code/qwen-code@latest --registry',
);
expect(script).toContain('You can now run: qwen');
});
it('supports code-server-style standalone install on Windows', () => {
const script = readScript(
'scripts/installation/install-qwen-standalone.bat',
);
expect(script).toContain('--method METHOD');
expect(script).toContain('--mirror MIRROR');
expect(script).toContain('--base-url URL');
expect(script).toContain('--archive PATH');
expect(script).toContain(':InstallStandalone');
expect(script).toContain(':InstallNpm');
expect(script).toContain(':VerifyChecksum');
expect(script).toContain('SHA256SUMS not found; cannot verify archive');
expect(script).toContain('Get-FileHash -Algorithm SHA256');
expect(script).toContain('tokens=1,2');
expect(script).toContain('CHECKSUM_NAME');
expect(script).toContain('if "!CHECKSUM_NAME!"=="!ARCHIVE_NAME!"');
expect(script).not.toContain('findstr /C:"!ARCHIVE_NAME!"');
expect(script).not.toContain('certutil -hashfile');
expect(script).toContain('qwen-code-win-x64.zip');
expect(script).toContain('Expand-Archive');
expect(script).toContain('$env:QWEN_DOWNLOAD_URL');
expect(script).toContain('$env:QWEN_ARCHIVE_FILE');
expect(script).toContain(
'if defined QWEN_INSTALL_ROOT set "INSTALL_BASE=!QWEN_INSTALL_ROOT!"',
);
expect(script).not.toContain('%QWEN_INSTALL_ROOT%');
expect(script).toContain('set "QWEN_VALIDATE_INSTALL_BASE=!INSTALL_BASE!"');
expect(script).toContain(
'installer options contain unsafe command characters',
);
expect(script).not.toContain('-EncodedCommand');
expect(script).toContain('QWEN_VALIDATE_OPTIONS_SCRIPT');
expect(script).toContain('$unsafe = [char[]](10,13,33,34');
expect(script).toContain(
'powershell -NoProfile -ExecutionPolicy Bypass -File "!QWEN_VALIDATE_OPTIONS_SCRIPT!"',
);
expect(script).toContain('if "!INSTALL_BASE:~1,2!"==":/"');
expect(script).toContain('if "!INSTALL_DIR:~1,2!"==":/"');
expect(script).toContain('if "!INSTALL_BIN_DIR:~1,2!"==":/"');
expect(script).toContain(':ValidateVersion');
expect(script).toContain(
'call :ValidateHttpsUrlVar "NPM_REGISTRY" "--registry"',
);
expect(script).toContain("$ErrorActionPreference = 'Stop'; try");
expect(script).toContain(
'[Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13',
);
expect(script).toContain(
'$request = [Net.WebRequest]::Create($env:QWEN_CHECK_URL)',
);
expect(script).toContain('must start with https://');
expect(script).toContain('Falling back to npm installation');
expect(script).toContain('set "STANDALONE_STATUS=!ERRORLEVEL!"');
expect(script).toContain('if !STANDALONE_STATUS! EQU 2');
expect(script).toContain('set "ARG_KEY=%~1"');
expect(script).toContain('set "ARG_HAS_INLINE_VALUE=0"');
expect(script).toContain('if "!ARG_HAS_INLINE_VALUE!"=="1"');
expect(script).toContain('if /i "!ARG_KEY!"=="--version"');
expect(script).toContain('$value -match');
expect(script).toContain('QWEN_INSTALL_GITHUB_REPO');
expect(script).toContain(
'QWEN_INSTALL_GITHUB_REPO must be in owner/repo format',
);
expect(script).toContain(
'Standalone install failed. Retry with --method npm',
);
expect(script).toContain('qwen-code\\node\\node.exe');
expect(script).toContain('Archive contains symlinks or reparse points');
expect(script).toContain('unsafe path with control character');
expect(script).toContain('Failed to update user PATH');
expect(script).toContain('QWEN_INSTALL_ROOT');
expect(script).toContain('npm fallback also failed');
expect(script).toContain(':CreateTempFile');
expect(script).not.toContain('%RANDOM%');
});
it('checks out the Windows standalone batch installer with CRLF line endings', () => {
const attrs = execFileSync(
'git',
[
'check-attr',
'eol',
'--',
'scripts/installation/install-qwen-standalone.bat',
],
{ encoding: 'utf8' },
);
expect(attrs).toContain(
'scripts/installation/install-qwen-standalone.bat: eol: crlf',
);
});
});
describe('release-script-utils', () => {
it('parses SHA256SUMS with BOM, empty lines, and CRLF', async () => {
const { parseSha256Sums } = await import(releaseScriptUtilsUrl);
const checksums = parseSha256Sums(
`\uFEFF${'a'.repeat(64)} install-qwen-standalone.sh\n\n${'b'.repeat(64)} *install-qwen-standalone.bat\r\n${'c'.repeat(64)} install-qwen-standalone.ps1\n`,
);
expect(checksums.get('install-qwen-standalone.sh')).toBe('a'.repeat(64));
expect(checksums.get('install-qwen-standalone.bat')).toBe('b'.repeat(64));
expect(checksums.get('install-qwen-standalone.ps1')).toBe('c'.repeat(64));
});
it('rejects malformed SHA256SUMS entries', async () => {
const { parseSha256Sums } = await import(releaseScriptUtilsUrl);
expect(() =>
parseSha256Sums('short-hash install-qwen-standalone.sh\n'),
).toThrow(/Malformed SHA256SUMS line 1/);
});
it('supports --key=value form in parseArgs', async () => {
const { parseArgs } = await import(releaseScriptUtilsUrl);
const defs = {
'--out-dir': { key: 'outDir', type: 'value' },
'--verbose': { key: 'verbose', type: 'flag' },
};
const args = parseArgs(['--out-dir=/tmp/build', '--verbose'], defs);
expect(args.outDir).toBe('/tmp/build');
expect(args.verbose).toBe(true);
expect(args.help).toBe(false);
});
it('supports --key value form in parseArgs', async () => {
const { parseArgs } = await import(releaseScriptUtilsUrl);
const defs = { '--out-dir': { key: 'outDir', type: 'value' } };
const args = parseArgs(['--out-dir', '/tmp/build'], defs);
expect(args.outDir).toBe('/tmp/build');
});
it('rejects unknown options and missing values', async () => {
const { parseArgs } = await import(releaseScriptUtilsUrl);
const defs = { '--out-dir': { key: 'outDir', type: 'value' } };
expect(() => parseArgs(['--unknown'], defs)).toThrow(
/Unknown option: --unknown/,
);
expect(() => parseArgs(['--out-dir'], defs)).toThrow(
/--out-dir requires a value/,
);
expect(() => parseArgs(['--out-dir='], defs)).toThrow(
/--out-dir requires a value/,
);
expect(() => parseArgs(['--out-dir', '--help'], defs)).toThrow(
/--out-dir requires a value/,
);
});
it('rejects --key=value for flag-type options', async () => {
const { parseArgs } = await import(releaseScriptUtilsUrl);
const defs = { '--verbose': { key: 'verbose', type: 'flag' } };
expect(() => parseArgs(['--verbose=true'], defs)).toThrow(
/--verbose does not accept a value/,
);
});
it('recognises -h and --help without definitions', async () => {
const { parseArgs } = await import(releaseScriptUtilsUrl);
expect(parseArgs(['--help'], {}).help).toBe(true);
expect(parseArgs(['-h'], {}).help).toBe(true);
});
it('fail() wraps messages with ERROR: prefix', async () => {
const { fail } = await import(releaseScriptUtilsUrl);
expect(() => fail('something went wrong')).toThrow(
'ERROR: something went wrong',
);
});
});
describe('standalone release packaging', () => {
it('defines a standalone packaging script', () => {
const packageJson = JSON.parse(readScript('package.json'));
expect(packageJson.scripts['package:standalone']).toBe(
'node scripts/create-standalone-package.js',
);
expect(packageJson.scripts['package:standalone:release']).toBe(
'node scripts/build-standalone-release.js',
);
expect(packageJson.scripts['package:hosted-installation']).toBe(
'node scripts/build-hosted-installation-assets.js',
);
expect(packageJson.scripts['verify:installation-release']).toBe(
'node scripts/verify-installation-release.js',
);
expect(packageJson.scripts['package:installation-assets']).toBeUndefined();
expect(existsSync('scripts/create-standalone-package.js')).toBe(true);
expect(existsSync('scripts/build-standalone-release.js')).toBe(true);
expect(existsSync('scripts/build-hosted-installation-assets.js')).toBe(
true,
);
expect(existsSync('scripts/verify-installation-release.js')).toBe(true);
expect(existsSync('scripts/build-installation-assets.js')).toBe(false);
const packageScript = readScript('scripts/create-standalone-package.js');
expect(packageScript).toContain('Copyright 2025 Qwen Team');
expect(packageScript).toContain("'bundled/qc-helper/docs'");
expect(packageScript).toContain('DIST_ALLOWED_ENTRIES');
expect(packageScript).toContain('Unexpected dist asset');
expect(packageScript).toContain('topLevelDistEntryForPath(outDir)');
expect(packageScript).toContain("path.join(packageRoot, 'package.json')");
expect(packageScript).toContain('validateNodeRuntime');
expect(packageScript).toContain('copyNodeRuntimeEntry');
expect(packageScript).toContain('symlink cycle');
expect(packageScript).toContain('refusing to write empty SHA256SUMS');
expect(packageScript).toContain('--skip-checksums');
expect(packageScript).toContain('dereference: true');
expect(packageScript).toContain('fs.createReadStream');
expect(packageScript).toContain('Expand-Archive');
expect(packageScript).toContain('Compress-Archive');
const releaseScript = readScript('scripts/build-standalone-release.js');
expect(releaseScript).toContain('Copyright 2025 Qwen Team');
expect(releaseScript).toContain('https://nodejs.org/dist/v${nodeVersion}');
expect(releaseScript).toContain('SHASUMS256.txt');
expect(releaseScript).toContain('verifyNodeArchive');
expect(releaseScript).toContain(
'EXPECTED_ARCHIVE_COUNT = RELEASE_TARGETS.length',
);
expect(releaseScript).toContain('nodeArchiveExtension');
expect(releaseScript).toContain('fs.createReadStream');
expect(releaseScript).toContain('expectedArchiveNames');
expect(releaseScript).toContain('qwen-code-${qwenTarget}');
expect(releaseScript).toContain('scripts/create-standalone-package.js');
expect(releaseScript).toContain('--skip-checksums');
expect(releaseScript).toContain('writeSha256Sums(outDir)');
const hostedInstallScript = readScript(
'scripts/build-hosted-installation-assets.js',
);
expect(hostedInstallScript).toContain('Copyright 2025 Qwen Team');
expect(hostedInstallScript).toContain('buildHostedInstallationAssets');
expect(hostedInstallScript).toContain('HOSTED_INSTALLATION_ASSETS');
expect(hostedInstallScript).toContain(
"output: 'install-qwen-standalone.sh'",
);
expect(hostedInstallScript).toContain(
"output: 'install-qwen-standalone.bat'",
);
expect(hostedInstallScript).toContain(
"output: 'install-qwen-standalone.ps1'",
);
expect(hostedInstallScript).not.toContain("output: 'install'");
const releaseVerifyScript = readScript(
'scripts/verify-installation-release.js',
);
expect(releaseVerifyScript).toContain('Copyright 2025 Qwen Team');
expect(releaseVerifyScript).toContain('verifyReleaseDirectory');
expect(releaseVerifyScript).toContain('verifyReleaseBaseUrl');
expect(releaseVerifyScript).toContain('EXPECTED_RELEASE_ASSET_NAMES');
expect(releaseVerifyScript).toContain('EXPECTED_STANDALONE_ARCHIVE_NAMES');
expect(releaseVerifyScript).not.toContain('INSTALLATION_ASSET_NAMES');
expect(releaseVerifyScript).not.toContain('assertInstallAliasMatches');
});
it('loads the standalone release packaging helper', () => {
const output = execFileSync(
process.execPath,
['scripts/build-standalone-release.js', '--help'],
{ encoding: 'utf8' },
);
expect(output).toContain('package:standalone:release');
expect(output).toContain('--node-version VERSION');
});
it('loads the hosted installation release helpers', () => {
const hostedOutput = execFileSync(
process.execPath,
['scripts/build-hosted-installation-assets.js', '--help'],
{ encoding: 'utf8' },
);
const verifierOutput = execFileSync(
process.execPath,
['scripts/verify-installation-release.js', '--help'],
{ encoding: 'utf8' },
);
expect(hostedOutput).toContain('package:hosted-installation');
expect(hostedOutput).toContain('--out-dir PATH');
expect(verifierOutput).toContain('verify:installation-release');
expect(verifierOutput).toContain('--dir PATH');
expect(verifierOutput).toContain('--base-url URL');
});
it('rejects invalid installation release verification CLI arguments', () => {
const expectFail = (args, expectedOutput) => {
let caughtError;
try {
execFileSync(process.execPath, args, {
encoding: 'utf8',
stdio: 'pipe',
});
} catch (error) {
caughtError = error;
}
expect(caughtError).toBeTruthy();
expect(
[
caughtError?.message,
caughtError?.stdout?.toString(),
caughtError?.stderr?.toString(),
].join('\n'),
).toMatch(expectedOutput);
};
expectFail(
['scripts/verify-installation-release.js', '--unknown'],
/Unknown option: --unknown/,
);
expectFail(
['scripts/verify-installation-release.js', '--dir'],
/--dir requires a value/,
);
expectFail(
[
'scripts/verify-installation-release.js',
'--dir',
'/tmp',
'--base-url',
'https://example.com/r/',
],
/Pass --dir or --base-url, not both/,
);
expectFail(
[
'scripts/verify-installation-release.js',
'--dir=/tmp',
'--base-url=https://example.com/r/',
],
/Pass --dir or --base-url, not both/,
);
expectFail(
['scripts/verify-installation-release.js', '--unknown=foo'],
/Unknown option: --unknown/,
);
});
it('parses Node.js SHASUMS entries', async () => {
const { parseChecksums } = await import(standaloneReleaseScriptUrl);
const checksums = parseChecksums(
[
'a'.repeat(64) + ' node-v22.0.0-linux-x64.tar.xz',
'b'.repeat(64) + ' *node-v22.0.0-win-x64.zip',
'',
].join('\n'),
);
expect(checksums.get('node-v22.0.0-linux-x64.tar.xz')).toBe('a'.repeat(64));
expect(checksums.get('node-v22.0.0-win-x64.zip')).toBe('b'.repeat(64));
});
it('validates standalone release checksum output', async () => {
const { assertStandaloneOutput, RELEASE_TARGETS } = await import(
standaloneReleaseScriptUrl
);
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-release-test-'));
try {
const lines = RELEASE_TARGETS.map(({ qwenTarget }) => {
const extension = qwenTarget === 'win-x64' ? 'zip' : 'tar.gz';
return `${'a'.repeat(64)} qwen-code-${qwenTarget}.${extension}`;
});
writeFileSync(path.join(tmpDir, 'SHA256SUMS'), `${lines.join('\n')}\n`);
expect(() => assertStandaloneOutput(tmpDir)).not.toThrow();
writeFileSync(
path.join(tmpDir, 'SHA256SUMS'),
`${lines.join('\n')}\n${'b'.repeat(64)} qwen-code-extra.tar.gz\n`,
);
expect(() => assertStandaloneOutput(tmpDir)).toThrow(/Extra/);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
});
it('installer scripts honor --version for hosted entrypoints', () => {
const installShellSource = readScript(
'scripts/installation/install-qwen-standalone.sh',
);
expect(installShellSource).toContain(
'VERSION="${QWEN_INSTALL_VERSION:-latest}"',
);
expect(installShellSource).toContain('--version)');
expect(installShellSource).toContain('--version requires a value');
const installBatchSource = readScript(
'scripts/installation/install-qwen-standalone.bat',
);
expect(installBatchSource).toContain('set "VERSION=latest"');
expect(installBatchSource).toContain(
'if defined QWEN_INSTALL_VERSION set "VERSION=!QWEN_INSTALL_VERSION!"',
);
expect(installBatchSource).toContain('!ARG_KEY!"=="--version"');
expect(installBatchSource).toContain('--version requires a value');
const installPowerShellSource = readScript(
'scripts/installation/install-qwen-standalone.ps1',
);
expect(installPowerShellSource).toContain('install-qwen-standalone.bat');
expect(installPowerShellSource).toContain('Invoke-WebRequest');
expect(installPowerShellSource).toContain('QWEN_INSTALL_VERSION');
expect(installPowerShellSource).toContain('--version vX.Y.Z');
expect(installPowerShellSource).toContain('SHA256SUMS');
expect(installPowerShellSource).toContain('Get-FileHash');
expect(installPowerShellSource).toContain('Checksum verification failed');
expect(installPowerShellSource).toContain('@args');
});
it('stages hosted installation assets with checksums', async () => {
const {
HOSTED_INSTALLATION_ASSET_NAMES,
HOSTED_INSTALLATION_ASSETS,
assertHostedInstallationAssetChecksums,
buildHostedInstallationAssets,
} = await import(hostedInstallationScriptUrl);
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-hosted-install-'));
try {
await buildHostedInstallationAssets(tmpDir);
const installSh = path.join(tmpDir, 'install-qwen-standalone.sh');
const installBat = path.join(tmpDir, 'install-qwen-standalone.bat');
const installPs1 = path.join(tmpDir, 'install-qwen-standalone.ps1');
const checksums = readScript(path.join(tmpDir, 'SHA256SUMS'));
const checksumLines = checksums.trim().split('\n');
expect(HOSTED_INSTALLATION_ASSET_NAMES).toEqual([
'install-qwen-standalone.sh',
'install-qwen-standalone.bat',
'install-qwen-standalone.ps1',
]);
expect(HOSTED_INSTALLATION_ASSETS.map(({ output }) => output)).toEqual(
HOSTED_INSTALLATION_ASSET_NAMES,
);
expect(readScript(installSh)).toBe(
readScript('scripts/installation/install-qwen-standalone.sh'),
);
expect(readScript(installBat)).toBe(
readScript('scripts/installation/install-qwen-standalone.bat').replace(
/\r?\n/g,
'\r\n',
),
);
expect(readScript(installPs1)).toBe(
readScript('scripts/installation/install-qwen-standalone.ps1'),
);
expect(existsSync(path.join(tmpDir, 'install'))).toBe(false);
expect(checksumLines.map((line) => line.split(' ')[1])).toEqual([
'install-qwen-standalone.bat',
'install-qwen-standalone.ps1',
'install-qwen-standalone.sh',
]);
expect(checksums).toMatch(
/^[0-9a-f]{64} {2}install-qwen-standalone\.sh$/m,
);
expect(checksums).toMatch(
/^[0-9a-f]{64} {2}install-qwen-standalone\.bat$/m,
);
expect(checksums).toMatch(
/^[0-9a-f]{64} {2}install-qwen-standalone\.ps1$/m,
);
if (process.platform !== 'win32') {
expect(lstatSync(installSh).mode & 0o111).not.toBe(0);
}
writeFileSync(installSh, 'tampered');
await expect(
assertHostedInstallationAssetChecksums(tmpDir),
).rejects.toThrow(
/Checksum verification failed for install-qwen-standalone\.sh/,
);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
});
it('rejects hosted installer sources without pinned hosted behavior', async () => {
const { buildHostedInstallationAssets } = await import(
hostedInstallationScriptUrl
);
const tmpRoot = mkdtempSync(path.join(tmpdir(), 'qwen-hosted-root-'));
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-hosted-install-'));
const sourceDir = path.join(tmpRoot, 'scripts', 'installation');
try {
mkdirSync(sourceDir, { recursive: true });
writeFileSync(
path.join(sourceDir, 'install-qwen-standalone.sh'),
'#!/usr/bin/env bash\n' +
'VERSION="${QWEN_INSTALL_VERSION:-stable}"\n' +
'case "$1" in --version) shift; VERSION="$1" ;; esac\n',
);
writeFileSync(
path.join(sourceDir, 'install-qwen-standalone.bat'),
'@echo off\r\nset "VERSION=latest"\r\n',
);
writeFileSync(
path.join(sourceDir, 'install-qwen-standalone.ps1'),
"# --version vX.Y.Z\n$env:QWEN_INSTALL_VERSION = 'latest'\n",
);
await expect(
buildHostedInstallationAssets(tmpDir, { root: tmpRoot }),
).rejects.toThrow(
/install-qwen-standalone\.sh default install version must be 'latest'/,
);
} finally {
rmSync(tmpRoot, { recursive: true, force: true });
rmSync(tmpDir, { recursive: true, force: true });
}
});
it('rejects hosted installer sources without real version parsing', async () => {
const { buildHostedInstallationAssets } = await import(
hostedInstallationScriptUrl
);
const tmpRoot = mkdtempSync(path.join(tmpdir(), 'qwen-hosted-root-'));
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-hosted-install-'));
const sourceDir = path.join(tmpRoot, 'scripts', 'installation');
try {
mkdirSync(sourceDir, { recursive: true });
writeFileSync(
path.join(sourceDir, 'install-qwen-standalone.sh'),
'#!/usr/bin/env bash\n' +
'VERSION="${QWEN_INSTALL_VERSION:-latest}"\n' +
'echo "Usage: --version VERSION"\n',
);
writeFileSync(
path.join(sourceDir, 'install-qwen-standalone.bat'),
'@echo off\r\nset "VERSION=latest"\r\n',
);
writeFileSync(
path.join(sourceDir, 'install-qwen-standalone.ps1'),
'& $qwenInstallerPath @args\n# QWEN_INSTALL_VERSION\n',
);
await expect(
buildHostedInstallationAssets(tmpDir, { root: tmpRoot }),
).rejects.toThrow(/install-qwen-standalone\.sh.*--version parser/);
} finally {
rmSync(tmpRoot, { recursive: true, force: true });
rmSync(tmpDir, { recursive: true, force: true });
}
});
it('rejects stale hosted installation assets in the output directory', async () => {
const { buildHostedInstallationAssets } = await import(
hostedInstallationScriptUrl
);
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-hosted-install-'));
try {
writeFileSync(path.join(tmpDir, 'install'), 'stale alias');
await expect(buildHostedInstallationAssets(tmpDir)).rejects.toThrow(
/Unexpected hosted installer asset: install/,
);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
});
it('verifies release asset directory contents and checksums', async () => {
const { EXPECTED_STANDALONE_ARCHIVE_NAMES, verifyReleaseDirectory } =
await import(installationReleaseVerificationScriptUrl);
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-release-verify-'));
try {
writeStandaloneReleaseAssets(tmpDir, EXPECTED_STANDALONE_ARCHIVE_NAMES);
await expect(verifyReleaseDirectory(tmpDir)).resolves.not.toThrow();
appendFileSync(
path.join(tmpDir, EXPECTED_STANDALONE_ARCHIVE_NAMES[0]),
'tamper',
);
await expect(verifyReleaseDirectory(tmpDir)).rejects.toThrow(
new RegExp(
`Checksum verification failed for ${escapeRegExp(EXPECTED_STANDALONE_ARCHIVE_NAMES[0])}`,
),
);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
});
it('rejects missing release archives and unexpected checksum entries', async () => {
const { EXPECTED_STANDALONE_ARCHIVE_NAMES, verifyReleaseDirectory } =
await import(installationReleaseVerificationScriptUrl);
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-release-verify-'));
try {
writeStandaloneReleaseAssets(tmpDir, EXPECTED_STANDALONE_ARCHIVE_NAMES);
rmSync(path.join(tmpDir, EXPECTED_STANDALONE_ARCHIVE_NAMES[0]));
await expect(verifyReleaseDirectory(tmpDir)).rejects.toThrow(
/Missing release asset: qwen-code-/,
);
writeStandaloneReleaseAssets(tmpDir, EXPECTED_STANDALONE_ARCHIVE_NAMES);
writeStandaloneReleaseChecksums(tmpDir, [
...EXPECTED_STANDALONE_ARCHIVE_NAMES,
'qwen-code-extra.tar.gz',
]);
await expect(verifyReleaseDirectory(tmpDir)).rejects.toThrow(
/Unexpected release asset checksum: qwen-code-extra\.tar\.gz/,
);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
});
it('verifies release asset URLs from SHA256SUMS', async () => {
const { EXPECTED_STANDALONE_ARCHIVE_NAMES, verifyReleaseBaseUrl } =
await import(installationReleaseVerificationScriptUrl);
const checksumContent = placeholderChecksumContent(
EXPECTED_STANDALONE_ARCHIVE_NAMES,
);
const fetchedUrls = [];
const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
try {
await expect(
verifyReleaseBaseUrl('https://example.com/qwen-code/v0.0.0', {
fetchImpl: async (url, options = {}) => {
fetchedUrls.push([url, options.method || 'GET', !!options.signal]);
if (url.endsWith('/SHA256SUMS')) {
return new Response(checksumContent);
}
return new Response(null, { status: 200 });
},
}),
).resolves.not.toThrow();
} finally {
warnSpy.mockRestore();
}
expect(fetchedUrls).toContainEqual([
'https://example.com/qwen-code/v0.0.0/SHA256SUMS',
'GET',
true,
]);
for (const assetName of EXPECTED_STANDALONE_ARCHIVE_NAMES) {
expect(fetchedUrls).toContainEqual([
`https://example.com/qwen-code/v0.0.0/${assetName}`,
'HEAD',
true,
]);
}
for (const [url] of fetchedUrls) {
expect(url).not.toMatch(/install-qwen\.(sh|bat|ps1)$/);
expect(url).not.toMatch(/\/install$/);
}
});
it('rejects a release base URL that is not https', async () => {
const { verifyReleaseBaseUrl } = await import(
installationReleaseVerificationScriptUrl
);
await expect(verifyReleaseBaseUrl('file:///tmp/release/')).rejects.toThrow(
/--base-url must use https/,
);
await expect(
verifyReleaseBaseUrl('http://example.com/release/'),
).rejects.toThrow(/--base-url must use https/);
});
it('falls back to a ranged GET when a release asset HEAD fails', async () => {
const { EXPECTED_STANDALONE_ARCHIVE_NAMES, verifyReleaseBaseUrl } =
await import(installationReleaseVerificationScriptUrl);
const checksumContent = placeholderChecksumContent(
EXPECTED_STANDALONE_ARCHIVE_NAMES,
);
const fetchedUrls = [];
const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
try {
await expect(
verifyReleaseBaseUrl('https://example.com/qwen-code/v0.0.0', {
fetchImpl: async (url, options = {}) => {
const method = options.method || 'GET';
const range = options.headers?.Range || '';
fetchedUrls.push([url, method, range]);
if (url.endsWith('/SHA256SUMS')) {
return new Response(checksumContent);
}
// Simulate an object-storage host that disables HEAD: the verifier
// must retry with a 1-byte ranged GET before treating the asset as
// unavailable.
if (method === 'HEAD') {
return new Response(null, { status: 405 });
}
if (range === 'bytes=0-0') {
return new Response('a', { status: 206 });
}
return new Response(null, { status: 500 });
},
}),
).resolves.not.toThrow();
} finally {
warnSpy.mockRestore();
}
for (const assetName of EXPECTED_STANDALONE_ARCHIVE_NAMES) {
const assetUrl = `https://example.com/qwen-code/v0.0.0/${assetName}`;
expect(fetchedUrls).toContainEqual([assetUrl, 'HEAD', '']);
expect(fetchedUrls).toContainEqual([assetUrl, 'GET', 'bytes=0-0']);
}
});
it('reports each unavailable asset with its reason', async () => {
const { EXPECTED_STANDALONE_ARCHIVE_NAMES, verifyReleaseBaseUrl } =
await import(installationReleaseVerificationScriptUrl);
const checksumContent = placeholderChecksumContent(
EXPECTED_STANDALONE_ARCHIVE_NAMES,
);
const unavailableAsset = EXPECTED_STANDALONE_ARCHIVE_NAMES[0];
const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
try {
await expect(
verifyReleaseBaseUrl('https://example.com/qwen-code/v0.0.0', {
fetchImpl: async (url) => {
if (url.endsWith('/SHA256SUMS')) {
return new Response(checksumContent);
}
// The first asset always fails (HEAD and Range); the rest succeed
// on HEAD. Verifier should list only the failing one in the error.
if (url.endsWith(`/${unavailableAsset}`)) {
return new Response(null, { status: 404 });
}
return new Response(null, { status: 200 });
},
}),
).rejects.toThrow(
new RegExp(
`Unavailable release asset URL\\(s\\): ${escapeRegExp(unavailableAsset)} \\(.*\\)`,
),
);
} finally {
warnSpy.mockRestore();
}
});
it('reports a single error when every asset URL is unavailable', async () => {
const { EXPECTED_STANDALONE_ARCHIVE_NAMES, verifyReleaseBaseUrl } =
await import(installationReleaseVerificationScriptUrl);
const checksumContent = placeholderChecksumContent(
EXPECTED_STANDALONE_ARCHIVE_NAMES,
);
const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
try {
await expect(
verifyReleaseBaseUrl('https://example.com/qwen-code/v0.0.0', {
fetchImpl: async (url) => {
if (url.endsWith('/SHA256SUMS')) {
return new Response(checksumContent);
}
return new Response(null, { status: 503 });
},
}),
).rejects.toThrow(
new RegExp(
`All ${EXPECTED_STANDALONE_ARCHIVE_NAMES.length} release asset URLs are unavailable; check --base-url: https://example\\.com/qwen-code/v0\\.0\\.0/`,
),
);
} finally {
warnSpy.mockRestore();
}
});
it('parses SHA256SUMS even when the file starts with a UTF-8 BOM', async () => {
const { EXPECTED_STANDALONE_ARCHIVE_NAMES, verifyReleaseBaseUrl } =
await import(installationReleaseVerificationScriptUrl);
const checksumContent =
'\uFEFF' + placeholderChecksumContent(EXPECTED_STANDALONE_ARCHIVE_NAMES);
const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
try {
await expect(
verifyReleaseBaseUrl('https://example.com/qwen-code/v0.0.0', {
fetchImpl: async (url) => {
if (url.endsWith('/SHA256SUMS')) {
return new Response(checksumContent);
}
return new Response(null, { status: 200 });
},
}),
).resolves.not.toThrow();
} finally {
warnSpy.mockRestore();
}
});
it('rejects a runtime archive without a Node executable', () => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-package-test-'));
try {
const target = process.platform === 'win32' ? 'win-x64' : 'linux-x64';
const fakeRuntimeArchive =
process.platform === 'win32'
? createBadWindowsNodeArchive(tmpDir)
: createBadUnixNodeArchive(tmpDir);
expect(() =>
execFileSync(
'node',
[
'scripts/create-standalone-package.js',
'--target',
target,
'--node-archive',
fakeRuntimeArchive,
'--out-dir',
path.join(tmpDir, 'out'),
'--version',
'0.0.0-test',
],
{ stdio: 'pipe' },
),
).toThrow(/Node\.js runtime for .* must contain/);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
}
}
});
it('packages a win-x64 standalone archive', () => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-package-test-'));
try {
const outDir = path.join(tmpDir, 'out');
execFileSync(
'node',
[
'scripts/create-standalone-package.js',
'--target',
'win-x64',
'--node-archive',
createFakeWindowsNodeArchive(tmpDir),
'--out-dir',
outDir,
'--version',
'0.0.0-test',
],
{ stdio: 'pipe' },
);
const archive = path.join(outDir, 'qwen-code-win-x64.zip');
const extractDir = path.join(tmpDir, 'extract');
mkdirSync(extractDir, { recursive: true });
extractZipForTest(archive, extractDir);
expect(existsSync(path.join(extractDir, 'qwen-code'))).toBe(true);
expect(
existsSync(path.join(extractDir, 'qwen-code', 'bin', 'qwen.cmd')),
).toBe(true);
expect(
existsSync(path.join(extractDir, 'qwen-code', 'node', 'node.exe')),
).toBe(true);
expect(readScript(path.join(outDir, 'SHA256SUMS'))).toContain(
'qwen-code-win-x64.zip',
);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
}
}
}, 30_000);
itOnUnix('dereferences safe Node.js runtime symlinks', () => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-package-test-'));
try {
const archive = packageFakeStandalone(tmpDir, {
withSafeNodeSymlink: true,
});
const installRoot = path.join(tmpDir, 'install');
runUnixInstaller(archive, installRoot, path.join(tmpDir, 'home'));
const npmShim = path.join(
installRoot,
'lib',
'qwen-code',
'node',
'bin',
'npm',
);
expect(existsSync(npmShim)).toBe(true);
expect(lstatSync(npmShim).isSymbolicLink()).toBe(false);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
}
}
});
itOnUnix('rejects Node.js runtime symlinks that escape the archive', () => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-package-test-'));
try {
expect(() =>
execFileSync(
'node',
[
'scripts/create-standalone-package.js',
'--target',
'linux-x64',
'--node-archive',
createFakeNodeArchive(tmpDir, {
withEscapingNodeSymlink: true,
}),
'--out-dir',
path.join(tmpDir, 'out'),
'--version',
'0.0.0-test',
],
{ stdio: 'pipe' },
),
).toThrow(/symlink escapes the archive/);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
}
}
});
itOnUnix('rejects Node.js runtime symlink cycles', () => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-package-test-'));
try {
expect(() =>
execFileSync(
'node',
[
'scripts/create-standalone-package.js',
'--target',
'linux-x64',
'--node-archive',
createFakeNodeArchive(tmpDir, {
withNodeSymlinkCycle: true,
}),
'--out-dir',
path.join(tmpDir, 'out'),
'--version',
'0.0.0-test',
],
{ stdio: 'pipe' },
),
).toThrow(/symlink cycle/);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
}
}
});
it('rejects unexpected dist assets', () => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-package-test-'));
try {
writeFileSync('dist/debug-cache.tmp', 'debug\n');
expect(() =>
execFileSync(
'node',
[
'scripts/create-standalone-package.js',
'--target',
'win-x64',
'--node-archive',
createFakeWindowsNodeArchive(tmpDir),
'--out-dir',
path.join(tmpDir, 'out'),
'--version',
'0.0.0-test',
],
{ stdio: 'pipe' },
),
).toThrow(/Unexpected dist asset/);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
} else {
rmSync('dist/debug-cache.tmp', { force: true });
}
}
});
it('syncs standalone and hosted installation assets during release', () => {
const workflow = readScript('.github/workflows/release.yml');
expect(workflow).toContain('npm run package:standalone:release --');
expect(workflow).toContain(
'npm run package:hosted-installation -- --out-dir dist/installation',
);
expect(workflow).not.toContain('package:installation-assets');
expect(workflow).not.toContain('verify_node_checksum()');
expect(workflow).not.toContain('download_node()');
expect(workflow).toContain('dist/standalone/qwen-code-*.tar.gz');
expect(workflow).toContain('dist/standalone/qwen-code-*.zip');
expect(workflow).toContain('dist/standalone/SHA256SUMS');
expect(workflow).toContain(
'npm run verify:installation-release -- --dir dist/standalone',
);
expect(workflow).toContain('secrets.ALIYUN_OSS_ACCESS_KEY_ID');
expect(workflow).toContain('secrets.ALIYUN_OSS_ACCESS_KEY_SECRET');
expect(workflow).toContain('vars.ALIYUN_OSS_BUCKET');
expect(workflow).toContain('vars.ALIYUN_OSS_ENDPOINT');
expect(workflow).toContain('releases/qwen-code/${RELEASE_TAG}');
expect(workflow).toContain('releases/qwen-code/latest');
expect(workflow).toContain('installation/install-qwen-standalone.sh');
expect(workflow).toContain('installation/install-qwen-standalone.bat');
expect(workflow).toContain('installation/install-qwen-standalone.ps1');
expect(workflow).toContain('--acl public-read');
expect(workflow).toContain(
'npm run verify:installation-release -- --base-url "${ALIYUN_OSS_PUBLIC_BASE_URL}/releases/qwen-code/${RELEASE_TAG}"',
);
});
it('does not whitelist internal planning documents in gitignore', () => {
const gitignore = readScript('.gitignore');
expect(gitignore).not.toContain('!.qwen/design/');
expect(gitignore).not.toContain('!.qwen/e2e-tests/');
});
it('documents optional native module parity for standalone installs', () => {
const guide = readScript('scripts/installation/INSTALLATION_GUIDE.md');
expect(guide).toContain('Optional Native Modules');
expect(guide).toContain('package:hosted-installation');
expect(guide).toContain('installation/install-qwen-standalone.sh');
expect(guide).toContain('installation/install-qwen-standalone.bat');
expect(guide).toContain('installation/install-qwen-standalone.ps1');
expect(guide).toContain('ALIYUN_OSS_ACCESS_KEY_ID');
expect(guide).toContain('ALIYUN_OSS_ACCESS_KEY_SECRET');
expect(guide).toContain('ALIYUN_OSS_BUCKET');
expect(guide).toContain('ALIYUN_OSS_ENDPOINT');
expect(guide).toContain('Public installation documentation');
expect(guide).toContain('node-pty');
expect(guide).toContain('clipboard');
});
});
describe('Linux/macOS installer end-to-end', () => {
itOnUnix(
'installs a local standalone archive with checksum verification',
() => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const archive = packageFakeStandalone(tmpDir);
const installRoot = path.join(tmpDir, 'install');
const home = path.join(tmpDir, 'home');
runUnixInstaller(archive, installRoot, home);
expect(existsSync(path.join(installRoot, 'bin', 'qwen'))).toBe(true);
expect(
existsSync(
path.join(installRoot, 'lib', 'qwen-code', 'node', 'bin', 'node'),
),
).toBe(true);
expect(readScript(path.join(home, '.qwen', 'source.json'))).toContain(
'"source": "smoke"',
);
const version = execFileSync(path.join(installRoot, 'bin', 'qwen'), [
'--version',
])
.toString()
.trim();
expect(version).toBe('0.0.0-smoke');
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
}
}
},
);
itOnUnix('shell-quotes custom install paths in the generated wrapper', () => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const archive = packageFakeStandalone(tmpDir);
const installRoot = path.join(tmpDir, 'install');
const home = path.join(tmpDir, 'home');
const installLibDir = path.join(
installRoot,
'lib',
'qwen-code$(touch qwen-pwned)',
);
runUnixInstaller(archive, installRoot, home, 'standalone', {
QWEN_INSTALL_LIB_DIR: installLibDir,
});
const version = execFileSync(
path.join(installRoot, 'bin', 'qwen'),
['--version'],
{
cwd: tmpDir,
},
)
.toString()
.trim();
expect(version).toBe('0.0.0-smoke');
expect(existsSync(path.join(tmpDir, 'qwen-pwned'))).toBe(false);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
}
}
});
itOnUnix(
'shell-quotes PATH updates written to shell rc files',
() => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const archive = packageFakeStandalone(tmpDir);
const fakeBin = path.join(tmpDir, 'shadow-bin');
const installRoot = path.join(tmpDir, 'install');
const home = path.join(tmpDir, 'home');
const marker = path.join(tmpDir, 'qwen-pwned');
const unsafeBinDir = path.join(
installRoot,
'bin path $(touch qwen-pwned)',
);
mkdirSync(fakeBin, { recursive: true });
writeFileSync(path.join(fakeBin, 'qwen'), '#!/usr/bin/env sh\n');
chmodSync(path.join(fakeBin, 'qwen'), 0o755);
runUnixInstaller(archive, installRoot, home, 'standalone', {
PATH: `${fakeBin}:${process.env.PATH}`,
SHELL: '/bin/bash',
QWEN_INSTALL_BIN_DIR: unsafeBinDir,
});
const bashrc = path.join(home, '.bashrc');
expect(readScript(bashrc)).toContain(
`export PATH='${unsafeBinDir}':$PATH`,
);
execFileSync('bash', ['-c', `source "${bashrc}"`], {
cwd: tmpDir,
stdio: 'pipe',
});
expect(existsSync(marker)).toBe(false);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
}
}
},
15000,
);
itOnUnix('rejects a tampered local archive', () => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const archive = packageFakeStandalone(tmpDir);
appendFileSync(archive, 'tamper');
expect(() =>
runUnixInstaller(
archive,
path.join(tmpDir, 'install'),
path.join(tmpDir, 'home'),
),
).toThrow(/Checksum verification failed/);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
}
}
});
itOnUnix('rejects a local archive when SHA256SUMS is missing', () => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const archive = packageFakeStandalone(tmpDir);
rmSync(path.join(path.dirname(archive), 'SHA256SUMS'), { force: true });
expect(() =>
runUnixInstaller(
archive,
path.join(tmpDir, 'install'),
path.join(tmpDir, 'home'),
),
).toThrow(/SHA256SUMS not found/);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
}
}
});
itOnUnix('rejects standalone archives containing symlinks', () => {
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const archive = createSymlinkStandaloneArchive(tmpDir);
expect(() =>
runUnixInstaller(
archive,
path.join(tmpDir, 'install'),
path.join(tmpDir, 'home'),
),
).toThrow(/Archive contains symlinks/);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
});
itOnUnix(
'rejects standalone archives containing path traversal entries',
() => {
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const archive = createTraversalStandaloneArchive(tmpDir);
expect(() =>
runUnixInstaller(
archive,
path.join(tmpDir, 'install'),
path.join(tmpDir, 'home'),
),
).toThrow(/Archive contains unsafe path/);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
},
);
itOnUnix('refuses to overwrite a non-managed install directory', () => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const archive = packageFakeStandalone(tmpDir);
const installRoot = path.join(tmpDir, 'install');
const installDir = path.join(installRoot, 'lib', 'qwen-code');
mkdirSync(installDir, { recursive: true });
writeFileSync(path.join(installDir, 'important.txt'), 'keep me\n');
expect(() =>
runUnixInstaller(archive, installRoot, path.join(tmpDir, 'home')),
).toThrow(/not a Qwen Code standalone install/);
expect(readScript(path.join(installDir, 'important.txt'))).toBe(
'keep me\n',
);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
}
}
});
itOnUnix('does not fall back to npm when detect finds a bad archive', () => {
const createdDist = ensureMinimalDist();
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const archive = packageFakeStandalone(tmpDir);
appendFileSync(archive, 'tamper');
let failureMessage = '';
try {
runUnixInstaller(
archive,
path.join(tmpDir, 'install'),
path.join(tmpDir, 'home'),
'detect',
);
} catch (error) {
failureMessage = error.message;
}
expect(failureMessage).toContain('Checksum verification failed');
expect(failureMessage).toContain('Standalone install failed');
expect(failureMessage).not.toContain('Falling back to npm installation');
} finally {
rmSync(tmpDir, { recursive: true, force: true });
if (createdDist) {
rmSync('dist', { recursive: true, force: true });
}
}
});
itOnUnix(
'falls back to npm in detect mode when archive is unavailable',
() => {
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const fakeBin = path.join(tmpDir, 'bin');
const home = path.join(tmpDir, 'home');
const npmLog = path.join(tmpDir, 'npm-args.txt');
mkdirSync(fakeBin, { recursive: true });
mkdirSync(home, { recursive: true });
writeFileSync(
path.join(fakeBin, 'curl'),
'#!/usr/bin/env sh\nexit 22\n',
);
writeFileSync(
path.join(fakeBin, 'node'),
[
'#!/usr/bin/env sh',
'if [ "$1" = "-p" ]; then',
' case "$2" in',
' *split*) echo 22 ;;',
' *) echo 22.0.0 ;;',
' esac',
' exit 0',
'fi',
'exit 0',
'',
].join('\n'),
);
writeFileSync(
path.join(fakeBin, 'npm'),
[
'#!/usr/bin/env sh',
'case "$1" in',
' -v) echo 10.0.0 ;;',
' prefix) echo "$QWEN_FAKE_NPM_PREFIX" ;;',
' install) printf "%s\\n" "$*" > "$QWEN_FAKE_NPM_LOG" ;;',
'esac',
'exit 0',
'',
].join('\n'),
);
writeFileSync(
path.join(fakeBin, 'qwen'),
'#!/usr/bin/env sh\necho 0.0.0-npm\n',
);
for (const command of ['curl', 'node', 'npm', 'qwen']) {
chmodSync(path.join(fakeBin, command), 0o755);
}
const output = execFileSync(
'bash',
[
'scripts/installation/install-qwen-standalone.sh',
'--method',
'detect',
'--base-url',
'https://example.invalid/qwen-code',
'--source',
'smoke',
],
{
env: {
...process.env,
HOME: home,
PATH: `${fakeBin}:${process.env.PATH}`,
QWEN_FAKE_NPM_LOG: npmLog,
QWEN_FAKE_NPM_PREFIX: path.join(tmpDir, 'npm-prefix'),
},
stdio: 'pipe',
},
).toString();
expect(output).toContain('Falling back to npm installation');
expect(readScript(npmLog)).toContain(
'install -g @qwen-code/qwen-code@latest --registry',
);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
},
);
itOnUnix('preserves context when npm fallback also fails', () => {
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const fakeBin = path.join(tmpDir, 'bin');
mkdirSync(fakeBin, { recursive: true });
writeFileSync(path.join(fakeBin, 'curl'), '#!/usr/bin/env sh\nexit 22\n');
chmodSync(path.join(fakeBin, 'curl'), 0o755);
let failureMessage = '';
try {
execFileSync(
'bash',
[
'scripts/installation/install-qwen-standalone.sh',
'--method',
'detect',
'--base-url',
'https://example.invalid/qwen-code',
'--source',
'smoke',
],
{
env: {
HOME: path.join(tmpDir, 'home'),
PATH: `${fakeBin}:/usr/bin:/bin`,
},
stdio: 'pipe',
},
);
} catch (error) {
failureMessage = [
error.message,
error.stdout?.toString() || '',
error.stderr?.toString() || '',
].join('\n');
}
expect(failureMessage).toContain('Falling back to npm installation');
expect(failureMessage).toMatch(
/Node\.js was not found|Unable to determine Node\.js version/,
);
expect(failureMessage).toContain('npm fallback also failed');
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
});
});
describe('Windows installer end-to-end', () => {
itOnWindows(
'installs a local standalone archive with checksum verification',
() => {
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const archive = createFakeWindowsStandaloneArchive(tmpDir);
const installRoot = path.join(tmpDir, 'install');
const home = path.join(tmpDir, 'home');
runWindowsInstaller(archive, installRoot, home);
expect(existsSync(path.join(installRoot, 'bin', 'qwen.cmd'))).toBe(
true,
);
expect(
existsSync(path.join(installRoot, 'qwen-code', 'node', 'node.exe')),
).toBe(true);
expect(readScript(path.join(home, '.qwen', 'source.json'))).toContain(
'"source": "smoke"',
);
const version = runWindowsCommand(
`call "${path.join(installRoot, 'bin', 'qwen.cmd')}" --version`,
{ USERPROFILE: home },
)
.toString()
.trim();
expect(version).toBe('0.0.0-smoke');
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
},
);
itOnWindows('rejects a tampered local archive', () => {
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const archive = createFakeWindowsStandaloneArchive(tmpDir);
appendFileSync(archive, 'tamper');
expect(() =>
runWindowsInstaller(
archive,
path.join(tmpDir, 'install'),
path.join(tmpDir, 'home'),
),
).toThrow(/Checksum verification failed/);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
});
itOnWindows('rejects unsafe environment-derived install paths', () => {
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const archive = createFakeWindowsStandaloneArchive(tmpDir);
const marker = path.join(tmpDir, 'pwned.txt');
expect(() =>
runWindowsInstaller(
archive,
path.join(tmpDir, 'install'),
path.join(tmpDir, 'home'),
'standalone',
{
QWEN_INSTALL_ROOT: `${path.join(tmpDir, 'install')}" & echo pwned > "${marker}" & "`,
},
),
).toThrow(/unsafe command characters/);
expect(existsSync(marker)).toBe(false);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
});
itOnWindows(
'falls back to npm in detect mode when archive is unavailable',
() => {
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const fakeBin = path.join(tmpDir, 'bin');
const npmLog = path.join(tmpDir, 'npm-install.log');
createFakeWindowsNpmTools(fakeBin);
const output = runWindowsCommand(
[
`call "${path.resolve('scripts/installation/install-qwen-standalone.bat')}"`,
'--method',
'detect',
'--source',
'smoke',
].join(' '),
{
USERPROFILE: path.join(tmpDir, 'home'),
QWEN_INSTALL_ROOT: path.join(tmpDir, 'install'),
QWEN_FAKE_NPM_LOG: npmLog,
QWEN_FAKE_NPM_PREFIX: path.join(tmpDir, 'npm-prefix'),
...prependWindowsPath(fakeBin),
PROCESSOR_ARCHITECTURE: 'ARM64',
PROCESSOR_ARCHITEW6432: '',
},
).toString();
expect(output).toContain('Falling back to npm installation');
expect(readScript(npmLog)).toContain(
'install -g @qwen-code/qwen-code@latest --registry',
);
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
},
);
itOnWindows('preserves context when npm fallback also fails', () => {
const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
try {
const fakeBin = path.join(tmpDir, 'bin');
mkdirSync(fakeBin, { recursive: true });
writeFileSync(
path.join(fakeBin, 'node.cmd'),
['@echo off', 'exit /b 1', ''].join('\r\n'),
);
let failureMessage = '';
try {
runWindowsCommand(
[
`call "${path.resolve('scripts/installation/install-qwen-standalone.bat')}"`,
'--method',
'detect',
'--source',
'smoke',
].join(' '),
{
USERPROFILE: path.join(tmpDir, 'home'),
QWEN_INSTALL_ROOT: path.join(tmpDir, 'install'),
...prependWindowsPath(fakeBin),
PROCESSOR_ARCHITECTURE: 'ARM64',
PROCESSOR_ARCHITEW6432: '',
},
);
} catch (error) {
failureMessage = [
error.message,
error.stdout?.toString() || '',
error.stderr?.toString() || '',
].join('\n');
}
expect(failureMessage).toContain('Falling back to npm installation');
expect(failureMessage).toContain('Unable to determine Node.js version');
expect(failureMessage).toContain('npm fallback also failed');
} finally {
rmSync(tmpDir, { recursive: true, force: true });
}
});
});
function ensureMinimalDist() {
if (existsSync('dist')) {
return false;
}
mkdirSync('dist/vendor', { recursive: true });
mkdirSync('dist/bundled/qc-helper/docs', { recursive: true });
writeFileSync('dist/cli.js', 'console.log("qwen");\n');
writeFileSync(
'dist/package.json',
JSON.stringify({ name: '@qwen-code/qwen-code', version: '0.0.0' }),
);
return true;
}
function createFakeNodeArchive(tmpDir, options = {}) {
const fakeNodeDir = path.join(tmpDir, 'node-v22.0.0-linux-x64');
mkdirSync(path.join(fakeNodeDir, 'bin'), { recursive: true });
writeFileSync(
path.join(fakeNodeDir, 'bin', 'node'),
'#!/usr/bin/env sh\necho 0.0.0-smoke\n',
);
chmodSync(path.join(fakeNodeDir, 'bin', 'node'), 0o755);
if (options.withSafeNodeSymlink) {
mkdirSync(path.join(fakeNodeDir, 'lib'), { recursive: true });
writeFileSync(path.join(fakeNodeDir, 'lib', 'npm-cli.js'), 'npm cli\n');
symlinkSync('../lib/npm-cli.js', path.join(fakeNodeDir, 'bin', 'npm'));
}
if (options.withEscapingNodeSymlink) {
const outsideTarget = path.join(tmpDir, 'outside-node-helper.js');
writeFileSync(outsideTarget, 'outside\n');
symlinkSync(outsideTarget, path.join(fakeNodeDir, 'bin', 'npm'));
}
if (options.withNodeSymlinkCycle) {
symlinkSync('../bin', path.join(fakeNodeDir, 'bin', 'cycle'));
}
const archive = path.join(tmpDir, 'node-v22.0.0-linux-x64.tar.gz');
execFileSync(
'tar',
['-czf', archive, '-C', tmpDir, path.basename(fakeNodeDir)],
{
env: { ...process.env, LC_ALL: 'C' },
stdio: 'ignore',
},
);
return archive;
}
function createBadUnixNodeArchive(tmpDir) {
const fakeRuntimeDir = path.join(tmpDir, 'not-node');
mkdirSync(fakeRuntimeDir, { recursive: true });
writeFileSync(path.join(fakeRuntimeDir, 'README.txt'), 'not node\n');
const archive = path.join(tmpDir, 'bad-runtime.tar.gz');
execFileSync('tar', ['-czf', archive, '-C', tmpDir, 'not-node'], {
env: { ...process.env, LC_ALL: 'C' },
stdio: 'ignore',
});
return archive;
}
function createBadWindowsNodeArchive(tmpDir) {
const fakeRuntimeDir = path.join(tmpDir, 'not-node');
mkdirSync(fakeRuntimeDir, { recursive: true });
writeFileSync(path.join(fakeRuntimeDir, 'README.txt'), 'not node\n');
const archive = path.join(tmpDir, 'bad-runtime.zip');
createZipForTest(archive, tmpDir, path.basename(fakeRuntimeDir));
return archive;
}
function createFakeWindowsNodeArchive(tmpDir) {
const fakeNodeDir = path.join(tmpDir, 'node-v22.0.0-win-x64');
mkdirSync(fakeNodeDir, { recursive: true });
writeFileSync(path.join(fakeNodeDir, 'node.exe'), 'fake node.exe\n');
const archive = path.join(tmpDir, 'node-v22.0.0-win-x64.zip');
createZipForTest(archive, tmpDir, path.basename(fakeNodeDir));
return archive;
}
function createFakeWindowsStandaloneArchive(tmpDir) {
const packageRoot = path.join(tmpDir, 'qwen-code');
const outDir = path.join(tmpDir, 'out');
mkdirSync(path.join(packageRoot, 'bin'), { recursive: true });
mkdirSync(path.join(packageRoot, 'node'), { recursive: true });
mkdirSync(outDir, { recursive: true });
writeFileSync(
path.join(packageRoot, 'bin', 'qwen.cmd'),
['@echo off', 'echo 0.0.0-smoke', ''].join('\r\n'),
);
writeFileSync(path.join(packageRoot, 'node', 'node.exe'), 'fake node.exe\n');
writeFileSync(
path.join(packageRoot, 'manifest.json'),
JSON.stringify({ name: '@qwen-code/qwen-code', target: 'win-x64' }),
);
const archive = path.join(outDir, 'qwen-code-win-x64.zip');
createZipForTest(archive, tmpDir, path.basename(packageRoot));
writeChecksumFile(outDir, path.basename(archive));
return archive;
}
function createFakeWindowsNpmTools(fakeBin) {
mkdirSync(fakeBin, { recursive: true });
writeFileSync(
path.join(fakeBin, 'node.cmd'),
['@echo off', 'if "%~1"=="-p" echo 22.0.0', 'exit /b 0', ''].join('\r\n'),
);
writeFileSync(
path.join(fakeBin, 'npm.cmd'),
[
'@echo off',
'if "%~1"=="-v" echo 10.0.0 & exit /b 0',
'if "%~1"=="prefix" echo %QWEN_FAKE_NPM_PREFIX% & exit /b 0',
'if "%~1"=="install" echo %* > "%QWEN_FAKE_NPM_LOG%" & exit /b 0',
'exit /b 0',
'',
].join('\r\n'),
);
writeFileSync(
path.join(fakeBin, 'qwen.cmd'),
['@echo off', 'echo 0.0.0-npm', ''].join('\r\n'),
);
}
function prependWindowsPath(directory) {
const pathKey =
Object.keys(process.env).find((key) => key.toLowerCase() === 'path') ||
'Path';
return {
[pathKey]: `${directory};${process.env[pathKey] || ''}`,
};
}
function createZipForTest(archive, cwd, entry) {
if (process.platform === 'win32') {
execFileSync(
'powershell',
[
'-NoProfile',
'-ExecutionPolicy',
'Bypass',
'-Command',
'Compress-Archive -LiteralPath $env:QWEN_TEST_ZIP_ENTRY -DestinationPath $env:QWEN_TEST_ZIP_ARCHIVE -Force',
],
{
env: {
...process.env,
QWEN_TEST_ZIP_ENTRY: path.join(cwd, entry),
QWEN_TEST_ZIP_ARCHIVE: archive,
},
stdio: 'ignore',
},
);
return;
}
execFileSync('zip', ['-qr', archive, entry], {
cwd,
stdio: 'ignore',
});
}
function extractZipForTest(archive, destination) {
if (process.platform === 'win32') {
execFileSync(
'powershell',
[
'-NoProfile',
'-ExecutionPolicy',
'Bypass',
'-Command',
'Expand-Archive -LiteralPath $env:QWEN_TEST_ZIP_ARCHIVE -DestinationPath $env:QWEN_TEST_ZIP_DESTINATION -Force',
],
{
env: {
...process.env,
QWEN_TEST_ZIP_ARCHIVE: archive,
QWEN_TEST_ZIP_DESTINATION: destination,
},
stdio: 'ignore',
},
);
return;
}
execFileSync('unzip', ['-q', archive, '-d', destination], {
stdio: 'ignore',
});
}
function packageFakeStandalone(tmpDir, nodeArchiveOptions = {}) {
const outDir = path.join(tmpDir, 'out');
mkdirSync(outDir, { recursive: true });
execFileSync(
'node',
[
'scripts/create-standalone-package.js',
'--target',
'linux-x64',
'--node-archive',
createFakeNodeArchive(tmpDir, nodeArchiveOptions),
'--out-dir',
outDir,
'--version',
'0.0.0-smoke',
],
{ stdio: 'pipe' },
);
return path.join(outDir, 'qwen-code-linux-x64.tar.gz');
}
function runUnixInstaller(
archive,
installRoot,
home,
method = 'standalone',
extraEnv = {},
) {
mkdirSync(home, { recursive: true });
try {
return execFileSync(
'bash',
[
'scripts/installation/install-qwen-standalone.sh',
'--method',
method,
'--archive',
archive,
'--source',
'smoke',
],
{
env: {
...process.env,
HOME: home,
QWEN_INSTALL_ROOT: installRoot,
...extraEnv,
},
stdio: 'pipe',
},
);
} catch (error) {
const processError = error;
throw new Error(
[
processError.message,
processError.stdout?.toString() || '',
processError.stderr?.toString() || '',
].join('\n'),
);
}
}
function runWindowsInstaller(
archive,
installRoot,
home,
method = 'standalone',
extraEnv = {},
) {
mkdirSync(home, { recursive: true });
try {
return runWindowsCommand(
[
`call "${path.resolve('scripts/installation/install-qwen-standalone.bat')}"`,
'--method',
method,
'--archive',
`"${archive}"`,
'--source',
'smoke',
].join(' '),
{
USERPROFILE: home,
QWEN_INSTALL_ROOT: installRoot,
...extraEnv,
},
);
} catch (error) {
const processError = error;
throw new Error(
[
processError.message,
processError.stdout?.toString() || '',
processError.stderr?.toString() || '',
].join('\n'),
);
}
}
function runWindowsCommand(command, env = {}) {
return execFileSync(process.env.ComSpec || 'cmd.exe', ['/d', '/c', command], {
env: {
...process.env,
...env,
},
stdio: 'pipe',
// cmd.exe parses the command string itself; preserve quoted paths.
windowsVerbatimArguments: true,
});
}
function createSymlinkStandaloneArchive(tmpDir) {
const packageRoot = path.join(tmpDir, 'malicious', 'qwen-code');
mkdirSync(path.join(packageRoot, 'bin'), { recursive: true });
mkdirSync(path.join(packageRoot, 'node', 'bin'), { recursive: true });
symlinkSync('/usr/bin/env', path.join(packageRoot, 'bin', 'qwen'));
writeFileSync(
path.join(packageRoot, 'node', 'bin', 'node'),
'#!/usr/bin/env sh\necho 0.0.0-smoke\n',
);
chmodSync(path.join(packageRoot, 'node', 'bin', 'node'), 0o755);
writeFileSync(
path.join(packageRoot, 'manifest.json'),
JSON.stringify({ name: '@qwen-code/qwen-code', target: 'linux-x64' }),
);
const outDir = path.join(tmpDir, 'out');
mkdirSync(outDir, { recursive: true });
const archive = path.join(outDir, 'qwen-code-linux-x64.tar.gz');
execFileSync(
'tar',
['-czf', archive, '-C', path.dirname(packageRoot), 'qwen-code'],
{
env: { ...process.env, LC_ALL: 'C' },
stdio: 'ignore',
},
);
writeChecksumFile(outDir, path.basename(archive));
return archive;
}
function createTraversalStandaloneArchive(tmpDir) {
const maliciousRoot = path.join(tmpDir, 'malicious');
const packageRoot = path.join(maliciousRoot, 'qwen-code');
mkdirSync(path.join(packageRoot, 'bin'), { recursive: true });
mkdirSync(path.join(packageRoot, 'node', 'bin'), { recursive: true });
writeFileSync(
path.join(packageRoot, 'bin', 'qwen'),
'#!/usr/bin/env sh\necho 0.0.0-smoke\n',
);
chmodSync(path.join(packageRoot, 'bin', 'qwen'), 0o755);
writeFileSync(
path.join(packageRoot, 'node', 'bin', 'node'),
'#!/usr/bin/env sh\necho 0.0.0-smoke\n',
);
chmodSync(path.join(packageRoot, 'node', 'bin', 'node'), 0o755);
writeFileSync(
path.join(packageRoot, 'manifest.json'),
JSON.stringify({ name: '@qwen-code/qwen-code', target: 'linux-x64' }),
);
writeFileSync(path.join(tmpDir, 'qwen-slip'), 'path traversal\n');
const outDir = path.join(tmpDir, 'out');
mkdirSync(outDir, { recursive: true });
const archive = path.join(outDir, 'qwen-code-linux-x64.zip');
execFileSync('zip', ['-qr', archive, 'qwen-code', '../qwen-slip'], {
cwd: maliciousRoot,
stdio: 'ignore',
});
writeChecksumFile(outDir, path.basename(archive));
return archive;
}
function writeChecksumFile(outDir, archiveName) {
const archive = path.join(outDir, archiveName);
const hash = crypto
.createHash('sha256')
.update(readFileSync(archive))
.digest('hex');
writeFileSync(path.join(outDir, 'SHA256SUMS'), `${hash} ${archiveName}\n`);
}
function writeStandaloneReleaseAssets(outDir, archiveNames) {
mkdirSync(outDir, { recursive: true });
for (const assetName of archiveNames) {
writeFileSync(path.join(outDir, assetName), `${assetName}\n`);
}
writeStandaloneReleaseChecksums(outDir, archiveNames);
}
function writeStandaloneReleaseChecksums(outDir, archiveNames) {
const lines = archiveNames.map((assetName) => {
const filePath = path.join(outDir, assetName);
const hash = existsSync(filePath)
? crypto.createHash('sha256').update(readFileSync(filePath)).digest('hex')
: 'a'.repeat(64);
return `${hash} ${assetName}`;
});
writeFileSync(path.join(outDir, 'SHA256SUMS'), `${lines.join('\n')}\n`);
}
function placeholderChecksumContent(archiveNames) {
return `${archiveNames
.map(
(assetName) =>
`${crypto
.createHash('sha256')
.update(`${assetName}\n`)
.digest('hex')} ${assetName}`,
)
.join('\n')}\n`;
}
function escapeRegExp(value) {
return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
Reference in a new issue View git blame Copy permalink