feat(unstable): single checksum per JSR package in the lockfile (#22421)

This changes the lockfile to not store JSR specifiers in the "remote"
section. Instead a single JSR integrity is stored per package in the
lockfile, which is a hash of the version's `x.x.x_meta.json` file, which
contains hashes for every file in the package. The hashes in this file
are then compared against when loading.

Additionally, when using `{ "vendor": true }` in a deno.json, the files
can be modified without causing lockfile errors—the checksum is only
checked when copying into the vendor folder and not afterwards
(eventually we should add this behaviour for non-jsr specifiers as
well). As part of this change, the `vendor` folder creation is not
always automatic in the LSP and running an explicit cache command is
necessary. The code required to track checksums in the LSP would have
been too complex for this PR, so that all goes through deno_graph now.
The vendoring is still automatic when running from the CLI.

1 files changed, 165 insertions, 0 deletions

diff --git a/tests/integration/jsr_tests.rs b/tests/integration/jsr_tests.rs
index 51cfcfaac..b6e4d8a4f 100644
--- a/tests/integration/jsr_tests.rs
+++ b/tests/integration/jsr_tests.rs
@@ -1,5 +1,6 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 
+use deno_core::serde_json::json;
 use deno_core::serde_json::Value;
 use deno_lockfile::Lockfile;
 use test_util as util;
@@ -182,3 +183,167 @@ fn reload_info_not_found_cache_but_exists_remote() {
     ))
     .assert_exit_code(0);
 }
+
+#[test]
+fn lockfile_bad_package_integrity() {
+  let test_context = TestContextBuilder::for_jsr().use_temp_cwd().build();
+  let temp_dir = test_context.temp_dir();
+
+  temp_dir.write(
+    "main.ts",
+    r#"import version from "jsr:@denotest/no_module_graph@0.1";
+
+console.log(version);"#,
+  );
+  temp_dir.write("deno.json", "{}"); // to automatically create a lockfile
+
+  test_context
+    .new_command()
+    .args("run --quiet main.ts")
+    .run()
+    .assert_matches_text("0.1.1\n");
+
+  let lockfile_path = temp_dir.path().join("deno.lock");
+  let mut lockfile = Lockfile::new(lockfile_path.to_path_buf(), false).unwrap();
+  let pkg_name = "@denotest/no_module_graph@0.1.1";
+  let original_integrity = get_lockfile_pkg_integrity(&lockfile, pkg_name);
+  set_lockfile_pkg_integrity(&mut lockfile, pkg_name, "bad_integrity");
+  lockfile_path.write(lockfile.as_json_string());
+
+  let actual_integrity =
+    test_context.get_jsr_package_integrity("@denotest/no_module_graph/0.1.1");
+  let integrity_check_failed_msg = format!("error: Integrity check failed for http://127.0.0.1:4250/@denotest/no_module_graph/0.1.1_meta.json
+
+Actual: {}
+Expected: bad_integrity
+    at file:///[WILDCARD]/main.ts:1:21
+", actual_integrity);
+  test_context
+    .new_command()
+    .args("run --quiet main.ts")
+    .run()
+    .assert_matches_text(&integrity_check_failed_msg)
+    .assert_exit_code(1);
+
+  // now try with a vendor folder
+  temp_dir
+    .path()
+    .join("deno.json")
+    .write_json(&json!({ "vendor": true }));
+
+  // should fail again
+  test_context
+    .new_command()
+    .args("run --quiet main.ts")
+    .run()
+    .assert_matches_text(&integrity_check_failed_msg)
+    .assert_exit_code(1);
+
+  // now update to the correct integrity
+  set_lockfile_pkg_integrity(&mut lockfile, pkg_name, &original_integrity);
+  lockfile_path.write(lockfile.as_json_string());
+
+  // should pass now
+  test_context
+    .new_command()
+    .args("run --quiet main.ts")
+    .run()
+    .assert_matches_text("0.1.1\n")
+    .assert_exit_code(0);
+
+  // now update to a bad integrity again
+  set_lockfile_pkg_integrity(&mut lockfile, pkg_name, "bad_integrity");
+  lockfile_path.write(lockfile.as_json_string());
+
+  // shouldn't matter because we have a vendor folder
+  test_context
+    .new_command()
+    .args("run --quiet main.ts")
+    .run()
+    .assert_matches_text("0.1.1\n")
+    .assert_exit_code(0);
+
+  // now remove the vendor dir and it should fail again
+  temp_dir.path().join("vendor").remove_dir_all();
+
+  test_context
+    .new_command()
+    .args("run --quiet main.ts")
+    .run()
+    .assert_matches_text(&integrity_check_failed_msg)
+    .assert_exit_code(1);
+}
+
+#[test]
+fn bad_manifest_checksum() {
+  let test_context = TestContextBuilder::for_jsr().use_temp_cwd().build();
+  let temp_dir = test_context.temp_dir();
+
+  temp_dir.write(
+    "main.ts",
+    r#"import { add } from "jsr:@denotest/bad-manifest-checksum@1.0.0";
+console.log(add);"#,
+  );
+
+  // test it properly checks the checksum on download
+  test_context
+    .new_command()
+    .args("run  main.ts")
+    .run()
+    .assert_matches_text(
+      "Download http://127.0.0.1:4250/@denotest/bad-manifest-checksum/meta.json
+Download http://127.0.0.1:4250/@denotest/bad-manifest-checksum/1.0.0_meta.json
+Download http://127.0.0.1:4250/@denotest/bad-manifest-checksum/1.0.0/mod.ts
+error: Integrity check failed.
+
+Actual: 9a30ac96b5d5c1b67eca69e1e2cf0798817d9578c8d7d904a81a67b983b35cba
+Expected: bad-checksum
+    at file:///[WILDCARD]main.ts:1:21
+",
+    )
+    .assert_exit_code(1);
+
+  // test it properly checks the checksum when loading from the cache
+  test_context
+    .new_command()
+    .args("run  main.ts")
+    .run()
+    .assert_matches_text(
+      // ideally the two error messages would be the same... this one comes from
+      // deno_cache and the one above comes from deno_graph. The thing is, in deno_cache
+      // (source of this error) it makes sense to include the url in the error message
+      // because it's not always used in the context of deno_graph
+      "error: Integrity check failed for http://127.0.0.1:4250/@denotest/bad-manifest-checksum/1.0.0/mod.ts
+
+Actual: 9a30ac96b5d5c1b67eca69e1e2cf0798817d9578c8d7d904a81a67b983b35cba
+Expected: bad-checksum
+    at file:///[WILDCARD]main.ts:1:21
+",
+    )
+    .assert_exit_code(1);
+}
+
+fn get_lockfile_pkg_integrity(lockfile: &Lockfile, pkg_name: &str) -> String {
+  lockfile
+    .content
+    .packages
+    .jsr
+    .get(pkg_name)
+    .unwrap()
+    .integrity
+    .clone()
+}
+
+fn set_lockfile_pkg_integrity(
+  lockfile: &mut Lockfile,
+  pkg_name: &str,
+  integrity: &str,
+) {
+  lockfile
+    .content
+    .packages
+    .jsr
+    .get_mut(pkg_name)
+    .unwrap()
+    .integrity = integrity.to_string();
+}