From 729bb0c8ff7efd5c956e3e877eb4262f1d70e8d1 Mon Sep 17 00:00:00 2001
From: ghost <49853598+JSONbored@users.noreply.github.com>
Date: Tue, 5 May 2026 05:45:04 -0600
Subject: [PATCH] fix(security): verify npm bin links via install

---
 scripts/verify-npm-release.sh | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/scripts/verify-npm-release.sh b/scripts/verify-npm-release.sh
index 0148007..7d23aba 100755
--- a/scripts/verify-npm-release.sh
+++ b/scripts/verify-npm-release.sh
@@ -22,13 +22,8 @@ console.log(`${metadata.name}@${metadata.version} ${metadata.dist.integrity}`);
 ' "${metadata}" "${package}" "${version}"
 tarball="$(npm pack "${package}@${version}" --silent --pack-destination "${tmp_dir}")"
-tar -xzf "${tmp_dir}/${tarball}" -C "${tmp_dir}"
-package_dir="${tmp_dir}/package"
 prefix="${tmp_dir}/prefix"
-mkdir -p "${prefix}/bin"
-chmod 0755 "${package_dir}/bin/nightward.mjs"
-ln -s "${package_dir}/bin/nightward.mjs" "${prefix}/bin/nightward"
-ln -s "${package_dir}/bin/nightward.mjs" "${prefix}/bin/nw"
+npm install --global --prefix "${prefix}" --ignore-scripts --no-audit "${tmp_dir}/${tarball}"
 PATH="${prefix}/bin:${PATH}" nightward --version | grep -Fx "${version}"
 PATH="${prefix}/bin:${PATH}" nw --version | grep -Fx "${version}"
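Review bot: The two `--version` checks after the new `npm install` line still resolve `nightward` and `nw` through `PATH="${prefix}/bin:${PATH}"`, so they do not prove that npm created the links: if the install produces no bin entries (for example under a `bin-links=false` npm config or with a missing `bin` field) and a copy of the same version is already on the runner's PATH, both greps pass. Now that the script no longer creates the links itself, invoke them by absolute path, `"${prefix}/bin/nightward" --version | grep -Fx "${version}"` and `"${prefix}/bin/nw" --version | grep -Fx "${version}"`. Unlike the removed `tar`/`ln` steps, `npm install` of the tarball presumably also resolves any runtime dependencies from the registry, and `--ignore-scripts` does not stop their code from running when the binary is executed, so this check is best run in a throwaway environment. The script's opening lines (including any `set -e` that would make a failed install abort the run) are outside the hunk.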