spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-18 06:20:35 +00:00

History

B 433036b978 fix(install): add SHA-256 verification for cli.js download The install script downloads cli.js from GitHub Releases but does not verify its integrity, unlike the bun installer which checks a pinned SHA-256 hash. This adds checksum verification using a companion cli.js.sha256 release artifact (same pattern as the bun hash check). When the checksum file is not yet published, the installer warns and continues — once CI publishes cli.js.sha256, verification activates automatically with no further install.sh changes needed. Fixes #3327 Agent: security-auditor Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-05-14 14:52:11 +00:00
..
install.ps1	refactor: remove packages/shared, deduplicate with CLI shared (#2257 )	2026-03-06 21:58:42 -05:00
install.sh	fix(install): add SHA-256 verification for cli.js download	2026-05-14 14:52:11 +00:00

B 433036b978 fix(install): add SHA-256 verification for cli.js download

The install script downloads cli.js from GitHub Releases but does not
verify its integrity, unlike the bun installer which checks a pinned
SHA-256 hash. This adds checksum verification using a companion
cli.js.sha256 release artifact (same pattern as the bun hash check).

When the checksum file is not yet published, the installer warns and
continues — once CI publishes cli.js.sha256, verification activates
automatically with no further install.sh changes needed.

Fixes #3327

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-05-14 14:52:11 +00:00

install.ps1

refactor: remove packages/shared, deduplicate with CLI shared (#2257 )

2026-03-06 21:58:42 -05:00

install.sh

fix(install): add SHA-256 verification for cli.js download

2026-05-14 14:52:11 +00:00