vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-12 06:00:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8
spawn/sh/shared
History
A 1097f055c3
fix(security): add --proto '=https' to all curl executable downloads (#2160) 
42 curl calls downloading JS bundles, CLI binaries, and gh CLI tarballs
were missing --proto '=https', allowing protocol downgrade attacks on
hostile networks. PR #2138 fixed bun installer calls; this closes the
remaining gap for executable downloads.

Fixes applied:
- sh/{sprite,aws,gcp,hetzner,daytona,local}/{claude,codex,openclaw,opencode,kilocode,hermes,zeroclaw}.sh (42 files)
- sh/cli/install.sh (cli.js download)
- sh/shared/github-auth.sh (keyring, API, tarball downloads)

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-03 23:38:03 -05:00
..
github-auth.sh fix(security): add --proto '=https' to all curl executable downloads (#2160) 2026-03-03 23:38:03 -05:00
key-request.sh fix(security): remove space from token validation charset in key-request.sh (#2074) 2026-03-01 17:10:22 -05:00