spawn/sh
A 7444c3bbc6
fix: verify bun installer SHA-256 before executing in install.sh (#2463) (#2473)
Why: The curl|bash pattern for bun installation was an unverified supply
chain dependency. Now the installer is downloaded to a temp file and its
SHA-256 hash is verified against a known-good value before execution.
Falls back gracefully if sha256sum/shasum is unavailable.

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-10 18:39:41 -07:00
aws fix: pin bun install to v1.3.9 in all agent scripts (#2345) 2026-03-08 12:47:18 -04:00
cli fix: verify bun installer SHA-256 before executing in install.sh (#2463) (#2473) 2026-03-10 18:39:41 -07:00
digitalocean fix: pin bun install to v1.3.9 in all agent scripts (#2345) 2026-03-08 12:47:18 -04:00
docker fix: pin bun install to v1.3.9 in all agent scripts (#2345) 2026-03-08 12:47:18 -04:00
e2e fix: secure curl header args and provision.sh export whitelist (fixes #2464, fixes #2465) (#2471) 2026-03-10 17:54:32 -07:00
gcp fix: pin bun install to v1.3.9 in all agent scripts (#2345) 2026-03-08 12:47:18 -04:00
hetzner fix: pin bun install to v1.3.9 in all agent scripts (#2345) 2026-03-08 12:47:18 -04:00
local fix: pin bun install to v1.3.9 in all agent scripts (#2345) 2026-03-08 12:47:18 -04:00
shared fix(security): fail on chmod error in github-auth.sh token persistence (#2375) 2026-03-09 08:18:07 -04:00
sprite fix: pin bun install to v1.3.9 in all agent scripts (#2345) 2026-03-08 12:47:18 -04:00
test refactor: Remove dead code and stale references (#2062) 2026-03-01 11:45:24 -05:00