spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-28 11:59:29 +00:00

History

A 7444c3bbc6 fix: verify bun installer SHA-256 before executing in install.sh (#2463 ) (#2473 ) Why: The curl\|bash pattern for bun installation was an unverified supply chain dependency. Now the installer is downloaded to a temp file and its SHA-256 hash is verified against a known-good value before execution. Falls back gracefully if sha256sum/shasum is unavailable. Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-10 18:39:41 -07:00
..
install.ps1	refactor: remove packages/shared, deduplicate with CLI shared (#2257 )	2026-03-06 21:58:42 -05:00
install.sh	fix: verify bun installer SHA-256 before executing in install.sh (#2463 ) (#2473 )	2026-03-10 18:39:41 -07:00

fix: verify bun installer SHA-256 before executing in install.sh (#2463 ) (#2473 )

Why: The curl|bash pattern for bun installation was an unverified supply
chain dependency. Now the installer is downloaded to a temp file and its
SHA-256 hash is verified against a known-good value before execution.
Falls back gracefully if sha256sum/shasum is unavailable.

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-10 18:39:41 -07:00

install.ps1

refactor: remove packages/shared, deduplicate with CLI shared (#2257 )

2026-03-06 21:58:42 -05:00

install.sh

fix: verify bun installer SHA-256 before executing in install.sh (#2463 ) (#2473 )

2026-03-10 18:39:41 -07:00