spawn

vrr/spawn

mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-11 21:40:48 +00:00

History

A 988f5bb7a9 fix(security): validate bun path before symlinking in install.sh (fixes #3009 ) (#3011 ) Add allowlist validation for the bun binary path resolved via `command -v bun` before using it in symlink operations that may run with sudo privileges. If bun is found at an unexpected location, skip the symlink and warn the user. This prevents a privilege escalation attack where a malicious binary on PATH could be symlinked to /usr/local/bin/bun with elevated privileges. Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-26 05:37:45 -07:00
..
install.ps1	refactor: remove packages/shared, deduplicate with CLI shared (#2257 )	2026-03-06 21:58:42 -05:00
install.sh	fix(security): validate bun path before symlinking in install.sh (fixes #3009 ) (#3011 )	2026-03-26 05:37:45 -07:00

fix(security): validate bun path before symlinking in install.sh (fixes #3009 ) (#3011 )

Add allowlist validation for the bun binary path resolved via `command -v bun`
before using it in symlink operations that may run with sudo privileges. If bun
is found at an unexpected location, skip the symlink and warn the user. This
prevents a privilege escalation attack where a malicious binary on PATH could be
symlinked to /usr/local/bin/bun with elevated privileges.

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-26 05:37:45 -07:00

install.ps1

refactor: remove packages/shared, deduplicate with CLI shared (#2257 )

2026-03-06 21:58:42 -05:00

install.sh

fix(security): validate bun path before symlinking in install.sh (fixes #3009 ) (#3011 )

2026-03-26 05:37:45 -07:00