mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-04-28 11:59:29 +00:00
c77cab0fff
The auto-update path in update-check.ts and the manual `spawn update` command in commands/update.ts were missing --proto '=https' on their curl calls that download and execute the install script. Without it, curl may follow redirects to non-HTTPS URLs on hostile networks (MITM/DNS hijacking). - update-check.ts: add --proto =https to execFileSync curl args - commands/update.ts: replace execSync shell pipe with safe two-step execFileSync pattern (fetch script via curl --proto =https, then execute via bash -c) — matches the pattern already in update-check.ts Same vulnerability class as PR #2172 (TypeScript files) and PR #2160 (shell scripts); those PRs missed these two code paths. Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
25 lines
617 B
JSON
25 lines
617 B
JSON
{
|
|
"name": "@openrouter/spawn",
|
|
"version": "0.12.16",
|
|
"type": "module",
|
|
"bin": {
|
|
"spawn": "cli.js"
|
|
},
|
|
"scripts": {
|
|
"dev": "bun run src/index.ts",
|
|
"build": "bun build src/index.ts --outfile cli.js --target bun --minify --packages bundle",
|
|
"compile": "bun build src/index.ts --compile --outfile spawn",
|
|
"lint": "biome lint src/",
|
|
"test": "bun test",
|
|
"test:watch": "bun test --watch"
|
|
},
|
|
"dependencies": {
|
|
"@clack/prompts": "1.0.0",
|
|
"picocolors": "1.1.1",
|
|
"valibot": "1.2.0"
|
|
},
|
|
"devDependencies": {
|
|
"@biomejs/biome": "2.4.3",
|
|
"@types/bun": "1.3.8"
|
|
}
|
|
}
|