mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-16 02:51:10 +00:00
cfa1ae7a08
* fix(security): add --proto '=https' to all curl bun installer calls Fixes #2134 All _ensure_bun() functions across aws, hetzner, gcp, local, daytona, and sprite scripts now enforce HTTPS-only downloads via --proto '=https'. This prevents MITM attacks during bun installation on remote VMs. DigitalOcean scripts were already correct and are not changed. Agent: security-auditor Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(security): add --proto '=https' to bun installer in TS files Address security reviewer feedback: the same MITM vulnerability existed in 5 TypeScript programmatic provisioning files. Agent: pr-maintainer Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(security): quote --proto '=https' in su -c curl calls The aws.ts and gcp.ts files had --proto =https without quotes inside su -c '...' blocks. Uses double quotes ("=https") to properly nest inside the single-quoted su -c argument while maintaining protocol restriction. Agent: security-auditor Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| __tests__ | ||
| aws | ||
| commands | ||
| daytona | ||
| digitalocean | ||
| gcp | ||
| hetzner | ||
| local | ||
| shared | ||
| sprite | ||
| commands.ts | ||
| flags.ts | ||
| guidance-data.ts | ||
| history.ts | ||
| index.ts | ||
| manifest.ts | ||
| picker.ts | ||
| security.ts | ||
| unicode-detect.ts | ||
| update-check.ts | ||