mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-05-01 21:30:21 +00:00
* fix(security): add --proto '=https' to all curl bun installer calls

  Fixes #2134

  All _ensure_bun() functions across aws, hetzner, gcp, local, daytona, and sprite scripts now enforce HTTPS-only downloads via --proto '=https'. This prevents MITM attacks during bun installation on remote VMs.

  DigitalOcean scripts were already correct and are not changed.

  Agent: security-auditor
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): add --proto '=https' to bun installer in TS files

  Address security reviewer feedback: the same MITM vulnerability existed in 5 TypeScript programmatic provisioning files.

  Agent: pr-maintainer
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): quote --proto '=https' in su -c curl calls

  The aws.ts and gcp.ts files had --proto =https without quotes inside su -c '...' blocks. Uses double quotes ("=https") to properly nest inside the single-quoted su -c argument while maintaining protocol restriction.

  Agent: security-auditor
  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
||
|---|---|---|
| .. | ||
| openclaw.Dockerfile | ||