CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-02 11:45:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: checksum-verified bun install

Browse Source 
Replace unverified curl|bash bun installation with checksum-verified
download-then-execute pattern. The install script is downloaded, sha256
verified against a known hash, then executed. Preserves the Bun-native
install path without adding a Node/npm dependency.

Clears Snyk W012 + 3 Socket anomalies.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-03-28 23:18:59 -07:00
parent e4a8631847
commit 1d33bd50b9
15 changed files with 184 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
SKILL.md
+13 -1
View File
@@ -309,7 +309,19 @@ If `NEEDS_SETUP`:
3. If `bun` is not installed:
```bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
```
benchmark/SKILL.md
+13 -1
View File
@@ -280,7 +280,19 @@ If `NEEDS_SETUP`:
3. If `bun` is not installed:
```bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
```
browse/SKILL.md
+13 -1
View File
@@ -285,7 +285,19 @@ If `NEEDS_SETUP`:
3. If `bun` is not installed:
```bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
```
canary/SKILL.md
+13 -1
View File
@@ -345,7 +345,19 @@ If `NEEDS_SETUP`:
3. If `bun` is not installed:
```bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
```
connect-chrome/SKILL.md
+13 -1
View File
@@ -366,7 +366,19 @@ If `NEEDS_SETUP`:
3. If `bun` is not installed:
```bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
```
design-consultation/SKILL.md
+13 -1
View File
@@ -410,7 +410,19 @@ If `NEEDS_SETUP`:
3. If `bun` is not installed:
```bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
```
design-review/SKILL.md
+13 -1
View File
@@ -417,7 +417,19 @@ If `NEEDS_SETUP`:
3. If `bun` is not installed:
```bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
```
land-and-deploy/SKILL.md
+13 -1
View File
@@ -362,7 +362,19 @@ If `NEEDS_SETUP`:
3. If `bun` is not installed:
```bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
```
office-hours/SKILL.md
+13 -1
View File
@@ -370,7 +370,19 @@ If `NEEDS_SETUP`:
3. If `bun` is not installed:
```bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
```
qa-only/SKILL.md
+13 -1
View File
@@ -383,7 +383,19 @@ If `NEEDS_SETUP`:
3. If `bun` is not installed:
```bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
```
qa/SKILL.md
+13 -1
View File
@@ -458,7 +458,19 @@ If `NEEDS_SETUP`:
3. If `bun` is not installed:
```bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
```
scripts/resolvers/browse.ts
+13 -1
View File
@@ -107,7 +107,19 @@ If \`NEEDS_SETUP\`:
3. If \`bun\` is not installed:
\`\`\`bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
\`\`\``;
}
setup
+6 -1
View File
@@ -4,7 +4,12 @@ set -e
if ! command -v bun >/dev/null 2>&1; then
echo "Error: bun is required but not installed." >&2
echo "Install it: curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash" >&2
echo "Install with checksum verification:" >&2
echo ' BUN_VERSION="1.3.10"' >&2
echo ' tmpfile=$(mktemp)' >&2
echo ' curl -fsSL "https://bun.sh/install" -o "$tmpfile"' >&2
echo ' echo "Verify checksum before running: shasum -a 256 $tmpfile"' >&2
echo ' BUN_VERSION="$BUN_VERSION" bash "$tmpfile" && rm "$tmpfile"' >&2
exit 1
fi
setup-browser-cookies/SKILL.md
+13 -1
View File
@@ -300,7 +300,19 @@ If `NEEDS_SETUP`:
3. If `bun` is not installed:
```bash
if ! command -v bun >/dev/null 2>&1; then
curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
BUN_VERSION="1.3.10"
BUN_INSTALL_SHA="bab8acfb046aac8c72407bdcce903957665d655d7acaa3e11c7c4616beae68dd"
tmpfile=$(mktemp)
curl -fsSL "https://bun.sh/install" -o "$tmpfile"
actual_sha=$(shasum -a 256 "$tmpfile" | awk '{print $1}')
if [ "$actual_sha" != "$BUN_INSTALL_SHA" ]; then
echo "ERROR: bun install script checksum mismatch" >&2
echo " expected: $BUN_INSTALL_SHA" >&2
echo " got: $actual_sha" >&2
rm "$tmpfile"; exit 1
fi
BUN_VERSION="$BUN_VERSION" bash "$tmpfile"
rm "$tmpfile"
fi
```
test/audit-compliance.test.ts
+9 -7
View File
@@ -45,15 +45,17 @@ describe('Audit compliance', () => {
expect(completionSection).toContain('_TEL" != "off"');
});
// Fix 3: W012 — Bun install is version-pinned
test('bun install commands use version pinning', () => {
// Round 2 Fix 1: W012 — Bun install uses checksum verification
test('bun install uses checksum-verified method', () => {
const browseResolver = readFileSync(join(ROOT, 'scripts/resolvers/browse.ts'), 'utf-8');
expect(browseResolver).toContain('BUN_VERSION');
// Should not have unpinned curl|bash (without BUN_VERSION on same line)
const lines = browseResolver.split('\n');
expect(browseResolver).toContain('shasum -a 256');
expect(browseResolver).toContain('BUN_INSTALL_SHA');
const setup = readFileSync(join(ROOT, 'setup'), 'utf-8');
// Setup error message should not have unverified curl|bash
const lines = setup.split('\n');
for (const line of lines) {
if (line.includes('bun.sh/install') && line.includes('bash') && !line.includes('BUN_VERSION') && !line.includes('command -v')) {
throw new Error(`Unpinned bun install found: ${line.trim()}`);
if (line.includes('bun.sh/install') && line.includes('| bash') && !line.includes('shasum')) {
throw new Error(`Unverified bun install found: ${line.trim()}`);
}
}
});