From fd7f30d53aa996cbc11d27220d71829c44b586b5 Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Mon, 13 Apr 2026 09:34:40 -0700 Subject: [PATCH] fix(security): enforce frozen lockfile during setup bun install without --frozen-lockfile resolves ^semver ranges from npm on every run. If an attacker publishes a compromised compatible version of any dependency, the next ./setup pulls it silently. Add --frozen-lockfile with fallback to plain install (for fresh clones where bun.lock may not exist yet). Matches the pattern already used in the .agents/ generation block (line 237). Closes #614 Co-Authored-By: Alberto Martinez --- setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup b/setup index f71f4552..1611a454 100755 --- a/setup +++ b/setup @@ -208,7 +208,7 @@ if [ "$NEEDS_BUILD" -eq 1 ]; then log "Building browse binary..." ( cd "$SOURCE_GSTACK_DIR" - bun install + bun install --frozen-lockfile 2>/dev/null || bun install bun run build ) # Safety net: write .version if build script didn't (e.g., git not available during build)
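Review bot: the `|| bun install` fallback in the setup hunk reopens the hole the commit message describes. `bun install --frozen-lockfile` exits non-zero not only when the lockfile is missing but also when it is present and out of sync with package.json; with `2>/dev/null` hiding the diagnostic, that case silently falls through to a plain `bun install`, which resolves the `^semver` ranges from the registry, exactly the behaviour this patch sets out to stop. Gate the fallback on the lockfile's existence instead of on the exit status, so that a stale lockfile fails the build loudly:
`if [ -f bun.lock ]; then bun install --frozen-lockfile; else bun install; fi`
(the message names `bun.lock`; if older checkouts may carry `bun.lockb`, test for both). Since the message says the same `2>/dev/null || bun install` pattern already exists in the `.agents/` generation block, the same change should be applied there rather than copied from it. Consider also committing `bun.lock` so the fresh-clone fallback is never needed and the frozen install is unconditional.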