From 1483c93215595e3789c8a2d8dcd5e15e844360a9 Mon Sep 17 00:00:00 2001
From: Sunny Sethi
Date: Tue, 26 May 2026 14:28:03 +0530
Subject: [PATCH] fix(security): use HTTPS for CLI binary download URL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

F-001 / DEVA11Y-473 — The default download URL used plaintext HTTP (CWE-319), allowing MitM to substitute a malicious binary. Switch to HTTPS to enforce TLS.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../BrowserStackAccessibilityLint.swift | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Plugins/BrowserStackAccessibilityLint/BrowserStackAccessibilityLint.swift b/Plugins/BrowserStackAccessibilityLint/BrowserStackAccessibilityLint.swift
index 117e362..1f54216 100644
--- a/Plugins/BrowserStackAccessibilityLint/BrowserStackAccessibilityLint.swift
+++ b/Plugins/BrowserStackAccessibilityLint/BrowserStackAccessibilityLint.swift
@@ -339,7 +339,7 @@ private struct BrowserStackCLIDownloader {
 private func defaultDownloadURL() throws -> URL {
 let os = try currentOSName()
 let arch = try currentArchName()
- guard let url = URL(string: "http://api.browserstack.com/sdk/v1/download_cli?os=\(os)&os_arch=\(arch)") else {
+ guard let url = URL(string: "https://api.browserstack.com/sdk/v1/download_cli?os=\(os)&os_arch=\(arch)") else {
 throw PluginError("Failed to create download URL for \(os) \(arch).")
 }
 return url
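Review bot: Changing the literal to `https://` in `defaultDownloadURL()` secures only the built-in default. The function name suggests a configured or caller-supplied URL may also exist, and nothing visible in this hunk rejects a non-HTTPS scheme on that path or after a redirect. If such an override exists, the downloader should enforce the scheme where the transfer starts, for example `guard url.scheme?.lowercased() == "https" else { throw PluginError("Download URL must use HTTPS.") }`, so the guarantee does not depend on which URL source was used. TLS authenticates the server but not the artifact, so if the downloaded CLI is executed it is worth verifying it against a pinned checksum or signature first; whether `BrowserStackCLIDownloader` already does this is not visible here. The function's closing brace and the rest of the struct lie outside the hunk.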