fix(security): pin SPM dependency to revision SHA [DEVA11Y-477]#17

Open
sunny-se wants to merge 1 commit into main from fix/DEVA11Y-477-pin-spm-dependency

Conversation

Collaborator

@sunny-se sunny-se commented May 26, 2026

Summary

  • DEVA11Y-477 / F-005 — The setup() function in scripts/{bash,zsh,fish}/spm.sh generated a temporary Package.swift pinning the AccessibilityDevTools dependency to branch: "main" (mutable ref, CWE-829). Any push to main could execute arbitrary code in the SPM plugin sandbox.
  • Changed all 3 scripts to pin to revision: "0428b322b00494b19e44c20c37502a0ee31af642" (current main HEAD) for supply-chain integrity.

Files changed

  • scripts/bash/spm.sh
  • scripts/zsh/spm.sh
  • scripts/fish/spm.sh

Note

The pinned revision SHA should be updated whenever a new release is cut, to track the latest verified commit.

Jira

DEVA11Y-477

🤖 Generated with Claude Code

F-005 / DEVA11Y-477 — The generated Package.swift pinned the
AccessibilityDevTools dependency to branch "main" (CWE-829),
allowing any push to main to execute in the plugin sandbox.
Pin to a specific revision SHA for supply-chain integrity.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sunny-se sunny-se requested a review from a team as a code owner May 26, 2026 09:00
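As an added illustration (not the PR's own spm.sh scripts), a POSIX shell sketch of both sides of this fix: a generator that writes the temporary Package.swift with a revision pin only when the ref is a full commit SHA, and a check that flags the mutable branch: form the PR removes. The package URL is a placeholder, not the real AccessibilityDevTools repository.

```shell
#!/bin/sh
# Added example, not code from the PR. PKG_URL is a placeholder for the real repo.
PKG_URL="https://example.invalid/AccessibilityDevTools.git"

# Only a full 40-character lowercase hex Git object id counts as an immutable pin;
# branch names (and anything else) are rejected.
is_commit_sha() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Emit Package.swift text pinning the dependency by revision; refuse other refs.
gen_package_swift() {
    rev="$1"
    is_commit_sha "$rev" || { echo "refusing to pin to non-SHA ref: $rev" >&2; return 1; }
    cat <<EOF
// swift-tools-version:5.9
import PackageDescription
let package = Package(
    name: "a11y-devtools-runner",
    dependencies: [
        .package(url: "$PKG_URL", revision: "$rev")
    ]
)
EOF
}

# Review check for a manifest passed as a string: print any .package(...) entry
# that resolves by branch (mutable ref, CWE-829). Returns 1 if found, 0 if clean.
check_no_mutable_ref() {
    if printf '%s\n' "$1" | grep -E '\.package\(.*branch:'; then
        echo "mutable branch ref found; pin to a revision SHA instead" >&2
        return 1
    fi
    return 0
}

# Constructed sample of the pre-fix manifest shape described in the PR.
BEFORE='let package = Package(
    dependencies: [
        .package(url: "https://example.invalid/AccessibilityDevTools.git", branch: "main")
    ]
)'
```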