security: resolve two security findings#6

Merged
bitwise-fast-forward-merge[bot] merged 4 commits into bitwise-media-group:main from dmccaffery:fix/security-reports on Jun 16, 2026

Conversation

@dmccaffery

Collaborator

No description provided.

Replace the redundant fs.access existence probe with a direct fs.readFile of
the extracted binary. The separate check-then-use was a time-of-check/
time-of-use race (CodeQL js/file-system-race, CWE-367); readFile already
throws ENOENT if extraction did not produce the binary, so behaviour is
preserved and the flagged data flow is removed. Rebuilt dist/ to match src/.

Resolves: code-scanning alert bitwise-media-group#3
Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
@github-actions

Contributor

Note

Merging this PR: this repository merges by fast-forward so every
commit keeps its original signature. The GitHub merge button is not used.
Once this PR is approved and all checks pass, a maintainer merges it by
commenting /merge on the PR.

The branch must be up to date with main (rebased and re-signed) to
fast-forward. If /merge reports it is not fast-forwardable, rebase onto
main and comment /merge again.

…itwise-media-group#3

integration code downloading a fixed trusted release URL into a throwaway temp
dir purely to exercise signature verification. bitwise-media-group#3 (js/file-system-race)
recorded as remediated by the accompanying install fix.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
dmccaffery force-pushed the fix/security-reports branch from 3904d4d to 4f6b725 on June 16, 2026 16:34
Add an 'npm run pr' script (check:fix + format + all) as the single pre-commit
gate, and an AGENTS.md instructing agents to always run it before committing so
the tree is formatted, typed, tested, and dist/ stays reproducible from src/.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
@codecov

codecov Bot commented Jun 16, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.


Add unit coverage for the TOCTOU fix in downloadAndVerify: the extracted
binary is read directly (no fs.access probe) and its bytes are fed to cosign
verification, and a missing binary fails fast with ENOENT before the signature
bundle is downloaded. Asserts fs.access is never called, so the removed
check-then-use pattern cannot regress.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
@dmccaffery

Collaborator Author

/auto-merge

bitwise-fast-forward-merge[bot] added the auto-merge label (Fast-forward this PR once it is approved and all required checks pass) Jun 16, 2026
@bitwise-fast-forward-merge


Note

Auto-merge armed. Once this PR is approved and every required check
passes, it will be fast-forwarded into the base branch automatically,
preserving every commit signature.

Remove the auto-merge label to cancel. If the branch is not
fast-forwardable, rebase onto the base branch and re-sign — CI re-runs
and the merge retries.

@bitwise-fast-forward-merge


Cannot /merge this PR yet:

  • review decision is REVIEW_REQUIRED, need APPROVED

@dmccaffery

Collaborator Author

/merge

@bitwise-fast-forward-merge


Fast-forwarded main to beb2e9077751 — original signature preserved, no re-sign.

bitwise-fast-forward-merge[bot] merged commit beb2e90 into bitwise-media-group:main Jun 16, 2026
29 of 32 checks passed