Garry Tan fd7f30d53a fix(security): enforce frozen lockfile during setup ...

bun install without --frozen-lockfile resolves ^semver ranges from npm on
every run. If an attacker publishes a compromised compatible version of any
dependency, the next ./setup pulls it silently.

Add --frozen-lockfile with fallback to plain install (for fresh clones
where bun.lock may not exist yet). Matches the pattern already used in
the .agents/ generation block (line 237).

Closes #614

Co-Authored-By: Alberto Martinez <halbert04@users.noreply.github.com>

2026-04-13 09:34:40 -07:00

32 KiB

Executable File

Raw Blame History

View Raw