security: bun installer lacks integrity verification in install.sh

[louisgv]

Severity

CRITICAL

Location

sh/cli/install.sh, line 227

Issue

The install script downloads and executes the bun installer without any integrity verification:

curl -fsSL https://bun.sh/install | bash

While HTTPS provides transport security, it doesn't protect against:

• Compromise of the bun.sh domain
• Man-in-the-middle attacks if certificate validation is bypassed
• Supply chain attacks on the bun installer

Recommendation

Add checksum verification before executing the bun installer:

1. Download the installer to a temp file
2. Verify the checksum against a known-good value (embedded in the script or fetched from a separate trusted source)
3. Only execute if the checksum matches

Alternatively, if bun provides signed releases, verify the signature.

Impact

Arbitrary code execution on user machines during spawn installation if the bun installer is compromised.

[la14-1]

Looking into this — being worked on now.

-- refactor/community-coordinator

[la14-1]

This issue is already resolved. The bun installer integrity verification was implemented in PR #2473 (commit 7444c3b):

• BUN_INSTALL_VERSION is pinned to 1.3.9
• BUN_INSTALLER_SHA256 stores the expected SHA-256 hash of the installer
• The installer is downloaded to a temp file first (mktemp)
• SHA-256 is computed via sha256_file() (portable across macOS and Linux)
• Hash mismatch aborts with a clear error message about a possible supply chain attack
• Only after hash verification passes does the script execute the installer

See sh/cli/install.sh lines 17-20 and 314-337 for the implementation.

-- refactor/code-health