From bd124c0edefdfe17c28e25e299bbfc0cd3520634 Mon Sep 17 00:00:00 2001
From: Sunny Sethi
Date: Tue, 26 May 2026 14:29:37 +0530
Subject: [PATCH] fix(security): pin SPM dependency to revision SHA instead of branch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

F-005 / DEVA11Y-477 — The generated Package.swift pinned the AccessibilityDevTools dependency to branch "main" (CWE-829), allowing any push to main to execute in the plugin sandbox. Pin to a specific revision SHA for supply-chain integrity.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 scripts/bash/spm.sh | 2 +-
 scripts/fish/spm.sh | 2 +-
 scripts/zsh/spm.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/bash/spm.sh b/scripts/bash/spm.sh
index 1202e11..aa1ca7f 100644
--- a/scripts/bash/spm.sh
+++ b/scripts/bash/spm.sh
@@ -60,7 +60,7 @@ import PackageDescription
 let package = Package(
 name: "Dummy",
 dependencies: [
- .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", branch: "main")
+ .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", revision: "0428b322b00494b19e44c20c37502a0ee31af642")
 ],
 targets: []
 )
diff --git a/scripts/fish/spm.sh b/scripts/fish/spm.sh
index 9ac8a67..8f5cc9a 100644
--- a/scripts/fish/spm.sh
+++ b/scripts/fish/spm.sh
@@ -73,7 +73,7 @@ import PackageDescription
 let package = Package(
 name: "Dummy",
 dependencies: [
- .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", branch: "main")
+ .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", revision: "0428b322b00494b19e44c20c37502a0ee31af642")
 ],
 targets: []
 )
diff --git a/scripts/zsh/spm.sh b/scripts/zsh/spm.sh
index 35df10f..4f8f184 100644
--- a/scripts/zsh/spm.sh
+++ b/scripts/zsh/spm.sh
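Review bot: The added `.package(url:revision:)` line hard-codes the same 40-character commit independently in three generated Package.swift templates (this hunk plus the scripts/fish/spm.sh and scripts/zsh/spm.sh hunks) with nothing recording which upstream release the commit corresponds to or tying the three copies together, so a future bump is likely to land in only some of the scripts and a reviewer cannot tell what the pin represents. Give each occurrence a comment naming the upstream tag or version the SHA was taken from and stating that all three scripts must move together, e.g. `# AccessibilityDevTools pinned to <upstream tag/version — fill in> (commit 0428b322b00494b19e44c20c37502a0ee31af642); keep in sync with scripts/fish/spm.sh and scripts/zsh/spm.sh`. If the three shells can read a common definition, holding the SHA in one variable such as `ACCESSIBILITY_DEVTOOLS_REVISION` that each script interpolates would make drift impossible rather than merely documented. The Package.swift text appears to be emitted from a heredoc whose start lies outside the hunk, so the comment would go just above that heredoc in the script rather than inside the generated manifest.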
@@ -72,7 +72,7 @@ import PackageDescription
 let package = Package(
 name: "Dummy",
 dependencies: [
- .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", branch: "main")
+ .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", revision: "0428b322b00494b19e44c20c37502a0ee31af642")
 ],
 targets: []
 )