Add automatic update checks for security tools (zizmor, SFW)#1186
John-David Dalton (jdalton) wants to merge 1 commit into main from
Conversation
Checks for new zizmor and SFW releases, respects pnpm minimumReleaseAge cooldown for third-party tools, updates embedded checksums. Also adds Claude Code version sync phase.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issues.
Reviewed by Cursor Bugbot for commit 2f74030. Configure here.
| logger.log(` ${assetName}: ${oldHash.slice(0, 12)}... -> ${newHash.slice(0, 12)}...`) | ||
| } else if (oldHash === newHash) { | ||
| logger.log(` ${assetName}: unchanged`) | ||
| } |
Missing guard allows version bump with incomplete checksums
Medium Severity
In the zizmor update loop, when newHash is defined (e.g. from checksumMap) but oldHash is undefined (the entry doesn't exist in the source file), neither the if nor the else if branch executes, and allFound is never set to false. This allows the code to reach the version bump at line 298 even though a checksum entry was not actually updated in the source. The version constant gets incremented while the source is missing or has a stale checksum for that asset, leaving index.mts in an inconsistent state.
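The guard the comment above asks for, as an added example in TypeScript (this is not code from PR #1186). It rewrites embedded checksum constants one asset at a time and reports a third outcome, `missing`, alongside `updated` and `unchanged`; the version constant is bumped only when every asset was accounted for, and on any miss the original source is returned untouched. The file layout (`ZIZMOR_VERSION` and a `ZIZMOR_CHECKSUMS` object with one quoted entry per asset) is an assumption, since the real index.mts is not shown on the page.

```typescript
// Added example, not code from PR #1186: rewriting embedded checksum constants
// with an explicit "entry missing" outcome, so the version constant is bumped
// only when every asset's checksum was actually found and written.
// Assumed file layout (the real index.mts layout is not shown on the page):
//   export const ZIZMOR_VERSION = '1.0.0'
//   export const ZIZMOR_CHECKSUMS = { 'asset-name': '<64 hex chars>', ... }

export type EntryStatus = 'updated' | 'unchanged' | 'missing'

// Escape a string so it matches literally inside a RegExp.
function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
}

// Rewrite the checksum for one asset. `missing` is the case the original loop
// did not handle: no entry exists for the asset, so nothing was updated.
export function updateChecksumEntry(
  source: string,
  assetName: string,
  newHash: string,
): { source: string; status: EntryStatus; oldHash?: string } {
  const re = new RegExp(`('${escapeRegExp(assetName)}':\\s*')([0-9a-f]{64})(')`)
  const match = source.match(re)
  if (!match) return { source, status: 'missing' }
  const oldHash = match[2]
  if (oldHash === newHash) return { source, status: 'unchanged', oldHash }
  const updated = source.replace(re, (_m, pre: string, _old: string, post: string) => pre + newHash + post)
  return { source: updated, status: 'updated', oldHash }
}

// Apply a checksum map and bump the version constant only if every asset was
// accounted for. On any missing entry the original source is returned
// untouched, so index.mts is never left half-updated.
export function applyChecksums(
  source: string,
  checksumMap: Record<string, string>,
  newVersion: string,
): { source: string; bumped: boolean; missing: string[]; log: string[] } {
  const log: string[] = []
  const missing: string[] = []
  let out = source
  for (const [assetName, newHash] of Object.entries(checksumMap)) {
    const r = updateChecksumEntry(out, assetName, newHash)
    out = r.source
    if (r.status === 'updated') {
      log.push(`${assetName}: ${r.oldHash!.slice(0, 12)}... -> ${newHash.slice(0, 12)}...`)
    } else if (r.status === 'unchanged') {
      log.push(`${assetName}: unchanged`)
    } else {
      // The missing guard: record the miss and block the version bump.
      log.push(`${assetName}: no checksum entry in source, version bump skipped`)
      missing.push(assetName)
    }
  }
  const allFound = missing.length === 0
  if (!allFound) return { source, bumped: false, missing, log }
  out = out.replace(/(ZIZMOR_VERSION\s*=\s*')[^']*(')/, (_m, pre: string, post: string) => pre + newVersion + post)
  return { source: out, bumped: true, missing, log }
}

// Constructed sample of the embedded constants (not the real file).
export const SAMPLE_SOURCE = [
  "export const ZIZMOR_VERSION = '1.0.0'",
  'export const ZIZMOR_CHECKSUMS = {',
  `  'zizmor-x86_64-unknown-linux-musl': '${'a'.repeat(64)}',`,
  `  'zizmor-aarch64-apple-darwin': '${'b'.repeat(64)}',`,
  '}',
].join('\n')
```

Returning the untouched source on a miss, rather than writing the entries that did match, keeps the checksum table and the version constant consistent with each other; the caller can then print `log` and exit non-zero.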
| newChecksums[platform] = currentChecksums[platform] ?? '' | ||
| } | ||
| } | ||
| } |
Duplicated download-and-hash logic in SFW checker
Low Severity
The if (!asset) and else branches in fetchSfwChecksums contain ~15 lines of nearly identical code (log, try/catch around downloadAndHash, set newChecksums, compare for changes, handle errors). The only difference is the URL passed to downloadAndHash. Computing the URL once before the shared try/catch block would eliminate this duplication and reduce the risk of the two branches diverging during future maintenance.
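The deduplication suggested above, as an added TypeScript example (not the PR's own `fetchSfwChecksums`): the URL is chosen once, and the download, SHA-256, comparison and error handling run once after it. Network access is replaced by an injected `download` function over constructed bytes so the block runs offline; the fallback URL scheme, the `sfw-*` platform names and the `example.invalid` host are assumptions. A failed download is recorded in `failed` rather than written as an empty checksum.

```typescript
import { createHash } from 'node:crypto'

// Added example, not code from PR #1186: the download-and-hash loop with the
// URL computed once so both branches (release asset present / fallback URL)
// share a single try/catch. Network access is replaced by an injected
// `download` function, and the fallback URL scheme is an assumption.

export type Downloader = (url: string) => Promise<Uint8Array>

export interface ReleaseAsset {
  name: string
  browser_download_url: string
}

export interface ChecksumRun {
  checksums: Record<string, string> // platform -> sha256 hex, only for successful downloads
  changed: string[] // platforms whose hash differs from the current pin
  failed: string[] // platforms whose download failed; the caller should abort the update
  log: string[]
}

export function sha256Hex(bytes: Uint8Array): string {
  return createHash('sha256').update(bytes).digest('hex')
}

export async function downloadAndHash(url: string, download: Downloader): Promise<string> {
  return sha256Hex(await download(url))
}

// Hypothetical fallback location for platforms without a release asset.
function fallbackUrl(base: string, platform: string): string {
  return `${base}/${platform}`
}

export async function fetchChecksums(
  platforms: string[],
  assets: ReleaseAsset[],
  currentChecksums: Record<string, string>,
  fallbackBase: string,
  download: Downloader,
): Promise<ChecksumRun> {
  const run: ChecksumRun = { checksums: {}, changed: [], failed: [], log: [] }
  for (const platform of platforms) {
    const asset = assets.find(a => a.name === platform)
    // The URL was the only difference between the two original branches.
    const url = asset ? asset.browser_download_url : fallbackUrl(fallbackBase, platform)
    run.log.push(`${platform}: ${asset ? 'release asset' : 'fallback'} ${url}`)
    try {
      const hash = await downloadAndHash(url, download)
      run.checksums[platform] = hash
      if (hash !== currentChecksums[platform]) run.changed.push(platform)
    } catch (e) {
      // Record the failure instead of writing '' into the checksum table: an
      // empty string is not a usable pin and would hide the failure downstream.
      run.failed.push(platform)
      run.log.push(`${platform}: download failed: ${e instanceof Error ? e.message : String(e)}`)
    }
  }
  return run
}

// Constructed fake release contents; unknown URLs fail like a 404 would.
const LINUX_BYTES = new TextEncoder().encode('sfw linux build')
const DARWIN_BYTES = new TextEncoder().encode('sfw darwin build')
export const FAKE_FILES: Record<string, Uint8Array> = {
  'https://example.invalid/release/sfw-linux-x64': LINUX_BYTES,
  'https://example.invalid/fallback/sfw-darwin-arm64': DARWIN_BYTES,
}

export const fakeDownload: Downloader = async url => {
  const bytes = FAKE_FILES[url]
  if (!bytes) throw new Error(`HTTP 404 for ${url}`)
  return bytes
}

// One linux asset in the release, darwin served from the fallback, windows missing everywhere.
export async function demo(): Promise<ChecksumRun> {
  const assets: ReleaseAsset[] = [
    { name: 'sfw-linux-x64', browser_download_url: 'https://example.invalid/release/sfw-linux-x64' },
  ]
  const current: Record<string, string> = {
    'sfw-linux-x64': sha256Hex(LINUX_BYTES),
    'sfw-win32-x64': 'f'.repeat(64),
  }
  return fetchChecksums(
    ['sfw-linux-x64', 'sfw-darwin-arm64', 'sfw-win32-x64'],
    assets, current, 'https://example.invalid/fallback', fakeDownload,
  )
}
```

In `demo()` the linux hash matches its pin (unchanged), darwin has no pin yet (changed), and windows fails on both paths (failed, no checksum written), which is the state a caller should refuse to commit.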
What this adds

A version checker that runs as part of the /update workflow:
- minimumReleaseAge cooldown (reads from pnpm-workspace.yaml)
- @anthropic-ai/claude-code catalog version from installed binary

When new versions are found, the script updates the embedded checksums in setup-security-tools/index.mts in-place.

Files
- .claude/hooks/setup-security-tools/update.mts — the version checker
- .claude/skills/updating/SKILL.md — adds phases 3b (security tools) and 3c (Claude Code sync)

Depends on
PR #1185 (setup-security-tools) must be merged first — update.mts modifies files created by that PR.
Note
Medium Risk
Medium risk because it introduces a new automated updater that calls the GitHub API/CLI, downloads release assets, and rewrites embedded checksums in-place; failures or parsing mismatches could break the setup-security-tools hook or make updates flaky in CI.

Overview
Adds a new .claude/hooks/setup-security-tools/update.mts script that checks GitHub releases for zizmor and Socket Firewall (sfw-free and enterprise), computes SHA-256 checksums for platform binaries, and updates the embedded version/checksum constants in setup-security-tools/index.mts.

The updater respects pnpm’s minimumReleaseAge cooldown (read from pnpm-workspace.yaml) for third-party tools (zizmor) while bypassing cooldown for Socket-owned tools, and it emits a simple per-tool update/skip summary.

Updates the updating skill docs to run this security-tools updater (and to sync Claude Code versions), and adjusts .gitignore to keep .claude/hooks/ and .claude/settings.json tracked instead of blanket-ignoring all .claude content.
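The cooldown rule described above (third-party tools wait out minimumReleaseAge, Socket-owned tools do not), as an added TypeScript example that is not the PR's update.mts. It reads the cooldown from a pnpm-workspace.yaml fragment, dates the release from GitHub's `published_at`, and produces the per-tool update/skip decision. Assumptions: the pnpm value is in minutes (as pnpm documents it), the key is a top-level `minimumReleaseAge: <n>` line read with a regex instead of a YAML parser, and a release whose date cannot be parsed is treated as not old enough.

```typescript
// Added example, not code from PR #1186: the cooldown decision for a tool
// release. Assumptions: pnpm's minimumReleaseAge is in minutes (as pnpm
// documents it), it appears as a top-level `minimumReleaseAge: <n>` line in
// pnpm-workspace.yaml (read here with a regex instead of a YAML parser), and
// the release record has GitHub's `tag_name` / `published_at` fields.

export interface ToolPolicy {
  name: string
  socketOwned: boolean // Socket-owned tools (SFW) bypass the cooldown
}

export interface ReleaseInfo {
  tag_name: string
  published_at: string // ISO 8601, as returned by the GitHub releases API
}

export type Decision =
  | { action: 'update'; version: string }
  | { action: 'skip'; reason: string }

// Returns 0 (no cooldown) when the key is absent.
export function readMinimumReleaseAgeMinutes(workspaceYaml: string): number {
  const m = workspaceYaml.match(/^minimumReleaseAge:\s*(\d+)\s*$/m)
  return m ? Number(m[1]) : 0
}

export function decideUpdate(
  tool: ToolPolicy,
  currentVersion: string,
  release: ReleaseInfo,
  minAgeMinutes: number,
  now: Date,
): Decision {
  const latest = release.tag_name.replace(/^v/, '')
  if (latest === currentVersion) {
    return { action: 'skip', reason: `${tool.name} already at ${currentVersion}` }
  }
  if (!tool.socketOwned) {
    const publishedMs = Date.parse(release.published_at)
    // Fail closed: a release we cannot date is not treated as "old enough".
    if (Number.isNaN(publishedMs)) {
      return { action: 'skip', reason: `${tool.name} ${latest}: unparseable published_at` }
    }
    const ageMinutes = (now.getTime() - publishedMs) / 60_000
    if (ageMinutes < minAgeMinutes) {
      return {
        action: 'skip',
        reason: `${tool.name} ${latest} is ${Math.floor(ageMinutes)} min old, cooldown is ${minAgeMinutes} min`,
      }
    }
  }
  return { action: 'update', version: latest }
}

// Constructed pnpm-workspace.yaml fragment: a 24 h cooldown.
export const SAMPLE_WORKSPACE = "packages:\n  - 'packages/*'\nminimumReleaseAge: 1440\n"

// Per-tool summary line in the update/skip shape the description mentions.
export function summarize(tool: ToolPolicy, d: Decision): string {
  return d.action === 'update' ? `${tool.name}: update -> ${d.version}` : `${tool.name}: skip (${d.reason})`
}
```

Passing `now` in explicitly keeps the decision deterministic and testable; in the real updater it would be `new Date()`.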