
ci: pin wasm-pack with SHA256 verification#5

Merged
chrismerck merged 4 commits into main from security/pin-wasm-pack on Apr 28, 2026

Conversation

@chrismerck (Contributor) commented Apr 28, 2026

Summary

  • Closes [SBoM] Replace wasm-pack curl | sh with SHA256-verified release binary (CRITICAL) #4 (CRITICAL supply-chain finding from March 2026 audit).
  • Replaces curl https://rustwasm.github.io/wasm-pack/installer/init.sh | sh in .github/workflows/deploy.yml with a pinned GitHub release tarball.
  • SHA256 of wasm-pack-v0.13.1-x86_64-unknown-linux-musl.tar.gz is hardcoded in the workflow (c539d91ccab2591a7e975bcf82c82e1911b03335c80aa83d67ad25ed2ad06539) and verified via sha256sum -c - before extraction.

Why this and not cargo install?

cargo install does verify the crate tarball against the SHA256 in the crates.io git index, but that index is the trust root — there's no flag to pass cargo your own out-of-band SHA for the top-level crate, and --locked only pins transitive versions. Anchoring the hash in our own repo gives an independent, auditable check that survives a registry compromise. (Issue body has the full reasoning.)

Test plan

  • CI deploy workflow passes on this branch
  • wasm-pack --version step shows 0.13.1 in the job log
  • No remaining curl | sh / wget | sh in any workflow

🤖 Generated with Claude Code
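The download, verify, extract sequence the PR describes, as an added shell example that is not the project's own deploy.yml or any code from the PR author. The function names, the temporary-file handling and the assumed release URL layout are illustrative; the hash in the commented usage line is the one the PR hardcodes. The point the example makes explicit is ordering: the expected SHA256 is embedded in the script (stand-in for the workflow file), `sha256sum -c -` reads it from stdin, and tar is never invoked on a file whose hash did not match.

```sh
#!/bin/sh
# Added example (not the project's deploy.yml): replace `curl ... | sh` with
# download -> verify -> extract, where the expected SHA256 lives in the repo
# and is checked before anything from the archive touches the runner.
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Feeds a "<hash>  <file>" line to `sha256sum -c -` on stdin, as the workflow
# does. Returns 0 on match; non-zero on mismatch or on a malformed
# EXPECTED_HEX (sha256sum rejects lines that are not 64 hex characters).
verify_sha256() {
  file=$1
  expected=$2
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c - >/dev/null 2>&1
}

# verify_and_extract TARBALL EXPECTED_HEX DESTDIR
# Neither creates DESTDIR nor runs tar unless the hash matches, so a tampered
# or truncated download leaves nothing behind. Assumes (as with the wasm-pack
# release tarballs) a single top-level directory, hence --strip-components=1.
verify_and_extract() {
  tarball=$1
  expected=$2
  destdir=$3
  if ! verify_sha256 "$tarball" "$expected"; then
    echo "SHA256 mismatch for $tarball; refusing to extract" >&2
    return 1
  fi
  mkdir -p "$destdir"
  tar -xzf "$tarball" -C "$destdir" --strip-components=1
}

# install_pinned_release URL EXPECTED_HEX DESTDIR (hypothetical helper name)
# Downloads to a temp file (never piped to a shell), then verifies and
# extracts. `-f` makes curl fail on HTTP errors instead of saving an error
# page whose hash would simply not match.
install_pinned_release() {
  url=$1
  expected=$2
  destdir=$3
  tmp=$(mktemp)
  curl -fsSL --retry 3 -o "$tmp" "$url"
  if ! verify_and_extract "$tmp" "$expected" "$destdir"; then
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
}

# Usage as a workflow step would call it (release URL layout is assumed; the
# hash is the one hardcoded in the PR for the x86_64-unknown-linux-musl build):
# install_pinned_release \
#   "https://github.com/rustwasm/wasm-pack/releases/download/v0.13.1/wasm-pack-v0.13.1-x86_64-unknown-linux-musl.tar.gz" \
#   c539d91ccab2591a7e975bcf82c82e1911b03335c80aa83d67ad25ed2ad06539 \
#   "$HOME/.local/wasm-pack"
# and then prepend DESTDIR to PATH before the `wasm-pack --version` step.
```

Two caveats for anyone copying the pattern: the hash is per target triple, so switching runner image or architecture means a different tarball and a different hash, and a version bump has to change the URL and the hash together. The expected hash itself should be obtained out-of-band (for example, fetched from two independent networks and compared) before it is committed, since a hash copied from the same download it guards verifies nothing.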

chrismerck and others added 4 commits April 28, 2026 18:20
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace `curl | sh` install with a pinned GitHub release tarball and
in-workflow SHA256 check. Closes a CRITICAL supply-chain finding from the
March 2026 audit (#4).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@chrismerck chrismerck merged commit ad4163c into main Apr 28, 2026
1 check passed