fix(security): resolve dependency vulns, stream I/O, harden credentials and install script by brandonrc · Pull Request #81 · artifact-keeper/artifact-keeper-cli

brandonrc · 2026-03-23T19:51:13Z

Summary

Addresses 6 security-critical audit findings:

8 known dependency vulnerabilities including 3 HIGH severity #65: Updated dependencies resolving 7 of 8 vulnerabilities (aws-lc-sys 0.39.0, quinn-proto 0.11.14, rustls-webpki 0.103.10). Note: time 0.3.45 remains pinned by ratatui-widgets, tracked separately.
File uploads and downloads read entire content into memory #66: Refactored artifact push/pull/copy to stream files instead of reading entire content into memory. Uploads use ReaderStream, downloads write chunks directly to disk. Prevents OOM on large artifacts.
Credential files written without restrictive permissions #67 + Setup commands write package manager configs without restrictive permissions #79: All credential and config file writes now set 0o600 permissions on Unix. Config directories set to 0o700. Applied to credentials.json, config.toml, and all setup command output files (.npmrc, pip.conf, etc.).
Install script continues without checksum verification #73: Install script now exits with error when no checksum tool is found instead of silently continuing.
APT setup leaks plaintext token to stderr #80: Token values in setup preview output are redacted (shows first4...last4 instead of full token).

Test Checklist

Unit tests added/updated
Integration tests added/updated (if applicable)
E2E tests added/updated (if applicable)
Manually tested locally
No regressions in existing tests (1380 passing)

API Changes

N/A - no API changes

Resolves CVEs in: - aws-lc-sys 0.37.1 -> 0.39.0 - quinn-proto 0.11.13 -> 0.11.14 - rustls-webpki 0.103.9 -> 0.103.10 Remaining: time 0.3.45 (RUSTSEC-2026-0009) is pinned by ratatui-widgets 0.3.0 which has no newer release yet. Tracked upstream.

Upload now uses ReaderStream to stream from disk. Download writes chunks directly to the output file. Cross-instance copy streams through a temp file instead of holding the full artifact in memory. Closes #66

Credential files are now written with 0o600 (owner read/write only) and the config directory with 0o700 on Unix systems. This prevents other users on a shared machine from reading tokens or config. Closes #67, closes #79

Previously the installer would skip verification with a warning if neither sha256sum nor shasum was available. Now it exits with an error, preventing installation of unverified binaries. Closes #73

The APT setup command previously printed the full authentication token to stderr when showing the config preview and manual instructions. Tokens longer than 8 characters are now displayed as first4...last4. Closes #80

sonarqubecloud · 2026-03-23T19:56:22Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

brandonrc added 5 commits March 23, 2026 14:45

fix: stream file uploads and downloads instead of buffering in memory

1e35504

Upload now uses ReaderStream to stream from disk. Download writes chunks directly to the output file. Cross-instance copy streams through a temp file instead of holding the full artifact in memory. Closes #66

fix: make install script exit on missing checksum tool

a0b2476

Previously the installer would skip verification with a warning if neither sha256sum nor shasum was available. Now it exits with an error, preventing installation of unverified binaries. Closes #73

fix: redact plaintext token in APT setup stderr output

8c64cfb

The APT setup command previously printed the full authentication token to stderr when showing the config preview and manual instructions. Tokens longer than 8 characters are now displayed as first4...last4. Closes #80

brandonrc merged commit 27633ea into main Mar 23, 2026
14 checks passed

brandonrc deleted the fix/security-critical-audit branch March 23, 2026 20:37

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(security): resolve dependency vulns, stream I/O, harden credentials and install script#81

fix(security): resolve dependency vulns, stream I/O, harden credentials and install script#81
brandonrc merged 5 commits intomainfrom
fix/security-critical-audit

brandonrc commented Mar 23, 2026

Uh oh!

sonarqubecloud bot commented Mar 23, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

brandonrc commented Mar 23, 2026

Summary

Test Checklist

API Changes

Uh oh!

sonarqubecloud bot commented Mar 23, 2026

Quality Gate passed

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant