security(init-system): pin uv bootstrap and remove remote NodeSource scripts (#149)#179
Merged
liujuanjuan1984 merged 2 commits intomainfrom Mar 13, 2026
Merged
Conversation
liujuanjuan1984
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
背景
本 PR 基于
#149收窄后的范围,聚焦scripts/init_system.sh中仍然存在的两条“下载脚本后执行”链路:uv的远程 installer shell script相关提交:
7173d6b security(init-system): harden node and uv bootstrap paths (#149)05931f6 refactor(init-system): move uv release pins into static manifest (#149)按模块说明
1.
scripts/init_system.shNODE_MAJOR,则 fail-closed 并提示人工兜底。uv安装逻辑改为读取仓库内静态清单,执行固定官方 release tarball + SHA256 校验 + 本地解包安装。#178跟进。2.
scripts/init_system_uv_release_manifest.shuv静态清单文件。uv版本、release 基址、受信资产名与 SHA256 从主脚本中抽离。3.
scripts/init_system_readme.mduv静态清单文件和 Node.js 包管理器安装的推荐方式。4.
tests/test_init_system_security.pyuvrelease pin / checksum 的安全契约测试。回归
bash -n scripts/init_system.sh scripts/init_system_uv_release_manifest.shuv run pre-commit run --all-filesuv run pytest关联