Finding
File: packages/cli/src/update-check.ts:361-378
Severity: MEDIUM
Description: Install script temp file cleanup has a race condition. The script is written to /tmp/spawn-install-${timestamp}.sh, executed, then cleaned up via tryCatchIf(isFileError, () => fs.unlinkSync(tmpFile)). If the process crashes or is killed between write and cleanup, the temp file persists indefinitely.
Impact
- Disk space accumulation over time from orphaned temp files
- Potential information disclosure if install script content is sensitive (currently it isn't, but future changes could introduce secrets)
Recommendation
Use a try-finally pattern or process exit handler to guarantee cleanup:
const tmpFile = path.join(tmpdir(), `spawn-install-${Date.now()}.sh`);
try {
fs.writeFileSync(tmpFile, scriptContent, { mode: 0o700 });
const bashResult = tryCatch(() =>
executor.execFileSync("bash", [tmpFile], { stdio: installStdio })
);
if (!bashResult.ok) throw bashResult.error;
} finally {
tryCatchIf(isFileError, () => fs.unlinkSync(tmpFile));
}Context
- Windows path (lines 336-352) has the same issue with PowerShell temp files
- This affects both auto-update code paths
Discovered by automated scan (code-scanner)
Finding
File: packages/cli/src/update-check.ts:361-378
Severity: MEDIUM
Description: Install script temp file cleanup has a race condition. The script is written to
/tmp/spawn-install-${timestamp}.sh, executed, then cleaned up viatryCatchIf(isFileError, () => fs.unlinkSync(tmpFile)). If the process crashes or is killed between write and cleanup, the temp file persists indefinitely.Impact
Recommendation
Use a try-finally pattern or process exit handler to guarantee cleanup:
Context
Discovered by automated scan (code-scanner)