chore(tools): add checksum for socket-basics archive #1222
Merged
John-David Dalton (jdalton) merged 1 commit into main from Apr 17, 2026
Adds a SHA-256 checksum for the socket-basics source archive in
bundle-tools.json and wires it through to the downloader so the
download now gets verified like every other bundled tool.
Previously:
- socket-basics was the only bundled tool without a checksum in
bundle-tools.json, so the download was trusted as-is.
Now:
- `bundle-tools.json` has `checksums["socket-basics-v2.0.2.tar.gz"]`.
- `downloads.mts` passes `sha256: archiveSha256` to the same
`httpDownload(...)` helper the other tools already use, and throws
if the checksum entry is missing.
Note: the archive key uses the tag-qualified filename
(`socket-basics-v<ver>.tar.gz`) to match the existing local-path
convention (`socket-basics-${version}.tar.gz`) and stay consistent
with the asset-keyed checksums elsewhere in the file.
Bill Li (billxinli) approved these changes Apr 17, 2026
Summary
Adds a SHA-256 checksum for the `socket-basics` source archive in `bundle-tools.json` and wires it through the downloader so it gets verified like every other bundled tool.
Before
`socket-basics` was the one entry in `bundle-tools.json` without a `checksums` block, so its download went unverified while the other tools (opengrep, trivy, trufflehog, sfw, python, etc.) all had per-asset SHA-256 entries enforced.
After
`bundle-tools.json` now has:
`downloads.mts` passes `sha256: archiveSha256` into the same `httpDownload(...)` helper the rest of the tools use, and throws if the checksum entry is missing (matching the existing pattern at lines 327–345 / 472–508).
Notes
- socket-basics-v<ver>.tar.gz) to stay consistent with the asset-keyed checksums elsewhere in the file and the local-path convention used in `downloads.mts`.
- `/sync-checksums` skill that already exists for the other tools.
Test plan
- `pnpm run type` green
- `node scripts/validate-checksums.mts` green
- `pnpm run build:cli` succeeds
Note
Low Risk
Small, scoped change that only tightens download verification for a bundled tool; primary risk is build failures if the checksum key/name is incorrect.
Overview
Adds a `checksums` entry for the `socket-basics` GitHub source tarball in `bundle-tools.json`.
Updates SEA build tooling to require that checksum and pass it to `httpDownload` when fetching the `socket-basics` archive; the build now fails fast with a clear error if the checksum is missing.
Reviewed by Cursor Bugbot for commit f4844e9.
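
The fail-closed check this PR describes (an asset-keyed SHA-256 lookup that throws when the entry is missing), as an added example that is not the project's `downloads.mts` or `httpDownload` code. The function names, the simplified `{ checksums: { ... } }` entry shape and the sample bytes are assumptions made for illustration.

```javascript
// Added example: fail-closed SHA-256 verification against a checksum manifest.
// Function names and the entry shape are hypothetical, not the project's API.
const { createHash } = require('node:crypto');

// Hex SHA-256 of a Buffer.
function sha256Hex(bytes) {
  return createHash('sha256').update(bytes).digest('hex');
}

// Look up the pinned digest for an asset. A missing or malformed entry is an
// error, never a reason to skip verification.
function expectedSha256(toolEntry, assetName) {
  const checksums = (toolEntry && toolEntry.checksums) || {};
  // Own-property check so inherited keys such as "constructor" never match.
  if (!Object.prototype.hasOwnProperty.call(checksums, assetName)) {
    throw new Error(`Missing SHA-256 checksum for ${assetName}`);
  }
  const pinned = String(checksums[assetName]).toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(pinned)) {
    throw new Error(`Malformed SHA-256 checksum for ${assetName}`);
  }
  return pinned;
}

// Verify downloaded bytes before they are written out or extracted.
function verifyArchive(toolEntry, assetName, bytes) {
  const pinned = expectedSha256(toolEntry, assetName);
  const actual = sha256Hex(bytes);
  if (actual !== pinned) {
    throw new Error(`Checksum mismatch for ${assetName}: expected ${pinned}, got ${actual}`);
  }
  return actual;
}

// Constructed sample data (not the real archive or its real digest).
const SAMPLE_ASSET = 'socket-basics-v2.0.2.tar.gz';
const SAMPLE_BYTES = Buffer.from('constructed archive bytes');
const SAMPLE_ENTRY = { checksums: { [SAMPLE_ASSET]: sha256Hex(SAMPLE_BYTES) } };

// Returns true when verification throws, false when it passes.
function rejects(entry, asset, bytes) {
  try { verifyArchive(entry, asset, bytes); return false; } catch { return true; }
}

console.log('pinned archive accepted:', !rejects(SAMPLE_ENTRY, SAMPLE_ASSET, SAMPLE_BYTES));
console.log('tampered bytes rejected:', rejects(SAMPLE_ENTRY, SAMPLE_ASSET, Buffer.from('tampered')));
console.log('unpinned asset rejected:', rejects(SAMPLE_ENTRY, 'socket-basics-v9.9.9.tar.gz', SAMPLE_BYTES));
```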