Update Fleet-maintained apps #47849
Generated automatically with cmd/maintained-apps.
Walkthrough
Version metadata was updated across 20 maintained app JSON manifests in
Pre-merge checks: ✅ 4 passed, ❌ 1 failed (1 inconclusive)
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@ee/maintained-apps/outputs/alt-tab/darwin.json`:
- Around line 9-12: The darwin.json file for alt-tab references version v11.3.1
which does not exist; the latest available version is v11.3.0. Update the
installer_url field to reference v11.3.0 instead of v11.3.1, and then obtain and
update the corresponding install_script_ref, uninstall_script_ref, and sha256
values from the v11.3.0 release page on GitHub at
https://github.com/lwouis/alt-tab-macos/releases/tag/v11.3.0 to ensure all
configuration values accurately reflect the actual v11.3.0 release.
In `@ee/maintained-apps/outputs/claude/darwin.json`:
- Around line 9-12: In the darwin.json file, locate the entry containing the
installer_url with version 1.14271.0 and the associated metadata fields
(installer_url, install_script_ref, uninstall_script_ref, sha256). Either remove
this entire entry block completely, or if you believe this is a legitimate
release, verify it against official Anthropic download sources and update all
fields (version number, installer_url, install_script_ref, uninstall_script_ref,
and sha256) to match the officially documented release information from
Anthropic's official channels.
In `@ee/maintained-apps/outputs/clockify/windows.json`:
- Around line 4-12: The installer_url for Clockify does not include the version
number (2.2.1) while the sha256 checksum is pinned to a specific version. Update
the installer_url field to include the version identifier in the URL (for
example, modify the URL to incorporate 2.2.1 similar to how 1Password and 7-Zip
include version numbers in their filenames), or alternatively remove the
specific sha256 checksum value and replace it with "no_check" if the URL is
guaranteed to be a floating endpoint maintained by the publisher. Choose one
approach consistently with other applications in the codebase to prevent sha256
verification failures when new versions are released.
📒 Files selected for processing (21)
- ee/maintained-apps/outputs/alt-tab/darwin.json
- ee/maintained-apps/outputs/apidog/darwin.json
- ee/maintained-apps/outputs/arc/darwin.json
- ee/maintained-apps/outputs/aws-cli/windows.json
- ee/maintained-apps/outputs/bezel/darwin.json
- ee/maintained-apps/outputs/boom-3d/darwin.json
- ee/maintained-apps/outputs/claude/darwin.json
- ee/maintained-apps/outputs/clockify/windows.json
- ee/maintained-apps/outputs/cursor/darwin.json
- ee/maintained-apps/outputs/cyberduck/darwin.json
- ee/maintained-apps/outputs/deezer/darwin.json
- ee/maintained-apps/outputs/firefox/darwin.json
- ee/maintained-apps/outputs/godot/darwin.json
- ee/maintained-apps/outputs/granola/darwin.json
- ee/maintained-apps/outputs/insomnia/darwin.json
- ee/maintained-apps/outputs/insomnia/windows.json
- ee/maintained-apps/outputs/pgadmin4/darwin.json
- ee/maintained-apps/outputs/smultron/darwin.json
- ee/maintained-apps/outputs/spokenly/darwin.json
- ee/maintained-apps/outputs/tuple/darwin.json
- ee/maintained-apps/outputs/whatsapp/darwin.json
| "installer_url": "https://github.com/lwouis/alt-tab-macos/releases/download/v11.3.1/AltTab-11.3.1.zip", | ||
| "install_script_ref": "b04664c1", | ||
| "uninstall_script_ref": "2cc2914b", | ||
| "sha256": "5b28c3b26d29c1ccbd1f110736d6100378a89d242fd7c797a3603592cc92c8aa", | ||
| "sha256": "5f9f6c1505ae4fdcb7fd819f1bf945a179a8795fc18c73e788365ecb93e16f8c", |
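Review bot: The second sha256 line is the only integrity control for the asset named on the installer_url line, and nothing in the change records where that digest came from. The asset is hosted on GitHub releases, so compare the new value with the digest GitHub publishes for AltTab-11.3.1.zip on the release page before merging, and say in the PR that the comparison was done.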
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify AltTab installer URL and checksum
URL="https://github.com/lwouis/alt-tab-macos/releases/download/v11.3.1/AltTab-11.3.1.zip"
EXPECTED_SHA256="5f9f6c1505ae4fdcb7fd819f1bf945a179a8795fc18c73e788365ecb93e16f8c"
echo "Checking URL accessibility..."
if curl -s -f -I "$URL" > /dev/null; then
    echo "✓ URL is accessible"
else
    echo "✗ URL is not accessible"
    exit 1
fi
echo "Downloading and verifying checksum..."
ACTUAL_SHA256=$(curl -sL "$URL" | shasum -a 256 | cut -d' ' -f1)
if [ "$ACTUAL_SHA256" = "$EXPECTED_SHA256" ]; then
    echo "✓ Checksum matches"
else
    echo "✗ Checksum mismatch"
    echo " Expected: $EXPECTED_SHA256"
    echo " Actual: $ACTUAL_SHA256"
    exit 1
fi
Repository: fleetdm/fleet
Length of output: 319
🏁 Script executed:
#!/bin/bash
# Verify AltTab installer URL and checksum with alternative tools
URL="https://github.com/lwouis/alt-tab-macos/releases/download/v11.3.1/AltTab-11.3.1.zip"
EXPECTED_SHA256="5f9f6c1505ae4fdcb7fd819f1bf945a179a8795fc18c73e788365ecb93e16f8c"
echo "Checking URL accessibility..."
if curl -s -f -I "$URL" > /dev/null 2>&1; then
    echo "✓ URL is accessible"
else
    echo "✗ URL is not accessible"
    exit 1
fi
echo "Downloading and verifying checksum..."
ACTUAL_SHA256=$(curl -sL "$URL" 2>/dev/null | sha256sum | cut -d' ' -f1)
if [ -z "$ACTUAL_SHA256" ]; then
    echo "✗ Failed to compute checksum (tool not available)"
    exit 1
elif [ "$ACTUAL_SHA256" = "$EXPECTED_SHA256" ]; then
    echo "✓ Checksum matches"
else
    echo "✗ Checksum mismatch"
    echo " Expected: $EXPECTED_SHA256"
    echo " Actual: $ACTUAL_SHA256"
    exit 1
fi
Repository: fleetdm/fleet
Length of output: 262
🌐 Web query:
AltTab v11.3.1 GitHub release sha256 checksum
💡 Result:
As of June 18, 2026, there is no AltTab release version 11.3.1. The latest version available on the official GitHub repository for AltTab is v11.3.0, which was published on June 4, 2026 [1]. GitHub automatically computes and exposes SHA256 checksums (digests) for all release assets [2]. You can find the SHA256 checksum for the assets associated with v11.3.0 by visiting the official releases page on GitHub: https://github.com/lwouis/alt-tab-macos/releases/tag/v11.3.0 [1]. The checksums are typically displayed in the UI next to each downloadable file [2].
Citations:
- 1: https://github.com/lwouis/alt-tab-macos/releases/tag/v11.3.0
- 2: https://github.blog/changelog/2025-06-03-releases-now-expose-digests-for-release-assets/
Update AltTab version to v11.3.0 — v11.3.1 does not exist.
The referenced release v11.3.1 does not exist. The latest available version is v11.3.0 (released June 4, 2026). Update the installer URL, install_script_ref, uninstall_script_ref, and sha256 to match the v11.3.0 release from https://github.com/lwouis/alt-tab-macos/releases/tag/v11.3.0.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@ee/maintained-apps/outputs/alt-tab/darwin.json` around lines 9 - 12, The
darwin.json file for alt-tab references version v11.3.1 which does not exist;
the latest available version is v11.3.0. Update the installer_url field to
reference v11.3.0 instead of v11.3.1, and then obtain and update the
corresponding install_script_ref, uninstall_script_ref, and sha256 values from
the v11.3.0 release page on GitHub at
https://github.com/lwouis/alt-tab-macos/releases/tag/v11.3.0 to ensure all
configuration values accurately reflect the actual v11.3.0 release.
| "installer_url": "https://downloads.claude.ai/releases/darwin/universal/1.14271.0/Claude-c8f4d811b076f6d3bb0a320ac9da463cd82a6a11.zip", | ||
| "install_script_ref": "8b957973", | ||
| "uninstall_script_ref": "421baa98", | ||
| "sha256": "acd06011a3431f7c33ee6975b4aeee900e6cbfc1d3e653dbe82b8a29393d62e1", | ||
| "sha256": "7904c96db6e583f199b6178386f5081621d0fb07e8a6b3b20834d96b063b44b2", |
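Review bot: The installer_url line pins the build through the 1.14271.0 path segment, but the only value this hunk shows in both old and new form is sha256, so the manifest's version field is not visible here. Confirm that the version field outside these lines also reads 1.14271.0; a manifest whose URL and digest describe one build while its version string describes another cannot be checked against what actually gets installed.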
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify Claude installer URL and checksum
URL="https://downloads.claude.ai/releases/darwin/universal/1.14271.0/Claude-c8f4d811b076f6d3bb0a320ac9da463cd82a6a11.zip"
EXPECTED_SHA256="7904c96db6e583f199b6178386f5081621d0fb07e8a6b3b20834d96b063b44b2"
echo "Checking URL accessibility..."
if curl -s -f -I "$URL" > /dev/null; then
    echo "✓ URL is accessible"
else
    echo "✗ URL is not accessible"
    exit 1
fi
echo "Downloading and verifying checksum..."
ACTUAL_SHA256=$(curl -sL "$URL" | shasum -a 256 | cut -d' ' -f1)
if [ "$ACTUAL_SHA256" = "$EXPECTED_SHA256" ]; then
    echo "✓ Checksum matches"
else
    echo "✗ Checksum mismatch"
    echo " Expected: $EXPECTED_SHA256"
    echo " Actual: $ACTUAL_SHA256"
    exit 1
fi
Repository: fleetdm/fleet
Length of output: 319
🏁 Script executed:
#!/bin/bash
# Try alternative method to verify checksum
URL="https://downloads.claude.ai/releases/darwin/universal/1.14271.0/Claude-c8f4d811b076f6d3bb0a320ac9da463cd82a6a11.zip"
EXPECTED_SHA256="7904c96db6e583f199b6178386f5081621d0fb07e8a6b3b20834d96b063b44b2"
echo "Attempting checksum verification with sha256sum..."
ACTUAL_SHA256=$(curl -sL "$URL" 2>/dev/null | sha256sum | cut -d' ' -f1)
if [ -z "$ACTUAL_SHA256" ]; then
    echo "Failed to compute checksum with sha256sum"
    exit 1
fi
if [ "$ACTUAL_SHA256" = "$EXPECTED_SHA256" ]; then
    echo "✓ Checksum matches: $ACTUAL_SHA256"
else
    echo "✗ Checksum mismatch"
    echo " Expected: $EXPECTED_SHA256"
    echo " Actual: $ACTUAL_SHA256"
    exit 1
fi
Repository: fleetdm/fleet
Length of output: 216
🏁 Script executed:
# Check for any references to this Claude version in the repository
rg "1.14271.0\|c8f4d811b076f6d3\|7904c96db6e583f1" --max-count=10
Repository: fleetdm/fleet
Length of output: 39
🌐 Web query:
Claude 1.14271.0 release download installer checksum verification
💡 Result:
There is no official release of any Anthropic product (such as Claude Desktop or Claude Code) identified by the version number 1.14271.0 as of June 18, 2026 [1][2][3]. Anthropic software versioning typically follows different schemas (e.g., v2.1.xxx for Claude Code) [3][4]. For legitimate Anthropic software, checksum verification and installation procedures are handled through official channels: 1. Official Downloads: Always obtain software directly from the official domain at claude.com/download [5] or official documentation sites like code.claude.com [2]. 2. Checksum Verification: For tools like Claude Code, Anthropic provides a manifest.json file containing SHA256 checksums for each platform binary [2][6]. Official releases (since v2.1.89) also include a detached GPG signature for this manifest, which allows you to verify the integrity of the binaries transitively by verifying the signature against the signed manifest [2]. 3. Security Warning: Be cautious of unofficial sites or repositories claiming to offer specific versions of Claude. Always verify downloads using official cryptographic signatures and checksums provided by Anthropic rather than trusting third-party installers [2][7]. If you are seeing a prompt for a version like 1.14271.0, ensure you are interacting with an official source, as this may be an indicator of an unofficial or unauthorized package [2].
Citations:
- 1: https://support.claude.com/en/articles/12138966-release-notes
- 2: https://code.claude.com/docs/en/setup
- 3: https://github.com/anthropics/claude-code/releases/tag/v2.1.142
- 4: https://newreleases.io/project/github/anthropics/claude-code/release/v2.1.142
- 5: https://www.threads.com/@claudeai/post/DXH5RoCkebQ/download-or-update-the-claude-desktop-app-to-get-started-claude-com-download
- 6: https://aiengineerhelper.com/posts/install-claude-code-without-internet/
- 7: Cannot update Claude CLI - update commands fail silently anthropics/claude-code#5494
🏁 Script executed:
# Check if openssl is available as fallback
which openssl && echo "openssl available"
# Also check available hash tools
ls /usr/bin/*sum* 2>/dev/null || echo "No *sum tools found"
ls /usr/bin/*hash* 2>/dev/null || echo "No *hash tools found"
Repository: fleetdm/fleet
Length of output: 156
Remove or verify this Claude installer entry — version 1.14271.0 does not exist as an official Anthropic release.
The version 1.14271.0 is not a recognized official release. Anthropic uses different versioning schemes (e.g., v2.1.xxx for Claude Code). Official Claude releases are available only through official channels (claude.com/download), and legitimate releases include manifest.json with SHA256 checksums and GPG signatures. This metadata appears to reference an unauthorized package and must be corrected or removed to maintain data integrity.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@ee/maintained-apps/outputs/claude/darwin.json` around lines 9 - 12, In the
darwin.json file, locate the entry containing the installer_url with version
1.14271.0 and the associated metadata fields (installer_url, install_script_ref,
uninstall_script_ref, sha256). Either remove this entire entry block completely,
or if you believe this is a legitimate release, verify it against official
Anthropic download sources and update all fields (version number, installer_url,
install_script_ref, uninstall_script_ref, and sha256) to match the officially
documented release information from Anthropic's official channels.
| "version": "2.2.1", | ||
| "queries": { | ||
| "exists": "SELECT 1 FROM programs WHERE name = 'Clockify' AND publisher = 'CAKE.com Inc.';", | ||
| "patched": "SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM programs WHERE name = 'Clockify' AND publisher = 'CAKE.com Inc.' AND version_compare(version, '2.2.0') < 0);" | ||
| "patched": "SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM programs WHERE name = 'Clockify' AND publisher = 'CAKE.com Inc.' AND version_compare(version, '2.2.1') < 0);" | ||
| }, | ||
| "installer_url": "https://clockify.me/downloads/clockify-setup.msi", | ||
| "install_script_ref": "8959087b", | ||
| "uninstall_script_ref": "f7f14087", | ||
| "sha256": "420f7dddcaa69a3275c01057687783b69495cdaf86e191dbb94ed58ef6f770d5", | ||
| "sha256": "478da3fd0a16d9e4dda9c9087378243eb82975f30cd5063f6aa27ed348859973", |
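Review bot: The installer_url line (https://clockify.me/downloads/clockify-setup.msi) names no version, while the version field, the patched query and the sha256 are all pinned to 2.2.1, so the digest stays valid only for as long as the publisher leaves that file untouched. Prefer a versioned download URL if the publisher offers one; if not, keep the digest pinned so that a replaced file fails verification instead of installing unchecked.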
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify Clockify installer URL and checksum stability
URL="https://clockify.me/downloads/clockify-setup.msi"
EXPECTED_SHA256="478da3fd0a16d9e4dda9c9087378243eb82975f30cd5063f6aa27ed348859973"
echo "Checking URL accessibility..."
if curl -s -f -I "$URL" > /dev/null; then
    echo "✓ URL is accessible"
else
    echo "✗ URL is not accessible"
    exit 1
fi
echo "Downloading and verifying checksum..."
ACTUAL_SHA256=$(curl -sL "$URL" | shasum -a 256 | cut -d' ' -f1)
if [ "$ACTUAL_SHA256" = "$EXPECTED_SHA256" ]; then
    echo "✓ Checksum matches (URL is currently serving version 2.2.1)"
else
    echo "✗ Checksum mismatch - URL may have been updated to a newer version"
    echo " Expected (2.2.1): $EXPECTED_SHA256"
    echo " Actual: $ACTUAL_SHA256"
    exit 1
fi
# Check if there are version-specific URLs available
echo -e "\nChecking for version-specific URL patterns..."
curl -sL "https://clockify.me/downloads/clockify-setup-2.2.1.msi" -I | head -n 1
curl -sL "https://clockify.me/downloads/Clockify-2.2.1.msi" -I | head -n 1
Repository: fleetdm/fleet
Length of output: 382
🏁 Script executed:
#!/bin/bash
# Verify Clockify installer URL and checksum using Python
URL="https://clockify.me/downloads/clockify-setup.msi"
EXPECTED_SHA256="478da3fd0a16d9e4dda9c9087378243eb82975f30cd5063f6aa27ed348859973"
python3 << 'PY'
import urllib.request
import hashlib
url = "https://clockify.me/downloads/clockify-setup.msi"
expected = "478da3fd0a16d9e4dda9c9087378243eb82975f30cd5063f6aa27ed348859973"
try:
    print("Downloading and computing SHA256...")
    with urllib.request.urlopen(url, timeout=10) as response:
        sha256_hash = hashlib.sha256()
        while True:
            chunk = response.read(8192)
            if not chunk:
                break
            sha256_hash.update(chunk)
    actual = sha256_hash.hexdigest()
    print(f"Expected: {expected}")
    print(f"Actual: {actual}")
    if actual == expected:
        print("✓ Checksum MATCHES - URL serves version 2.2.1")
    else:
        print("✗ Checksum MISMATCH - URL may serve different version")
except Exception as e:
    print(f"Error: {e}")
PY
Repository: fleetdm/fleet
Length of output: 228
🏁 Script executed:
#!/bin/bash
# Find Boom 3D config to understand the pattern mentioned in review
find . -name "*.json" -type f | xargs grep -l "Boom 3D" | head -5
Repository: fleetdm/fleet
Length of output: 1159
🏁 Script executed:
#!/bin/bash
# Search for other Windows app configs to see versioning patterns
fd -e json "windows.json" | head -20
Repository: fleetdm/fleet
Length of output: 1160
🏁 Script executed:
#!/bin/bash
# Check for Boom 3D example mentioned in the review
find . -path "*/boom*" -name "*.json" -type f 2>/dev/null | head -10
Repository: fleetdm/fleet
Length of output: 156
🏁 Script executed:
#!/bin/bash
# Examine Boom 3D pattern mentioned in review
cat -n ./ee/maintained-apps/outputs/boom-3d/darwin.json | head -30
Repository: fleetdm/fleet
Length of output: 9160
🏁 Script executed:
#!/bin/bash
# Examine Clockify windows.json for comparison
cat -n ./ee/maintained-apps/outputs/clockify/windows.json | head -30
Repository: fleetdm/fleet
Length of output: 2510
🏁 Script executed:
#!/bin/bash
# Check a few other windows.json files to understand general patterns
echo "=== Example 1: 1password ===" && cat -n ./ee/maintained-apps/outputs/1password/windows.json | head -20
echo -e "\n=== Example 2: 7-zip ===" && cat -n ./ee/maintained-apps/outputs/7-zip/windows.json | head -20
Repository: fleetdm/fleet
Length of output: 3579
Installer URL lacks version identifier but specifies concrete checksum.
The installer URL does not include the version number (2.2.1), but a specific sha256 checksum is provided. This creates a timing hazard: when Clockify releases version 2.2.2, the upstream URL will serve new content with a different sha256, causing installation verification to fail.
Other applications in the codebase use version-pinned URLs to address this: 1Password includes the version in the filename (1PasswordSetup-8.12.24.msi), and 7-Zip encodes the version in the filename (7z2601-x64.msi). Both pair this with specific sha256 checksums, ensuring stability across releases.
Either version the URL or use "no_check" if the URL is guaranteed to be floating and updated by the publisher.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@ee/maintained-apps/outputs/clockify/windows.json` around lines 4 - 12, The
installer_url for Clockify does not include the version number (2.2.1) while the
sha256 checksum is pinned to a specific version. Update the installer_url field
to include the version identifier in the URL (for example, modify the URL to
incorporate 2.2.1 similar to how 1Password and 7-Zip include version numbers in
their filenames), or alternatively remove the specific sha256 checksum value and
replace it with "no_check" if the URL is guaranteed to be a floating endpoint
maintained by the publisher. Choose one approach consistently with other
applications in the codebase to prevent sha256 verification failures when new
versions are released.
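The floating-URL hazard raised in the comment above, written as a manifest lint (an added example, not part of this PR or of Fleet's code). It assumes each entry is a flat object with the `version`, `installer_url` and `sha256` fields shown in the diff; the 1Password and 7-Zip entries are constructed, with a placeholder host, zeroed digests and an assumed 7-Zip version string.

```python
import re
from urllib.parse import unquote, urlparse

NO_CHECK = "no_check"  # sentinel value named in the review comment
HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


def version_in_url(version: str, url: str) -> bool:
    """True if the URL path carries the version, dotted (8.12.24) or compacted (2601)."""
    path = unquote(urlparse(url).path)
    if version in path:
        return True
    compact = re.sub(r"[^0-9A-Za-z]", "", version)
    # Compacted forms shorter than three characters would match stray digits.
    return len(compact) >= 3 and compact in path


def audit(entry: dict) -> list[str]:
    """Return finding codes for one manifest entry (field names as shown in the diff)."""
    url = entry.get("installer_url", "")
    sha = entry.get("sha256", "")
    version = entry.get("version", "")
    findings = []
    if urlparse(url).scheme != "https":
        findings.append("insecure-transport")
    if sha == NO_CHECK:
        findings.append("no-integrity-check")
    elif not HEX_SHA256.fullmatch(sha):
        findings.append("malformed-sha256")
    elif version and not version_in_url(version, url):
        # Digest is pinned to one build but the URL is not: the next upstream
        # release makes verification fail wherever this entry is installed.
        findings.append("pinned-hash-on-floating-url")
    return findings


# Clockify values are taken from the diff; every other value is constructed.
SAMPLES = {
    "clockify": {
        "version": "2.2.1",
        "installer_url": "https://clockify.me/downloads/clockify-setup.msi",
        "sha256": "478da3fd0a16d9e4dda9c9087378243eb82975f30cd5063f6aa27ed348859973",
    },
    "clockify-no-check": {  # constructed: the alternative named in the comment
        "version": "2.2.1",
        "installer_url": "https://clockify.me/downloads/clockify-setup.msi",
        "sha256": NO_CHECK,
    },
    "1password": {  # constructed: placeholder host, zeroed digest
        "version": "8.12.24",
        "installer_url": "https://downloads.example.invalid/1PasswordSetup-8.12.24.msi",
        "sha256": "0" * 64,
    },
    "7-zip": {  # constructed: version string assumed from the file name
        "version": "26.01",
        "installer_url": "https://downloads.example.invalid/7z2601-x64.msi",
        "sha256": "0" * 64,
    },
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(f"{name}: {', '.join(audit(entry)) or 'ok'}")
```

The `no-integrity-check` finding is reported separately because switching a floating URL to `no_check` removes the verification failure by removing the verification.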
Automated ingestion of latest Fleet-maintained app data.