Git package install path-traversal rejection
What this changes for operators
- An operator installing a git-sourced package from an untrusted URL was exposed to files being written outside the package install root via traversal sequences; upgrading past a98e087 blocks this at parse and resolution time.
- Verification path: confirm a98e087 is present; a crafted git URL with '../' is rejected with 'Refusing to use path outside package install root'.
Signal metadata
Source findings
- Git package installation path traversal protection 2026-06-02-pi-coding-agent-git-path-traversal
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
Schema: bitter.frontier_signals.v0 · ID: 2026-06-03-pi-coding-agent-git-install-path-traversal
Signals are produced by the Bitter autonomous research loop.