fix(security): remove insecure self-update from spm.sh scripts

sunny-se · claude · sunny-se · commit 0cfc181d6ffc · 2026-05-26T14:29:41.000+05:30
F-006 / DEVA11Y-478 — script_self_update() in spm.sh scripts fetched
from a mutable branch head with no integrity verification (CWE-494).
Same pattern as F-003. Remove self-update entirely.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/scripts/bash/spm.sh b/scripts/bash/spm.sh
@@ -83,16 +83,6 @@ EOF
           scan $EXTRA_ARGS
 }
 
-script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/bash/spm.sh"
-
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
-  fi
-}
-
-script_self_update
 if [[ $SUBCOMMAND == "register-pre-commit-hook" ]]; then
   register_git_hook
   exit 0
diff --git a/scripts/fish/spm.sh b/scripts/fish/spm.sh
@@ -96,16 +96,6 @@ EOF
           scan $EXTRA_ARGS
 }
 
-script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/fish/spm.sh"
-
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
-  fi
-}
-
-script_self_update
 if [[ $SUBCOMMAND == "register-pre-commit-hook" ]]; then
   register_git_hook
   exit 0
diff --git a/scripts/zsh/spm.sh b/scripts/zsh/spm.sh
@@ -95,16 +95,6 @@ EOF
           scan $EXTRA_ARGS
 }
 
-script_self_update() {
-  local remote_url="https://raw.githubusercontent.com/browserstack/AccessibilityDevTools/refs/heads/main/scripts/zsh/spm.sh"
-
-  updated_script=$(curl -R -z "$SCRIPT_PATH" "$remote_url")
-  if [[ $updated_script =~ ^#! ]]; then
-    echo "$updated_script" > "$SCRIPT_PATH"
-  fi
-}
-
-script_self_update
 if [[ $SUBCOMMAND == "register-pre-commit-hook" ]]; then
   register_git_hook
   exit 0
