fix(security): pin SPM dependency to revision SHA instead of branch

sunny-se · claude · sunny-se · commit bd124c0edefd · 2026-05-26T14:29:37.000+05:30
F-005 / DEVA11Y-477 — The generated Package.swift pinned the
AccessibilityDevTools dependency to branch "main" (CWE-829),
allowing any push to main to execute in the plugin sandbox.
Pin to a specific revision SHA for supply-chain integrity.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/scripts/bash/spm.sh b/scripts/bash/spm.sh
@@ -60,7 +60,7 @@ import PackageDescription
 let package = Package(
     name: "Dummy",
     dependencies: [
-        .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", branch: "main")
+        .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", revision: "0428b322b00494b19e44c20c37502a0ee31af642")
     ],
     targets: []
 )
diff --git a/scripts/fish/spm.sh b/scripts/fish/spm.sh
@@ -73,7 +73,7 @@ import PackageDescription
 let package = Package(
     name: "Dummy",
     dependencies: [
-        .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", branch: "main")
+        .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", revision: "0428b322b00494b19e44c20c37502a0ee31af642")
     ],
     targets: []
 )
diff --git a/scripts/zsh/spm.sh b/scripts/zsh/spm.sh
@@ -72,7 +72,7 @@ import PackageDescription
 let package = Package(
     name: "Dummy",
     dependencies: [
-        .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", branch: "main")
+        .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", revision: "0428b322b00494b19e44c20c37502a0ee31af642")
     ],
     targets: []
 )

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ import PackageDescription`
`60`	`60`	`let package = Package(`
`61`	`61`	`name: "Dummy",`
`62`	`62`	`dependencies: [`
`63`		`- .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", branch: "main")`
	`63`	`+ .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", revision: "0428b322b00494b19e44c20c37502a0ee31af642")`
`64`	`64`	`],`
`65`	`65`	`targets: []`
`66`	`66`	`)`
Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ import PackageDescription`
`73`	`73`	`let package = Package(`
`74`	`74`	`name: "Dummy",`
`75`	`75`	`dependencies: [`
`76`		`- .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", branch: "main")`
	`76`	`+ .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", revision: "0428b322b00494b19e44c20c37502a0ee31af642")`
`77`	`77`	`],`
`78`	`78`	`targets: []`
`79`	`79`	`)`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ import PackageDescription`
`72`	`72`	`let package = Package(`
`73`	`73`	`name: "Dummy",`
`74`	`74`	`dependencies: [`
`75`		`- .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", branch: "main")`
	`75`	`+ .package(url: "https://github.com/browserstack/AccessibilityDevTools.git", revision: "0428b322b00494b19e44c20c37502a0ee31af642")`
`76`	`76`	`],`
`77`	`77`	`targets: []`
`78`	`78`	`)`