Update Fleet-maintained apps#47563
Closed
fleet-release wants to merge 1 commit into
Closed
Conversation
Generated automatically with cmd/maintained-apps.
Contributor
Script Diff Resultsee/maintained-apps/outputs/android-studio/windows.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/audacity/windows.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/aws-cli/windows.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/codex-app/darwin.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/dropbox/windows.json=== Install Script (no changes) ===
=== Uninstall // 1035e43a -> f9913fdb ===
--- /tmp/old.4DqHH2 2026-06-13 09:03:52.211321370 +0000
+++ /tmp/new.cfYuZx 2026-06-13 09:03:52.211321370 +0000
@@ -1,4 +1,4 @@
-$product_code = '{C1BD7420-DAD0-58F1-BAD3-C58354BEE1AB}'
+$product_code = '{6D846646-9AD7-5D6C-8BB0-04B336C8EC3A}'
$timeoutSeconds = 300 # 5 minute timeout
# Fleet uninstalls app using product code that's extracted on uploadee/maintained-apps/outputs/firealpaca/darwin.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/microsoft-edge/windows.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/nextcloud-talk/darwin.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/notesnook/darwin.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/nvidia-geforce-now/darwin.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/spotify/windows.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) ===ee/maintained-apps/outputs/syncovery/darwin.json=== Install Script (no changes) ===
=== Uninstall Script (no changes) === |
Contributor
WalkthroughThis PR updates installer metadata for 12 maintained applications across Windows and macOS. Each update bumps the application version number and synchronizes the corresponding SQL version-comparison gate, installer download URL, and SHA256 checksum. Dropbox additionally updates the uninstall script reference ID from Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
ee/maintained-apps/outputs/nvidia-geforce-now/darwin.json (1)
12-12:⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoffInstaller integrity verification is disabled.
The
sha256field is set to"no_check", which disables cryptographic verification of the installer download. This creates a security gap where:
- Man-in-the-middle attacks could substitute a malicious installer
- Compromise of NVIDIA's download server would go undetected
- No guarantee that the downloaded file matches what NVIDIA intended to distribute
This is likely due to NVIDIA using a rolling release URL (line 9) without version numbers, making stable checksums impossible. However, the security risk remains real.
Consider documenting this risk in your security documentation and monitoring for:
- Alternative distribution methods from NVIDIA (versioned URLs with checksums)
- Additional validation signals (code signing verification on the DMG)
- Network-level controls to reduce MITM risk
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ee/maintained-apps/outputs/nvidia-geforce-now/darwin.json` at line 12, The "sha256" field is set to "no_check", disabling installer integrity verification; replace that value with a real SHA-256 checksum for the current macOS installer (compute the checksum for the exact DMG you download and hard-code it into the sha256 field) or, if a stable versioned URL/checksum cannot be obtained, implement a post-download verification step (e.g., validate the DMG's code signature or the app bundle signature in your installer flow and log/abort on mismatch) and update any security docs to note the residual risk and monitoring plan; ensure the change touches the sha256 entry and the download/installation verification logic so the checksum or signature check is enforced.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@ee/maintained-apps/outputs/nvidia-geforce-now/darwin.json`:
- Line 12: The "sha256" field is set to "no_check", disabling installer
integrity verification; replace that value with a real SHA-256 checksum for the
current macOS installer (compute the checksum for the exact DMG you download and
hard-code it into the sha256 field) or, if a stable versioned URL/checksum
cannot be obtained, implement a post-download verification step (e.g., validate
the DMG's code signature or the app bundle signature in your installer flow and
log/abort on mismatch) and update any security docs to note the residual risk
and monitoring plan; ensure the change touches the sha256 entry and the
download/installation verification logic so the checksum or signature check is
enforced.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: ee63df45-19e0-4646-9757-db81cb178a98
📒 Files selected for processing (12)
ee/maintained-apps/outputs/android-studio/windows.jsonee/maintained-apps/outputs/audacity/windows.jsonee/maintained-apps/outputs/aws-cli/windows.jsonee/maintained-apps/outputs/codex-app/darwin.jsonee/maintained-apps/outputs/dropbox/windows.jsonee/maintained-apps/outputs/firealpaca/darwin.jsonee/maintained-apps/outputs/microsoft-edge/windows.jsonee/maintained-apps/outputs/nextcloud-talk/darwin.jsonee/maintained-apps/outputs/notesnook/darwin.jsonee/maintained-apps/outputs/nvidia-geforce-now/darwin.jsonee/maintained-apps/outputs/spotify/windows.jsonee/maintained-apps/outputs/syncovery/darwin.json
Contributor
|
Closing in favor of #47565. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Automated ingestion of latest Fleet-maintained app data.
Summary by CodeRabbit