Summary
agent/lsp/install.py::INSTALL_RECIPES uses @latest for some servers, e.g.:
agent/lsp/install.py:96: "gopls": {"strategy": "go", "pkg": "golang.org/x/tools/gopls@latest", "bin": "gopls"},
When lsp.install_strategy: "auto" (the current default — separately tracked in #25015 as a defaults concern), the first edit of a Go file triggers go install golang.org/x/tools/gopls@latest, fetching whatever version the upstream registry currently serves. That is the same supply-chain hygiene gap that the rest of the codebase already addresses for application dependencies via pyproject.toml upper bounds.
The risk surface depends on the deployment posture (sandboxed worker, audited environment, etc.), but the fix is mechanical and consistent with how Hermes already handles its own runtime deps.
Locations
agent/lsp/install.py:50 — INSTALL_RECIPES table.
grep -n '@latest' agent/lsp/install.py
returns the unpinned recipes. Audit each.
Proposed fix
Pin every recipe to a specific verified version, with comments noting:
- The version pinned and date verified
- Any known CVE / security advisory bounded by deployment posture (e.g.
gopls v0.21.x family — exploit gated on -listen / -port flags our default invocation does not pass)
- Upgrade cadence (manual review, similar to how
pyproject.toml deps are handled)
Example shape:
"gopls": {"strategy": "go", "pkg": "golang.org/x/tools/gopls@v0.21.1", "bin": "gopls"},Related
This issue exists so the pin work can be a small focused PR rather than part of a bundled rewrite.
Summary
agent/lsp/install.py::INSTALL_RECIPESuses@latestfor some servers, e.g.:When
lsp.install_strategy: "auto"(the current default — separately tracked in #25015 as a defaults concern), the first edit of a Go file triggersgo install golang.org/x/tools/gopls@latest, fetching whatever version the upstream registry currently serves. That is the same supply-chain hygiene gap that the rest of the codebase already addresses for application dependencies viapyproject.tomlupper bounds.The risk surface depends on the deployment posture (sandboxed worker, audited environment, etc.), but the fix is mechanical and consistent with how Hermes already handles its own runtime deps.
Locations
agent/lsp/install.py:50—INSTALL_RECIPEStable.grep -n '@latest' agent/lsp/install.pyreturns the unpinned recipes. Audit each.
Proposed fix
Pin every recipe to a specific verified version, with comments noting:
gopls v0.21.xfamily — exploit gated on-listen/-portflags our default invocation does not pass)pyproject.tomldeps are handled)Example shape:
Related
This issue exists so the pin work can be a small focused PR rather than part of a bundled rewrite.