fix: audit fixes across verify, pack, security, and performance

- fix KeyError in compute_coverage (generate_readme, generate_site) - fix comma-separated MD5 handling in generate_pack check_inside_zip - fix _verify_file_hash to handle multi-MD5 for large files - fix external downloads not tracked in seen_destinations/file_status - fix tar path traversal in _is_safe_tar_member (refresh_data_dirs) - fix predictable tmp path in download.py - fix _sanitize_path to filter "." components - remove blanket data_dir suppression in find_undeclared_files - remove blanket data_dir suppression in cross_reference - add status_counts to verify_platform return value - add md5_composite cache for repeated ZIP hashing
2026-04-16 05:42:31 -05:00 · 2026-03-19 14:04:34 +01:00
parent e1410ef4a6
commit 38d605c7d5
9 changed files with 68 additions and 45 deletions
--- a/scripts/download.py
+++ b/scripts/download.py
@@ -233,7 +233,8 @@ Examples:
        sys.exit(1)

    import tempfile
-    zip_path = os.path.join(tempfile.gettempdir(), asset["name"])
+    fd, zip_path = tempfile.mkstemp(suffix=".zip")
+    os.close(fd)

    print(f"Downloading {asset['name']} ({asset['size']:,} bytes)...")
    download_file(asset["browser_download_url"], zip_path, asset["size"])