The fetch service only stripped the four X-Weircon-* control headers, so
any forwarding header injected upstream (X-Forwarded-For, X-Real-IP, Via,
CDN client-IP headers, …) passed straight through to the target — leaking
the caller's IP and proxy chain.
- Replace stripWeircon with stripIdentifying: removes the control headers
plus all standard forwarding/origin-IP headers, with a prefix sweep for
any vendor-specific X-Forwarded-* variant.
- NPM advanced.conf clears the same headers (defense in depth).
- Add TestStripIdentifying covering removal + survival of legit headers.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
When downloading a release asset over HTTP the executable bit is lost,
so checking '-x' would always fail. Check existence instead and chmod
unconditionally. Update the error message to cover the three common
install paths.
Asger Weirsøe