Severity
High (supply-chain + archive extraction safety)
Where
crates/goose-cli/src/commands/update.rs
What was observed
The update command downloads a release archive and extracts it directly with the archive library's bulk extract/unpack-everything helper.
There is no checksum or signature verification step between the download completing and the installed binary being replaced.
Why this matters
Even over HTTPS, installing whatever GitHub Releases serves without comparing it to an expected digest or verifying a signature is a common supply-chain weak point: TLS authenticates the connection to GitHub, not who uploaded the asset or whether it was replaced after publication, so a compromised release account or tampered asset produces a trusted-looking update.
Bulk extract helpers can reintroduce zip-slip/tar-slip path traversal (entry names containing `..`, absolute paths, or symlink entries pointing outside the destination, through which later entries are written) unless the library guarantees safe paths for every entry and the update code pins a version that provides that guarantee.
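An added example of the two gates this finding asks for, written for this note and not taken from goose-cli: a constant-time check of the archive's computed SHA-256 against an expected digest, and a per-entry path check that refuses any archive whose entries could escape the install directory. The names (`safe_join`, `plan_extraction`, `install_gate`), the install directory `/opt/goose` and the entry names are constructed for illustration; computing the digest itself (for example with the `sha2` crate) is left to the caller, since `std` has no SHA-256.

```rust
// Added example for this finding; it is not goose-cli's own code.
// Two gates the update path should have before anything is installed:
//   1. compare the archive's computed SHA-256 against an expected digest
//      obtained out-of-band (constant time, from validated hex);
//   2. map every archive entry to a path that cannot escape the install
//      directory, and reject the whole archive on the first bad entry.
// The digest is computed by the caller (e.g. with the sha2 crate).
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq, Eq)]
pub enum UnsafeEntry {
    Absolute,  // entry name starts at the filesystem root
    HasPrefix, // Windows drive/UNC prefix such as C:\
    ParentDir, // any ".." component, wherever it appears
    Empty,     // nothing to write ("" or ".")
}

/// Map an archive entry name onto a path strictly inside `dest`, or refuse.
/// Every component must be a plain name; `.` is dropped, and `..`, a root
/// or a drive prefix rejects the entry. Because only Normal components are
/// pushed onto `dest`, the result always starts with `dest`.
pub fn safe_join(dest: &Path, entry: &str) -> Result<PathBuf, UnsafeEntry> {
    let mut out = dest.to_path_buf();
    let mut pushed = 0usize;
    for comp in Path::new(entry).components() {
        match comp {
            Component::Normal(part) => {
                out.push(part);
                pushed += 1;
            }
            Component::CurDir => {}
            Component::ParentDir => return Err(UnsafeEntry::ParentDir),
            Component::RootDir => return Err(UnsafeEntry::Absolute),
            Component::Prefix(_) => return Err(UnsafeEntry::HasPrefix),
        }
    }
    if pushed == 0 {
        return Err(UnsafeEntry::Empty);
    }
    debug_assert!(out.starts_with(dest));
    Ok(out)
}

/// Resolve all entries before touching the filesystem. The first unsafe
/// entry fails the whole archive, so a hostile archive is never partially
/// installed. `entries` are the entry names as read from the archive.
pub fn plan_extraction(
    dest: &Path,
    entries: &[&str],
) -> Result<Vec<PathBuf>, (String, UnsafeEntry)> {
    entries
        .iter()
        .map(|e| safe_join(dest, e).map_err(|why| (e.to_string(), why)))
        .collect()
}

/// Decode a hex digest; None on odd length or any non-hex byte.
fn decode_hex(s: &str) -> Option<Vec<u8>> {
    if s.len() % 2 != 0 {
        return None;
    }
    (0..s.len())
        .step_by(2)
        .map(|i| u8::from_str_radix(s.get(i..i + 2)?, 16).ok())
        .collect()
}

/// Constant-time comparison of a computed SHA-256 hex digest against the
/// expected one. Malformed input, wrong length or any mismatch is a failure;
/// the XOR-accumulate does not short-circuit on the first differing byte.
pub fn digest_matches(computed_hex: &str, expected_hex: &str) -> bool {
    match (decode_hex(computed_hex), decode_hex(expected_hex)) {
        (Some(a), Some(b)) if a.len() == 32 && b.len() == 32 => {
            a.iter().zip(b.iter()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
        }
        _ => false,
    }
}

/// The gate as a whole: digest first, then the extraction plan. Only when
/// both pass should the caller unpack and swap in the new binary.
pub fn install_gate(
    computed_hex: &str,
    expected_hex: &str,
    dest: &Path,
    entries: &[&str],
) -> Result<Vec<PathBuf>, String> {
    if !digest_matches(computed_hex, expected_hex) {
        return Err("archive digest does not match the expected digest".into());
    }
    plan_extraction(dest, entries)
        .map_err(|(name, why)| format!("refusing archive: entry {name:?} is {why:?}"))
}

fn main() {
    // Constructed sample input: a hypothetical install dir, digest and entries.
    let dest = Path::new("/opt/goose");
    let digest = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
    let good = ["./bin/goose", "share/goose/README"];
    let hostile = ["bin/goose", "../../usr/local/bin/goose"];
    println!("{:?}", install_gate(digest, digest, dest, &good));
    println!("{:?}", install_gate(digest, digest, dest, &hostile));
}
```

The expected digest has to come from somewhere the attacker who can replace the asset cannot also rewrite, for instance a checksums file whose signature is verified first, or a digest pinned in the client; a digest fetched from the same release page as the archive only proves the two were uploaded together. If goose-cli keeps the crates' bulk helpers, the check to make is that the pinned versions of those helpers reject `..`, absolute names and symlink entries that point outside the destination; the per-entry planner above is the fallback when they do not, and it also turns a silently skipped entry into a refused archive.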