diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..01fffd3
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+ - package-ecosystem: gomod
+ directory: /
+ schedule:
+ interval: weekly
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
diff --git a/.github/workflows/ci-go.yml b/.github/workflows/ci-go.yml
index 50a9b45..4485526 100644
--- a/.github/workflows/ci-go.yml
+++ b/.github/workflows/ci-go.yml
@@ -9,12 +9,14 @@ on:
 - 'go.sum'
 - 'Makefile'
 - 'scripts/**'
+ - 'scripts/assemble-install.sh'
 - 'install.sh'
- - 'packaging/init/**'
+ - 'uninstall.sh'
+ - 'packaging/**'
 - 'build/Dockerfile.embedded'
 - 'Dockerfile'
 - 'docs/cli/**'
- - '.github/workflows/ci-go.yml'
+ - '.github/**'
 pull_request:
 branches: [ main, develop, edgelet/** ]
 paths:
@@ -23,14 +25,18 @@ on:
 - 'go.sum'
 - 'Makefile'
 - 'scripts/**'
+ - 'scripts/assemble-install.sh'
 - 'install.sh'
- - 'packaging/init/**'
+ - 'uninstall.sh'
+ - 'packaging/**'
 - 'build/Dockerfile.embedded'
 - 'Dockerfile'
 - 'docs/cli/**'
- - '.github/workflows/ci-go.yml'
+ - '.github/**'
 workflow_dispatch:
+permissions: read-all
+
 env:
 GO_VERSION: '1.26.4'
@@ -39,10 +45,10 @@ jobs:
 name: Lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: ${{ env.GO_VERSION }}
 cache-dependency-path: go.sum
@@ -50,7 +56,7 @@ jobs:
 - run: go version
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v8
+ uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
 with:
 version: v2.12.2
 args: --timeout=5m0s
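Review bot: The image digest pinned in `build/Dockerfile.embedded` by this same change (`golang:1.26.4-trixie@sha256:…`) has no Dependabot ecosystem watching it, so it will go stale silently while `gomod` and `github-actions` receive weekly bumps. Add a third entry, `- package-ecosystem: docker` / `directory: /` / `schedule: interval: weekly`, and confirm Dependabot's Docker support picks up the non-default filename `Dockerfile.embedded` under `build/` (if it does not, the root `Dockerfile` is still covered and the embedded one needs a manual rotation note). The `github-actions` updater identifies the current version of a SHA-pinned `uses:` line from its trailing `# vN` comment, so those comments must be kept accurate whenever a pin is edited by hand.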
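Review bot: `- 'scripts/assemble-install.sh'` is already matched by the `- 'scripts/**'` entry two lines above it, so the added line changes nothing; the same redundant entry is added in the `pull_request` paths hunk at `@@ -23,14 +25,18`. Drop it from both lists, or if it was meant as a pointer for readers, replace it with a comment such as `# scripts/** includes assemble-install.sh`. Widening `'.github/workflows/ci-go.yml'` to `'.github/**'` also means a Dependabot or CodeQL config edit now starts the full Go CI, which is probably intended but worth stating in the commit description.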
@@ -62,10 +68,10 @@ jobs:
 name: Test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: ${{ env.GO_VERSION }}
 cache-dependency-path: go.sum
@@ -75,6 +81,9 @@ jobs:
 - name: Run unit tests
 run: make test-unit
+ - name: Fuzz smoke
+ run: go test -fuzz=FuzzFileMapFields -fuzztime=30s ./pkg/dataverify
+
 - name: CLI docs drift gate
 run: make cli-docs-check
@@ -99,8 +108,8 @@ jobs:
 runs-on: ubuntu-latest
 needs: [lint, test]
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: Install embed build deps
@@ -117,8 +126,8 @@ jobs:
 runs-on: ubuntu-24.04-arm
 needs: [lint, test]
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: ${{ env.GO_VERSION }}
 - name: Install embed build deps
@@ -143,10 +152,10 @@ jobs:
 - goos: windows
 goarch: amd64
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: ${{ env.GO_VERSION }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..aa0d78a
--- /dev/null
+++ b/.github/workflows/codeql.yml
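Review bot: When the 30-second run in `Fuzz smoke` (hunk `@@ -75,6 +81,9`) finds a crasher, `go test` writes the minimized input under `pkg/dataverify/testdata/fuzz/FuzzFileMapFields/` on the runner and fails the job, but nothing in the hunk preserves that file, so the failure cannot be reproduced or turned into a regression seed from the logs alone. Upload that directory on failure as an artifact. Adding `-run='^FuzzFileMapFields$'` also keeps the step from re-running the package's unit tests that `make test-unit` executed one step earlier, and an anchored `-fuzz` pattern avoids the "matches more than one fuzz test" error if a second `Fuzz…` target is ever added to the package. The upload-artifact pin below reuses the SHA this change already uses in `release.yml`.
```yaml
      - name: Fuzz smoke
        run: go test -run='^FuzzFileMapFields$' -fuzz='^FuzzFileMapFields$' -fuzztime=30s ./pkg/dataverify

      - name: Upload fuzz crasher
        if: failure()
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: fuzz-crasher
          path: pkg/dataverify/testdata/fuzz/
          if-no-files-found: ignore

      # … unchanged: CLI docs drift gate step …
```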
@@ -0,0 +1,45 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [ develop ]
+ pull_request:
+ branches: [ develop ]
+
+permissions: read-all
+
+env:
+ GO_VERSION: '1.26.4'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ # Required to upload SARIF to the code-scanning dashboard.
+ security-events: write
+ actions: read
+ contents: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
+ with:
+ languages: go
+
+ - name: Set up Go
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+ with:
+ go-version: ${{ env.GO_VERSION }}
+ cache-dependency-path: go.sum
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
+ with:
+ category: "/language:go"
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index c19b24e..85a3e40 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -19,10 +19,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: ${{ env.GO_VERSION }}
 cache-dependency-path: go.sum
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f899f91..96be7d9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,9 +11,7 @@ env:
 IMAGE: ${{ vars.EDGELET_CONTAINER_IMAGE }}
 GITHUB_REPO: ${{ vars.EDGELET_GITHUB_REPO }}
-permissions:
- contents: write
- packages: write
+permissions: read-all
 jobs:
 build-linux:
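Review bot: The new CodeQL workflow triggers only on pushes and pull requests to `develop`, while `ci-go.yml` in this same change gates `main`, `develop` and `edgelet/**`, so if `main` is a long-lived branch its merged code is never scanned, and nothing re-analyzes an unchanged tree when CodeQL ships new queries. Add `main` to both `branches:` lists and a periodic trigger, e.g. `schedule:` / `- cron: '0 6 * * 1'` (a constructed weekly slot; pick any low-traffic time). `Set up Go` currently runs after `Initialize CodeQL`; that works because `Autobuild` is the first step that invokes the toolchain, but moving setup-go ahead of init makes the pinned `GO_VERSION` visible to every CodeQL step and removes the dependence on that ordering.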
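Review bot: Dropping the top-level `packages: write` in `release.yml` leaves no visible job with permission to push to GHCR, yet the workflow still defines `IMAGE: ${{ vars.EDGELET_CONTAINER_IMAGE }}`, which suggests some job publishes a container image with `GITHUB_TOKEN`. Only the `GitHub Release` job regains scopes (`contents: write`, `id-token: write`) in the later hunk at `@@ -174,16 +172,37`; if an image-push job exists outside these hunks it will now fail at push time, so it needs its own job-level `permissions:` block with `packages: write` (plus `contents: read`). If images are instead pushed with a separate credential or not at all, a one-line comment beside `permissions: read-all` saying so will stop the next reader from re-adding the broad grant.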
@@ -37,9 +35,9 @@ jobs:
 buildarch: amd64
 runner: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: ${{ env.GO_VERSION }}
@@ -80,7 +78,7 @@ jobs:
 ARCH=${{ matrix.arch }} ./scripts/binary_size_check.sh
 test -f "build/edgelet-linux-${{ matrix.arch }}"
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: edgelet-linux-${{ matrix.arch }}
 path: build/edgelet-linux-${{ matrix.arch }}
@@ -106,9 +104,9 @@ jobs:
 goarch: amd64
 out: build/edgelet-windows-amd64.exe
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: ${{ env.GO_VERSION }}
@@ -122,7 +120,7 @@ jobs:
 -o "${{ matrix.out }}" ./cmd/edgelet
 test -f "${{ matrix.out }}"
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: edgelet-${{ matrix.id }}
 path: ${{ matrix.out }}
@@ -133,9 +131,9 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build-linux, build-desktop]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 path: artifacts
@@ -164,7 +162,7 @@ jobs:
 install.sh uninstall.sh > SHA256SUMS
 )
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: release-dist
 path: dist/*
@@ -174,16 +172,37 @@ jobs:
 name: GitHub Release
 runs-on: ubuntu-latest
 needs: package
+ permissions:
+ contents: write
+ id-token: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: release-dist
 path: dist
+ - name: Install cosign
+ uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+
+ - name: Sign release artifacts (keyless cosign)
+ run: |
+ set -euo pipefail
+ for f in dist/*; do
+ case "$(basename "$f")" in
+ *.sig|*.pem|*.sigstore|*.sigstore.json) continue ;;
+ esac
+ [ -f "$f" ] || continue
+ cosign sign-blob --yes \
+ --bundle "${f}.sigstore.json" \
+ --output-signature "${f}.sig" \
+ "$f"
+ done
+ ls -la dist/
+
 - name: Generate release notes
 run: |
 cat > release_notes.md <`, `edgelet-darwin-`, `edgelet-windows-amd64.exe`), `SHA256SUMS`, `install.sh`, `uninstall.sh`, and config/CA samples.
diff --git a/SECURITY.md b/SECURITY.md
index 43f5108..2160890 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,7 +4,7 @@
 | Version | Supported |
 |---------|-----------|
-| `v1.0.0-beta.0` and later pre-releases on `develop` | Yes |
+| `v1.0.0-beta.1` and later pre-releases on `develop` | Yes |
 | Earlier migration / dev builds | No |
 ## Reporting a vulnerability
@@ -41,7 +41,7 @@ make vulncheck # govulncheck@v1.1.4 + go mod verify
 ## Known vulnerability exceptions
-The following findings are **documented exceptions** accepted for `v1.0.0-beta.0`. They are enforced by `scripts/vulncheck.sh` (keep `ALLOWED_VULNS` in sync with this table).
+The following findings are **documented exceptions** accepted for `v1.0.0-beta.1`. They are enforced by `scripts/vulncheck.sh` (keep `ALLOWED_VULNS` in sync with this table).
 | ID | CVE | Component | Rationale | Fix timeline |
 |----|-----|-----------|-----------|--------------|
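Review bot: `Sign release artifacts (keyless cosign)` emits a `.sig` and `.sigstore.json` for every file in `dist/`, but nothing on the page records the identity a consumer must verify against, and a keyless signature checked without a pinned identity only proves that some GitHub-hosted workflow signed the blob. Add a comment above the step that states the verification command, along the lines of `# Verify: cosign verify-blob --bundle <file>.sigstore.json --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '<RELEASE-WORKFLOW-IDENTITY-PLACEHOLDER>' <file>`, and surface the same command in the notes produced by `Generate release notes` so the install docs and `SECURITY.md` can point to it. Two smaller points: `[ -f "$f" ] || continue` would read better before the `case`, since a directory name is otherwise inspected before being skipped, and `*.pem` is excluded although no `--output-certificate` is written, which is harmless but suggests a file that never exists. The `Generate release notes` heredoc at the end of this hunk is truncated in this view and the job's remaining steps continue outside it.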
diff --git a/build/Dockerfile.embedded b/build/Dockerfile.embedded
index 846e973..cf577f9 100644
--- a/build/Dockerfile.embedded
+++ b/build/Dockerfile.embedded
@@ -2,7 +2,7 @@
 # macOS dev:
 # docker build -f build/Dockerfile.embedded -t edgelet-embed-ci .
 # docker run --rm -v "$(pwd)":/src -w /src edgelet-embed-ci ./scripts/ci
-FROM golang:1.26.4-trixie
+FROM golang:1.26.4-trixie@sha256:0dcba0d95dbfb072e9917a106b9e07d7cc298097dc83e9307056ef1889de654d
 COPY scripts/install-embed-build-deps /usr/local/bin/install-embed-build-deps
 RUN chmod +x /usr/local/bin/install-embed-build-deps \
diff --git a/docs/FEATURE-PARITY.md b/docs/FEATURE-PARITY.md
index 29fd0ad..0a7159c 100644
--- a/docs/FEATURE-PARITY.md
+++ b/docs/FEATURE-PARITY.md
@@ -1,6 +1,6 @@
 # Edgelet feature checklist
-This document tracks implemented Edgelet capabilities for the v1.0.0-beta.0 release.
+This document tracks implemented Edgelet capabilities for the v1.0.0-beta.1 release.
 ## Core Features
diff --git a/go.mod b/go.mod
index d592f8b..25450c9 100644
--- a/go.mod
+++ b/go.mod
@@ -155,7 +155,7 @@ require (
 go.yaml.in/yaml/v2 v2.4.3 // indirect
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
 golang.org/x/mod v0.35.0 // indirect
- golang.org/x/net v0.54.0 // indirect
+ golang.org/x/net v0.55.0 // indirect
 golang.org/x/oauth2 v0.34.0 // indirect
 golang.org/x/sync v0.20.0 // indirect
 golang.org/x/text v0.37.0 // indirect
diff --git a/go.sum b/go.sum
index 28be290..a93f7fe 100644
--- a/go.sum
+++ b/go.sum
@@ -488,8 +488,8 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
-golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
 golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
diff --git a/pkg/dataverify/dataverify_fuzz_test.go b/pkg/dataverify/dataverify_fuzz_test.go
new file mode 100644
index 0000000..ab8a93e
--- /dev/null
+++ b/pkg/dataverify/dataverify_fuzz_test.go
@@ -0,0 +1,25 @@
+package dataverify
+
+import (
+ "os"
+ "path/filepath"
+ "testing"
+)
+
+func FuzzFileMapFields(f *testing.F) {
+ f.Add([]byte("abc123 relative/path\n"))
+ f.Add([]byte("link target\n"))
+ f.Add([]byte("malformed\n"))
+ f.Add([]byte(""))
+
+ f.Fuzz(func(t *testing.T, data []byte) {
+ dir := t.TempDir()
+ manifest := filepath.Join(dir, "manifest")
+ if err := os.WriteFile(manifest, data, 0644); err != nil {
+ t.Fatalf("write manifest: %v", err)
+ }
+ for _, keyVal := range [][2]int{{1, 0}, {0, 1}} {
+ _, _ = fileMapFields(manifest, keyVal[0], keyVal[1])
+ }
+ })
+}
diff --git a/scripts/lint.sh b/scripts/lint.sh
index a978f6a..a1b00e7 100755
--- a/scripts/lint.sh
+++ b/scripts/lint.sh
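Review bot: `os.WriteFile(manifest, data, 0644)` in the new `FuzzFileMapFields` uses the legacy octal literal; on a Go 1.26 module write it as `0o644`, the explicit form available since Go 1.13 that modern formatters and linters prefer. The pairs in `[][2]int{{1, 0}, {0, 1}}` are passed straight to `fileMapFields(manifest, keyVal[0], keyVal[1])` with no hint of what the two ints select, so a comment such as `// exercise both column orders (key column, value column) — confirm against fileMapFields` would save the next reader a lookup. The seed corpus also has no multi-line, tab-separated, CRLF or trailing-whitespace entries, which (if the function splits fields as its name suggests; verify) are the inputs most likely to reach interesting branches, so consider adding seeds like `"a b\r\n"` and `"a\tb\nc d\n"`.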
@@ -13,7 +13,7 @@ echo "Running linters..."
 # Check if golangci-lint is installed
 if ! command -v golangci-lint &> /dev/null; then
 echo "golangci-lint not found. Installing..."
- go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+ go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
 fi
 make lint
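Review bot: The pin `@v2.12.2` now lives in two places — this `go install` line and the `version: v2.12.2` passed to golangci-lint-action in `ci-go.yml` — with nothing tying them together, so the next bump will drift unless both are edited by hand. Read it from one variable, e.g. `GOLANGCI_LINT_VERSION="${GOLANGCI_LINT_VERSION:-v2.12.2}"` near the top of the script and `go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@"${GOLANGCI_LINT_VERSION}"` here, so CI can export the same value. Note also that `go install` drops the binary into `$(go env GOPATH)/bin`, which is not necessarily on `PATH`, so the `make lint` that follows can still fail with the very "not found" this branch tries to repair; the script's preamble is outside the hunk, so whether `PATH` is already adjusted there cannot be confirmed from this view.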