[PM-28446] Log package types

[quexten]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-28446

📔 Objective

We currently lack insight into which sandboxing packaging types are used actively. Specifically, for Linux, we don't know how many users use Snap/Flatpak versus the unsandboxed unsupported types (AppImage, deb, rpm). On Mac, the same applies for DMG/MacAppStore. This makes it hard to gauge where to spend resources / prioritize feature and bug-fix development.

This PR adds insight by adding a new header, "Bitwarden-Package-Type". This adds information that is not already contained in the "Bitwarden-Client-Name" header about specifically which package type is used.

The considered alternative was to add new device entries. However, the migration path here is long and would not give insight into existing installations.

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

❌ Patch coverage is 4.34783% with 22 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.11%. Comparing base (9733ef0) to head (c66a5ff).
⚠️ Report is 43 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...atform/services/electron-platform-utils.service.ts	0.00%	12 Missing ⚠️
...s/platform-utils/browser-platform-utils.service.ts	0.00%	8 Missing ⚠️
...rc/platform/services/cli-platform-utils.service.ts	0.00%	1 Missing ⚠️
...pps/web/src/app/core/web-platform-utils.service.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #17496      +/-   ##
==========================================
+ Coverage   40.91%   41.11%   +0.19%     
==========================================
  Files        3544     3544              
  Lines      101673   101867     +194     
  Branches    15234    15271      +37     
==========================================
+ Hits        41602    41880     +278     
+ Misses      58318    58224      -94     
- Partials     1753     1763      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – 69b26fd4-55de-442e-afcf-25a9ffecca47

New Issues (1)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2025-8129	Npm-koa-2.16.1	details Recommended version: 2.16.3 Description: A vulnerability, which was classified as problematic, was found in KoaJS Koa versions through 2.16.1 and versions 3.0.0-alpha0 through 3.0.0. Affec... Attack Vector: NETWORK Attack Complexity: LOW ID: eLf1pfW0%2FwqIBqZ%2BHfJsMhK%2BkX2uVEj39jUgh0awiuk%3D Vulnerable Package

[trmartin4]

Is there a reason why we're using "Unsandboxed" as a default here? Could we expand this to capture all of the desktop packaging methods that we can, and say "Unknown" as the default instead?

For example, adding isWindowsPortable? Perhaps that's the only missing one? I assume we don't have a way to identify whether the client is .deb or .rpm, for example?

[quexten]

Updated. I think deb / rpm detection requires additional research to perform correctly and I felt it is out of scope here.