I'm seeing this in the Dockerfile:
RUN curl -fsSL https://claude.ai/install.sh | bash
RUN curl -fsSL https://fnm.vercel.app/install | bash -s -- ...
RUN sh -c "$(curl -fsSL https://github.com/deluan/zsh-in-docker/releases/download/v${ZSH_IN_DOCKER_VERSION}/zsh-i
And these:
curl -fsSL "https://github.com/dandavison/delta/releases/download/${GIT_DELTA_VERSION}/git-delta_${GIT_DELTA_VERSION}_${ARCH}.deb" -o /tmp/git-delta.deb
dpkg -i /tmp/git-delta.deb
curl -fsSL "https://github.com/junegunn/fzf/releases/download/v${FZF_VERSION}/fzf-${FZF_VERSION}-${FZF_ARCH}.tar.gz" | t
All of those seem like supply-chain risks. I would love to see this with checksum verification, if feasible. Given that you're security experts, I'm assuming I'm looking at this wrong, but I wanted to raise the issue and be sure. I am not a security expert.
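One way to do the checksum verification asked for above, as an added example that is not the project's Dockerfile or any maintainer's reply: instead of `curl ... | bash`, pin the release version and the SHA-256 of the exact artifact, download to a file, verify, and only then execute or `dpkg -i` it. The helper names (`verify_sha256`, `fetch_verified`, `sha256_of`) are hypothetical, the version and digest values are left to the caller (take them from the upstream release page and put them next to the existing `*_VERSION` build args), and the demonstration at the bottom uses a constructed local file so it runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the project): download-then-verify pattern that
# replaces "curl -fsSL <url> | bash". Nothing here is executed until the
# artifact's SHA-256 matches a digest pinned by the caller.
set -euo pipefail

# Print the SHA-256 hex digest of FILE. Uses coreutils sha256sum when present,
# otherwise falls back to shasum (macOS), so the same script works in both.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Verify that FILE has the SHA-256 digest EXPECTED (lowercase hex).
# Returns 0 on match, 1 on mismatch with both digests on stderr. It does not
# delete anything; the caller decides what to do with a bad artifact.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch for %s\n  expected %s\n  got      %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
    return 0
}

# Hypothetical helper: download URL to OUT and verify it against
# EXPECTED_SHA256. On mismatch the file is removed and the function fails,
# so a "RUN fetch_verified ... && bash /tmp/x.sh" layer fails closed.
# The digest must come from out of band (release page, release notes),
# not from a file fetched at build time over the same channel.
fetch_verified() {
    local url="$1" expected="$2" out="$3"
    curl -fsSL --retry 3 "$url" -o "$out"
    if ! verify_sha256 "$out" "$expected"; then
        rm -f "$out"
        return 1
    fi
}

# Offline demonstration with a constructed "installer" (no network access):
demo_dir="$(mktemp -d)"
printf 'echo hello from a pinned installer\n' > "$demo_dir/install.sh"
good_sum="$(sha256_of "$demo_dir/install.sh")"
bad_sum="0000000000000000000000000000000000000000000000000000000000000000"

verify_sha256 "$demo_dir/install.sh" "$good_sum" && echo "verified: safe to run"
verify_sha256 "$demo_dir/install.sh" "$bad_sum" 2>/dev/null || echo "rejected: not run"
```

In the Dockerfile this pairs each `ARG FOO_VERSION` with an `ARG FOO_SHA256` and turns the pipe into `fetch_verified "$URL" "$FOO_SHA256" /tmp/foo && ...`. Two caveats a reviewer would add: a digest only pins the artifact to what you inspected when you recorded it, so it catches later tampering or a swapped release but not an upstream that was already compromised at pinning time (an upstream signature, where the project publishes one, covers that case), and an unversioned `install.sh` such as the first two lines in the report cannot be pinned at all, so step one is to fetch a versioned release artifact rather than a moving script.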