Conversation
Pull request overview
This PR fixes the CLI installation script by correcting platform target names to match the actual GitHub release artifact naming convention.
Changes:
- Updated platform target names from the `amd64` suffix to the `x64` suffix (darwin-amd64 → darwin-x64, linux-amd64 → linux-x64) to align with release artifacts
- Reordered Darwin platform cases to match the release workflow order (arm64 before x64)
- Renamed variable `exe` to `exe_path` for better clarity
```sh
curl --fail --location --progress-bar --output "$exe_path.gz" "$dl_url"
tar -xzf "$exe_path.gz" -C "$bin_dir"
chmod +x "$exe_path"
rm "$exe_path.gz"
```
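Review bot: nothing checks that the `curl` on the first line succeeded before `tar` runs on `$exe_path.gz`, so unless the surrounding script runs under `set -e`, a download that fails or is cut short leaves a partial `$exe_path.gz` behind, `tar` errors out on it, and `chmod +x "$exe_path"` then fails on a file that was never extracted. Consider `curl ... || exit 1` (or `set -e` at the top of the script) and downloading into a `mktemp -d` scratch directory so that partial files never end up next to the installed binary.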
This install script downloads and extracts a remote CLI binary from https://github.com/esm-dev/esm.sh/... via curl and tar without any checksum or signature verification. If the release artifact or distribution channel is compromised, an attacker can ship a malicious binary that will be installed into bin_dir and later executed by users, resulting in a supply chain compromise. Add integrity verification (e.g., validating a pinned SHA-256 checksum or cryptographic signature for the downloaded archive) before extracting and installing the binary.
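One way to implement the pinned-checksum check the comment asks for, as an added example that is not part of the PR or of the esm.sh project's own install script. The `install_verified` function, its `exe_name`/`expected` parameters and the scratch-directory staging are assumptions; the pinned digest would come from the release.

```sh
#!/bin/sh
# Added example, not the esm.sh project's own install script: verify a pinned
# SHA-256 digest before the downloaded archive is extracted or installed.
# The pinned digest would come from the release; here it is a parameter.
set -eu

# Print the SHA-256 hex digest of a file. Linux ships sha256sum; macOS ships
# shasum, so fall back to it when sha256sum is absent.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when the file's digest equals the pinned digest (case-insensitive
# hex), 1 otherwise.
verify_sha256() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$1")
  [ "$actual" = "$expected" ]
}

# Same curl/tar/chmod sequence as the PR, but staged in a scratch directory:
# the binary only reaches bin_dir once the archive has verified, and a
# mismatch removes the download and returns 1. (install_verified and the
# exe_name/expected parameters are assumptions, not names from the PR.)
install_verified() {
  dl_url=$1; bin_dir=$2; exe_name=$3; expected=$4
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  curl --fail --location --progress-bar --output "$tmp/$exe_name.gz" "$dl_url"
  if ! verify_sha256 "$tmp/$exe_name.gz" "$expected"; then
    echo "checksum mismatch for $exe_name.gz; refusing to install" >&2
    return 1
  fi
  tar -xzf "$tmp/$exe_name.gz" -C "$tmp"
  chmod +x "$tmp/$exe_name"
  mv "$tmp/$exe_name" "$bin_dir/$exe_name"
}

# Offline demo on a constructed file: the digest of "hello\n" is well known.
demo=$(mktemp)
printf 'hello\n' > "$demo"
verify_sha256 "$demo" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
  && echo "demo: checksum ok"
rm -f "$demo"
```

A real script would embed the digest published alongside each release artifact (or fetch a signed checksum file) rather than pass it in as a parameter.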
No description provided.