On the installation of a plugin without any slashes (/) in its name, the annex will query the GitHub API searching for */{the-name}, sorting on stars.
I have two main complaints:
1. It's non-deterministic. If zsh-users/plugin1 became more popular than zdhc/plugin1 overnight, you would then be installing two different configs. This seems bad, since configuration is often not perfectly compatible.
2. Security risk. It's possible to attack this mechanism by using bots / compromised users to star a malicious repo with a name of a popular zinit package.
Fully qualified repo names solve both issues.
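
An added example, not part of the original issue and not the annex's own code: a small Python model of the star-sorted lookup described above, next to a strict resolver that accepts only `owner/repo`. The star counts, the function names and the name-validation regex are assumptions made for illustration.

```python
import re

# Constructed snapshots of what a "*/plugin1" repository search could return
# on two different days (repo names from the issue; star counts are made up).
SNAPSHOT_DAY1 = [
    {"full_name": "zdhc/plugin1", "stars": 120},
    {"full_name": "zsh-users/plugin1", "stars": 100},
]
SNAPSHOT_DAY2 = [
    {"full_name": "zdhc/plugin1", "stars": 121},
    {"full_name": "zsh-users/plugin1", "stars": 150},
]

# Assumed shape of a fully qualified name: owner/repo.
QUALIFIED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*/[A-Za-z0-9._-]+$")


def resolve_by_stars(name, results):
    """Model of the lookup in the issue: match */name, take the most-starred hit."""
    hits = [r for r in results if r["full_name"].split("/", 1)[1] == name]
    if not hits:
        return None
    return max(hits, key=lambda r: r["stars"])["full_name"]


def resolve_strict(spec):
    """Hardened variant: accept only owner/repo, never consult a popularity ranking."""
    if not QUALIFIED.match(spec):
        raise ValueError(f"ambiguous plugin name {spec!r}: use owner/repo")
    return spec


def audit(specs, snapshots):
    """Classify each spec as 'pinned', 'stable' or 'drifts' across the snapshots."""
    report = {}
    for spec in specs:
        if QUALIFIED.match(spec):
            report[spec] = ("pinned", [spec])
            continue
        seen = [resolve_by_stars(spec, snap) for snap in snapshots]
        # 'stable' only means the ranking did not change in these snapshots.
        status = "drifts" if len(set(seen)) > 1 else "stable"
        report[spec] = (status, seen)
    return report


if __name__ == "__main__":
    specs, snaps = ["plugin1", "zsh-users/plugin1"], [SNAPSHOT_DAY1, SNAPSHOT_DAY2]
    for spec, (status, seen) in audit(specs, snaps).items():
        print(f"{spec:20} {status:7} {seen}")
```
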