WingNews logo WingNews
top | item 45122573

(no title)

bayesianbot | 5 months ago

Am I the only one who thinks the way plugins are updated in lazy.nvim (and probably others) is a bit insane? It seems to just pull the latest commits. Every time I update, I feel one rogue commit away from someone stealing my keys. It definitely feels like the riskiest thing I do on my system. Or have I misunderstood something?

discuss

order

behnamoh|5 months ago

Thanks, new fear unlocked for me :')

For me, lazy.nvim doesn't pull the latest commits automatically. I have to <leader>-L and SHIFT-U it. And I don't do it often exactly because if there's an issue with the plugins I hope it's caught by others and addressed before I update mine.

sim7c00|5 months ago

you are right to be worried about such practices. this is why i avoid these things entirely. its a bit more hastle but a lot less risk. once you have a good config u can just roll with that anyhow. but i guess in the same vein i dont use a lot of plugins.

the nr of times now people have been owned by rogue plugins via editors is rising each day...

gitaarik|5 months ago

So you mean you review all the plugin code before you add it? And when there's an update you review the changes?

bayesianbot|5 months ago

So far I’ve just YOLO'd it. But if I install other software directly from git and the source isn’t fully reliable, I’ll usually at least check recent changes, or have codex take a look through the source, just like I read through PKGBUILDs when installing from AUR. It feels crazy that I then update LazyVim and suddenly pull in 150 new commits, some just minutes old, all with free access to my system.

recursivecaveat|5 months ago

If you manual update infrequently you are leaving a period for other people to get burned and flag issues before you pull the change, even if you don't look into a thing yourself.

freedomben|5 months ago

I mostly do, yes. There are exceptions for very mainstream and big plugins, but for the most part I do at least skim the new plugin code before committing it to my dotfiles repo. A nice thing about this ecosystem is for the most part, things don't change that quickly/often, and big refactors are quite rare