bayesianbot 5 days ago
Am I the only one who thinks the way plugins are updated in lazy.nvim (and probably others) is a bit insane? It seems to just pull the latest commits. Every time I update, I feel one rogue commit away from someone stealing my keys. It definitely feels like the riskiest thing I do on my system. Or have I misunderstood something?
|
behnamoh 5 days ago
Thanks, new fear unlocked for me :') For me, lazy.nvim doesn't pull the latest commits automatically. I have to <leader>-L and SHIFT-U it. And I don't do it often, exactly because if there's an issue with the plugins I hope it's caught by others and addressed before I update mine.
|
sim7c00 5 days ago
You are right to be worried about such practices. This is why I avoid these things entirely. It's a bit more hassle but a lot less risk. Once you have a good config you can just roll with that anyhow. But I guess in the same vein I don't use a lot of plugins. The number of times now people have been owned by rogue plugins via editors is rising each day...
|
gitaarik 5 days ago
So you mean you review all the plugin code before you add it? And when there's an update you review the changes?
bayesianbot 5 days ago
So far I've just YOLO'd it. But if I install other software directly from git and the source isn't fully reliable, I'll usually at least check recent changes, or have codex take a look through the source, just like I read through PKGBUILDs when installing from AUR. It feels crazy that I then update LazyVim and suddenly pull in 150 new commits, some just minutes old, all with free access to my system.
recursivecaveat 5 days ago
If you update manually and infrequently, you are leaving a period for other people to get burned and flag issues before you pull the change, even if you don't look into a thing yourself.
ratrocket 5 days ago
If your update is the simplest version, a "git pull" -- then you're incorporating commits that have not "stewed" long enough for anyone to be burned. You might win the lucky ticket! (Saying this as someone who rarely updates nvim plugins, out of forgetfulness, not principle, and when they are updated I believe it IS a simple "git pull"...)
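The "stewing" idea in the two comments above, turned into a check. This is an added example, not code from the thread or from lazy.nvim: it compares two snapshots of lazy-lock.json (lazy.nvim's lock file, which records the commit each plugin is pinned to) and holds back any plugin whose new commit is younger than a week, plus any plugin that is entirely new, so those can be reviewed before they run with your user's privileges. The lock-file shape is lazy.nvim's; the plugin names, hashes and timestamps are constructed, and the commit-age lookup that would normally come from `git show -s --format=%ct <commit>` is replaced by an inline table.

```python
import json

# Constructed sample lock files in lazy-lock.json's shape (plugin -> branch, commit);
# every hash and timestamp below is made up for the example.
LOCK_BEFORE = json.loads("""{
  "lazy.nvim": {"branch": "main", "commit": "1111111"},
  "telescope.nvim": {"branch": "master", "commit": "2222222"},
  "nvim-treesitter": {"branch": "master", "commit": "3333333"}
}""")
LOCK_AFTER = json.loads("""{
  "lazy.nvim": {"branch": "main", "commit": "1111111"},
  "telescope.nvim": {"branch": "master", "commit": "2222223"},
  "nvim-treesitter": {"branch": "master", "commit": "3333334"},
  "new-plugin.nvim": {"branch": "main", "commit": "4444444"}
}""")
NOW = 1_700_000_000                  # constructed "current time", unix seconds
COMMIT_TIME = {                      # stands in for: git show -s --format=%ct <commit>
    "2222223": NOW - 40 * 60,        # pushed 40 minutes ago
    "3333334": NOW - 12 * 86400,     # 12 days old
    "4444444": NOW - 30 * 86400,     # 30 days old, but a brand-new dependency
}
MIN_AGE = 7 * 86400                  # one week of "stewing" before a commit is accepted

def lock_changes(before, after):
    """Plugins whose pinned commit differs: name -> (old_commit, new_commit)."""
    commit = lambda lock, name: lock.get(name, {}).get("commit")
    return {n: (commit(before, n), commit(after, n))
            for n in sorted(set(before) | set(after))
            if commit(before, n) != commit(after, n)}

def gate_updates(before, after, commit_time, now=NOW, min_age=MIN_AGE):
    """Split an update into plugins to accept and plugins to hold for review: new
    plugins are always held, existing ones while their new commit is under min_age."""
    accept, hold = {}, {}
    for name, (old, new) in lock_changes(before, after).items():
        if new is None:
            accept[name] = "removed"
        elif old is None:
            hold[name] = f"new plugin, review the whole tree at {new}"
        elif (age := now - commit_time[new]) < min_age:
            hold[name] = f"commit {new} is only {age // 3600}h old"
        else:
            accept[name] = f"{old}..{new} ({age // 86400} days old)"
    return accept, hold

def restored_lock(before, after, hold):
    """Lock file to write back: held plugins keep their previous pin (or stay out)."""
    return {n: (before[n] if n in hold else e) for n, e in after.items()
            if n not in hold or n in before}
```

Writing the result of `restored_lock` back over lazy-lock.json and running `:Lazy restore` is the step that actually rolls the held plugins back to their earlier commits.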
gitaarik 5 days ago
With a plugin manager you can also update infrequently.
freedomben 5 days ago
I mostly do, yes. There are exceptions for very mainstream and big plugins, but for the most part I do at least skim the new plugin code before committing it to my dotfiles repo. A nice thing about this ecosystem is that for the most part things don't change that quickly/often, and big refactors are quite rare.
|