4e2df67adc
If the `client9/misspell` repo is compromised, an attacker could control the contents of `install-misspell.sh`. Since we execute that file directly, we should use a URL that guarantees its contents will not change. Note that, at the time of writing, the last commit to `client9/misspell` was in March 2018 (client9/misspell@c0b55c8239), so the code appears to be stable. Also, although using a tag would be prettier than using a hash, the repo's last commit is after its most recent tag (`v0.3.4`).

- workflows
- autolabeler.yml
- CODEOWNERS
- issue_template.md
- no-response.yml
- pull_request_template.md
- security.md
- stale.yml
- verba-sequentur.yml