Although this project is lit, people may think it's dangerous to let a third-party CLI scan the whole codebase. Repomix needs to provide a way to convince people this project is legit, so one thing is to pack itself, not the GitHub repo, because the GitHub repo and npm can be two totally different codebases; it's a really simple attack method. So one easy solution is to let repomix support repomix --remote https://unpkg.com/repomix. This way it can easily pack itself, and people can just post the whole thing to an LLM to verify if it contains malicious code.

While this project is fantastic, some users might hesitate to allow a third-party CLI to scan their entire codebase. To build confidence and demonstrate the project's legitimacy, Repomix could offer a mechanism to validate itself as a trusted tool.
One potential concern is the discrepancy between the GitHub repository and the published npm package, as malicious actors could exploit this difference with a simple attack method.
Proposed Solution
Introduce a feature to allow Repomix to package itself directly from a remote source. For example:
repomix --remote https://unpkg.com/repomix
With this feature:
Users can fetch and package Repomix directly from its deployed version.
They could then analyze the resulting package (e.g., with an LLM) to ensure no malicious code is present.
This would make it easier for users to trust and adopt Repomix while mitigating potential security concerns.