repomix --remote https://unpkg.com/repomix #211

Open
rockmandash opened this issue Dec 20, 2024 · 0 comments
@rockmandash

Although this project is lit, people may think it's dangerous to let a third-party CLI scan their whole codebase. repomix needs to provide a way to convince people this project is legit, so one thing is to pack itself, not the GitHub repo, because the GitHub repo and npm can be two totally different codebases; it's a really simple attack method. So one easy solution is to let repomix support repomix --remote https://unpkg.com/repomix ; this way it can easily pack itself, and people can just post the whole thing to an LLM to verify whether it contains malicious code.

While this project is fantastic, some users might hesitate to allow a third-party CLI to scan their entire codebase. To build confidence and demonstrate the project's legitimacy, Repomix could offer a mechanism to validate itself as a trusted tool.

One potential concern is the discrepancy between the GitHub repository and the published npm package, as malicious actors could exploit this difference with a simple attack method.

Proposed Solution
Introduce a feature to allow Repomix to package itself directly from a remote source. For example:

repomix --remote https://unpkg.com/repomix

With this feature:

  • Users can fetch and package Repomix directly from its deployed version.
  • They could then analyze the resulting package (e.g., with an LLM) to ensure no malicious code is present.

This would make it easier for users to trust and adopt Repomix while mitigating potential security concerns.
