I very much appreciated the run-this-remote-file | sh installer method before I learned what I was actually opening myself up to. As handy as it is, this practice really should be discouraged, imho.
I get that, but what if you recently ran sudo make-me-a-sandwich in that shell session? If someone maliciously slipped a sudo command in that script they'd have everything they needed, and you might not even realize it. Obviously, I'm not suggesting the authors of these tools, but these remote shell installers seem like they'd be obvious targets for Bad Hackers.
It seems like the whole point of these remote shell installers is to make it easier for some people, but some might not be aware of this risk.
Yes, and they should drop the pipe to bash/sh at the end of the curl command. Download it, read it, then manually run it; don't just pipe it all together.
Fair enough. This is why I have explicit instructions on how to install without the run-as-remote-file install method right above it. Do you think it would help to add a view source link next to it or something?
Personally, since node is the only real dependency, I'd just use the npm installer. I didn't mean to discourage the work you put in, by the way. I might be using this tomorrow, but today is the Christmas party.
If you check the source, really this is all the script does. It checks to see if you have node, and if you do it runs npm install roots -g. But this is good feedback and if other people feel the same I'll definitely swap out the one-command installer. Have fun at the Christmas party!
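The download, read, then run workflow suggested in the thread, combined with the cached-sudo concern raised earlier, as an added example that is not part of the original discussion or of any project mentioned in it. The function names and the token list are assumptions made for illustration, and the URL in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: review gate for a remote installer instead of `curl ... | sh`.
# Usage (placeholder URL, not a real endpoint):
#   fetch_installer "https://example.invalid/install.sh" ./install.sh \
#     && review_and_run ./install.sh

# Save the installer to a file so the bytes you read are the bytes that run.
# HTTPS only; fail on HTTP errors instead of saving an error page as a script.
fetch_installer() {
    url=$1
    dest=$2
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 -o "$dest" "$url"
}

# Print (with line numbers) lines that escalate privileges or pull in more
# code. Returns 0 if any were found, 1 if none. This is a triage aid for the
# reader (assumed token list), not a substitute for reading the script.
flag_risky_lines() {
    grep -nE '(^|[^[:alnum:]_-])(sudo|su|doas|curl|wget|eval)([^[:alnum:]_-]|$)' "$1"
}

# Show flagged lines, drop cached sudo credentials, and run only on "yes".
review_and_run() {
    script=$1
    if flag_risky_lines "$script"; then
        echo "Lines above escalate privileges or fetch code; read them first." >&2
    fi
    # A recent sudo in this terminal leaves a cached credential; `sudo -k`
    # invalidates it so any sudo inside the installer has to prompt again.
    if command -v sudo >/dev/null 2>&1; then
        sudo -k 2>/dev/null || echo "warning: could not reset sudo timestamp" >&2
    fi
    printf 'Run %s? Type "yes" to continue: ' "$script"
    read -r answer
    [ "$answer" = "yes" ] || { echo "Not run." >&2; return 1; }
    sh "$script"
}
```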