CLI silently downloads runtime tarball to ~/.mintlify without user consent #5445
dougEfresh
started this conversation in
Bugs & Feedback
Replies: 0 comments
Given the increased risk of supply chain attacks, I consider this a security issue.
You download a tar.gz file from releases.mintlify.com with zero signature verification and zero user prompt. This isn't just files, it is code executed unknowingly by the user.
It is a bit odd that you use npm as a bootstrap distribution. Why not include everything in the npm package?