Hi, and thanks for claude-pace — the jq-only statusline is genuinely nice,
and I appreciate that the npm path already ships an immutable bundled script.
One small hardening suggestion on the curl install/upgrade path. Both the
slash-command setup and the README fetch the script from the main branch:
- commands/setup.md (lines 24–25)
- README.md (lines 62–63), and the "Upgrade → Manual" note says to re-run it

```sh
curl -fsSL -o ~/.claude/statusline.sh \
  https://raw.githubusercontent.com/Astro-Han/claude-pace/main/claude-pace.sh
chmod +x ~/.claude/statusline.sh
```
Because this resolves …/main/…, every install/upgrade silently pulls the
current tip of main. The script today is fine — this isn't a report of any
compromise. It's that the install mechanism trusts a moving branch with no
version pin and no integrity check, so whatever lands on main next (an
unreviewed merge, a hijacked push, a bad force-push) is what users get on their
next setup run, executed via chmod +x. For a statusline that runs on every
prompt, that's a wide unversioned auto-update surface.
You already cut tagged releases (v0.9.1), so the simplest fix is pinning the
curl URL to a tag instead of main — and since v0.9.1 currently equals
HEAD, it's behavior-preserving right now. Upgrades then become an explicit
tag bump rather than a silent branch follow. Optionally, publishing a SHA256
per release and verifying it before chmod +x closes the gap even if you'd
rather keep tracking a moving ref.
Happy to open a PR with the one-line URL change in both files (and a checksum
step if you want it) — just let me know which direction you prefer. Thanks
again for the project!
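As an added illustration of the tag-pin plus checksum approach suggested above (this is example code written here, not a script from the claude-pace project): the URL is built from a release tag rather than `main`, the download goes to a temp file, and `chmod +x` only happens after the SHA256 matches. `EXPECTED_SHA256` is a placeholder for a digest the project would publish alongside each release; `TAG`, `DEST` and the helper names are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example, not part of claude-pace: pinned and checksum-verified install.
# TAG and EXPECTED_SHA256 are placeholders; real values would come from the
# project's release page.
set -e

TAG="${TAG:-v0.9.1}"
URL="https://raw.githubusercontent.com/Astro-Han/claude-pace/${TAG}/claude-pace.sh"
EXPECTED_SHA256="${EXPECTED_SHA256:-<sha256 published with the release>}"
DEST="${DEST:-$HOME/.claude/statusline.sh}"

# SHA256 hex digest of a file, using coreutils sha256sum or BSD/perl shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare a file's digest with the expected one. Returns 0 on match, 1 otherwise.
verify_checksum() {
  actual="$(sha256_of "$1")"
  [ "$actual" = "$2" ]
}

# Download to a temp file, verify, and only then place it in DEST with mode 0755.
# On a mismatch nothing executable is written under ~/.claude.
install_pinned() {
  tmp="$(mktemp)"
  trap 'rm -f "$tmp"' EXIT
  curl -fsSL -o "$tmp" "$URL"
  if ! verify_checksum "$tmp" "$EXPECTED_SHA256"; then
    echo "checksum mismatch for $URL; refusing to install" >&2
    return 1
  fi
  mkdir -p "$(dirname "$DEST")"
  install -m 0755 "$tmp" "$DEST"
}

# The network step runs only when explicitly requested, so the helpers can be
# sourced and exercised offline.
if [ "${INSTALL_NOW:-0}" = "1" ]; then
  install_pinned
fi
```

Run with `INSTALL_NOW=1 EXPECTED_SHA256=<published digest> sh install.sh`. Bumping `TAG` is then the explicit upgrade step, and a tampered or force-pushed file at the same tag fails the digest check instead of being installed.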