
Every time I see something with the ability to import code from Git, especially if it allows specifying a branch (this pack even supports commit hashes), I wish they would document (and that more people knew) that you can "checkout" a branch at a specific time, because a lot of branches (vim plugins included) don't even bother with versioning.

ex: you can use this to checkout a repo @ a specific datetime:

> git checkout 'master@{2025-05-26 18:30:00}'

just doing my share to help people steer away from another leftPad disaster (or the xz apocalypse that almost was...)



Seems like a plausible idea, but when working with clocks my first question would be "whose clock is it?" Is it a repository-defined clock? My clock? The Git remote's clock?

AFAIK this can be used for hashes, but friends don't let friends use clocks in software development (unless it's a last resort).


I’m curious. What’s the risk of a supply chain attack? What are the privileges of a VIM plugin?


A plugin can spawn arbitrary processes, so if neovim is not started in a sandbox (container, namespace, firejail...) it can basically do whatever your user has the right to do.

Pretty big supply chain risks here.


And oftentimes sandboxing it is hard.

E.g.: what do you use to edit ~/.ssh/config or ~/.profile?


neovim (vim) plugins can make web requests, so you could steal secrets from a .env file being edited by, for example, making an LSP plugin active for .env files? According to my limited knowledge of LSP and of how neovim plugins work, it should be possible.

Could also just phone home everything a user edits using the text editor I bet.

Can someone tell me: when someone has a terminal buffer open, could a vim plugin potentially steal their root password when the user runs a sudo command?

And following up, could you, using that password, allow SSH connections and open ports in other system config files? Disable the firewall? And potentially execute other commands using `:!`?


You have the entire Lua language available in vim plugins, so you can just read all the files on the disk that the user has access to; you don't need to make an LSP plugin.

Executing shell commands is also possible, yes. Reading the root password is not possible because that's handled by an external program (I forgot the specifics on Linux), but you could technically present a fake password prompt and steal that.


Anything a user application can do.


I thought that gives master as of your pull time, not the nearest commit to that time, which seems very confusing (it isn't reproducible, except for yourself). I think you need a more complicated git log --before=time for any semblance of reproducibility.


Good catch, you are correct. I initially was going to post the actual command for checking out a branch at a time:

> git checkout $(git rev-list -1 --before="YYYY-MM-DD" master)

but I thought I had found a shortcut, which it turns out is not really one and, like you said, is confusing.

I can't edit my post, but in any case, the point being: it would be nice if import statements were closer to "github.com/google/uuid@YYYY-MM-DD", or in this case you could pass a date to version: "YYYY-MM-DD" and the library would run the uglier nested command above to import the proper version.


Why not by SHA?


Dates make pinning easier than looking up a SHA.


Easier for humans to parse, but introduces the threat vector of malicious attackers modifying the history and force submitting malicious code at or before a pinned time. That's why lock files exist.

SHA is still the way to go for those who are security-sensitive.


Fair. If we're talking about documenting this feature, we should point out that a SHA is immutable, while branches, tags, and dates are mutable references.
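The three pinning styles the thread compares (the corrected `git rev-list -1 --before=... master`, the `master@{<date>}` reflog shortcut, and a commit SHA) can be checked side by side in a throwaway repo, including the history-rewrite scenario raised above. The script below is an added example, not code from any commenter or from the plugin manager under discussion; the repo layout, the file name plugin.lua, the version strings and all dates are constructed, and it assumes git is on PATH (1.8.5 or later, for `git -C`). It uses `clone --no-local` so that the consumer clones fetch only reachable objects, as a clone over the network would.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an "upstream" repo whose commit
# dates we control, then compares date pinning, reflog pinning and SHA pinning
# before and after a history rewrite. Everything below is made up for the demo.
set -eu

# Fixed identity so commits and reflog writes work in any environment; ignore
# system/global git config so local settings (gpgsign, hooks) cannot interfere.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null

CUTOFF="2025-02-15T00:00:00+0000"   # the date a consumer "pins" to (constructed)

# Commit content $2 into repo $1 with author and committer date forced to $3.
# --before filters on the committer date, which is plain metadata: anyone who
# can push can set it to anything they like.
dated_commit() {
    printf '%s\n' "$2" > "$1/plugin.lua"
    git -C "$1" add plugin.lua
    GIT_AUTHOR_DATE="$3" GIT_COMMITTER_DATE="$3" git -C "$1" commit -q -m "$2"
}

# Upstream repo with three honestly dated releases on master.
make_upstream() {
    up=$(mktemp -d)
    git init -q "$up"
    git -C "$up" symbolic-ref HEAD refs/heads/master
    dated_commit "$up" "v1 safe" "2025-01-01T12:00:00+0000"
    dated_commit "$up" "v2 safe" "2025-02-01T12:00:00+0000"
    dated_commit "$up" "v3 safe" "2025-03-01T12:00:00+0000"
    printf '%s\n' "$up"
}

# The corrected command from the thread: newest commit on master whose
# committer date is not after $2.
pin_by_date() { git -C "$1" rev-list -1 --before="$2" master; }

# The shortcut from the thread: master@{<date>} walks this clone's *reflog*,
# i.e. "where did master point here at that time" by this machine's clock.
# A fresh clone's reflog starts at clone time, so git warns (on stderr) and
# returns the oldest entry it has, which is the current tip.
pin_by_reflog() { git -C "$1" rev-parse --verify "master@{$2}" 2>/dev/null; }

subject_of() { git -C "$1" log -1 --format=%s "$2"; }

# Runs the whole scenario and leaves the results in PIN_BEFORE, REFLOG_PIN,
# PIN_AFTER and SHA_SURVIVES.
run_demo() {
    up=$(make_upstream)
    consumer1=$(mktemp -d)
    git clone -q --no-local "$up" "$consumer1"

    SHA_PIN=$(pin_by_date "$consumer1" "$CUTOFF")
    PIN_BEFORE=$(subject_of "$consumer1" "$SHA_PIN")
    REFLOG_PIN=$(subject_of "$consumer1" "$(pin_by_reflog "$consumer1" "$CUTOFF")")

    # Someone with push access rewrites history: drop v2 and v3, then insert a
    # backdated malicious commit whose committer date falls before CUTOFF.
    git -C "$up" reset -q --hard HEAD~2
    dated_commit "$up" "v2 evil" "2025-02-01T12:30:00+0000"

    # A new consumer pinning by the same date now silently gets the rewrite...
    consumer2=$(mktemp -d)
    git clone -q --no-local "$up" "$consumer2"
    PIN_AFTER=$(subject_of "$consumer2" "$(pin_by_date "$consumer2" "$CUTOFF")")

    # ...while the SHA pin fails closed: the pinned object is no longer upstream.
    if git -C "$consumer2" cat-file -e "$SHA_PIN" 2>/dev/null; then
        SHA_SURVIVES=yes
    else
        SHA_SURVIVES=no
    fi

    rm -rf "$up" "$consumer1" "$consumer2"
    printf 'date pin before rewrite : %s\n' "$PIN_BEFORE"
    printf 'reflog pin master@{}    : %s\n' "$REFLOG_PIN"
    printf 'date pin after rewrite  : %s\n' "$PIN_AFTER"
    printf 'SHA pin still resolves  : %s\n' "$SHA_SURVIVES"
}

run_demo
```

Run it as `sh pin_demo.sh`. In the first clone the date pin resolves to "v2 safe", while `master@{<date>}` resolves to "v3 safe", because a fresh clone's reflog only knows where master pointed at clone time on your own clock, which is the "whose clock" problem raised above. After the rewrite the same date resolves to "v2 evil" in a fresh clone, whereas the pinned SHA is simply absent upstream, so a SHA-pinned import fails instead of silently installing the rewritten commit; that is the property a lock file relies on.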




