54 changes: 40 additions & 14 deletions admin/web/src/pages/app/overview.svelte
@@ -98,6 +98,10 @@
};

const installCommand = `
curl -sSf https://install.portr.dev | sh
`.trim();

const homebrewCommand = `
brew install amalshaji/taps/portr
`.trim();
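Review bot: `curl -sSf https://install.portr.dev | sh` (the `installCommand` in this hunk) executes whatever the endpoint serves with no integrity check beyond TLS, and if the transfer is cut off part-way `sh` runs the truncated script. `-f` is the right flag (an HTTP error page is not fed to `sh`), but consider publishing a SHA-256 digest or signature for the installer next to the GitHub release so the UI can show a verify-then-run path, and have the served script wrap its body in a function that is invoked on its last line so a partial download is a no-op rather than a half-run install.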
Comment on lines 100 to 106

💡 Verification agent

🧩 Analysis chain

Consider security implications of the curl-based install script.

The new install script pattern curl -sSf https://install.portr.dev | sh is convenient but poses security risks since it downloads and executes code directly. Consider adding a security warning or offering users the option to download and inspect the script first.

Consider adding a security notice in the UI or providing an alternative download-first approach:

+  const installScriptUrl = "https://install.portr.dev";
+  const installCommand = `
+  # Download and inspect the script first (recommended):
+  curl -sSf ${installScriptUrl} -o install.sh && chmod +x install.sh && ./install.sh
+  
+  # Or run directly (less secure):
+  curl -sSf ${installScriptUrl} | sh
+  `.trim();

Let me verify if the install script URL is accessible:


🏁 Script executed:

#!/bin/bash
# Check if the install script URL is accessible and inspect its content
curl -I https://install.portr.dev
curl -sSf https://install.portr.dev | head -20

Length of output: 1606


Add security notice and download-first option for the curl installer

The install script at https://install.portr.dev is accessible and returns the expected bash installer. However, piping remote code directly into sh carries inherent risks. Please update the UI and constants to:

• Offer a download-and-inspect approach as the recommended path
• Retain the direct pipeline option with a clear warning

Locations to update:

  • admin/web/src/pages/app/overview.svelte around lines 100–106 (installCommand definition)

Suggested diff:

  // Define installer URL
+ const installScriptUrl = 'https://install.portr.dev';

- const installCommand = `
- curl -sSf https://install.portr.dev | sh
- `.trim();
+ const installCommand = `
+ # Recommended: download and inspect the installer first
+ curl -sSf ${installScriptUrl} -o install.sh && chmod +x install.sh && ./install.sh
+
+ # Or run directly (less secure)
+ curl -sSf ${installScriptUrl} | sh
+ `.trim();

Additionally, consider adding a brief security notice in the UI adjacent to the install command, e.g.:

“Running remote scripts directly is less secure. We recommend downloading and reviewing the script before execution.”

🤖 Prompt for AI Agents
In admin/web/src/pages/app/overview.svelte around lines 100 to 106, the
installCommand uses a direct curl-to-sh pipeline which poses security risks.
Update the code to provide two options: keep the direct pipeline command but add
a clear security warning, and add a new command that downloads the script first
for inspection before running it. Also, add a brief security notice in the UI
near the install command explaining that running remote scripts directly is less
secure and recommending users download and review the script before execution.
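The download-first path recommended in this comment (and again in the docs comment further down) leaves out the step that makes it worthwhile: checking the saved file against a known digest before running it. The POSIX shell below is an added example, not portr's code and not part of either review comment; it assumes the project would publish a SHA-256 for the installer (it does not on this page), and `demo` uses a locally constructed stand-in script so it runs offline.

```shell
#!/bin/sh
# Added example: gate a downloaded installer on a SHA-256 match before running it.
# Assumption: the project publishes the installer's digest (not shown on this page).
# Print the SHA-256 hex digest of a file (Linux sha256sum or macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_run FILE EXPECTED: run FILE with sh only if its digest matches.
# Returns 1 without executing anything on a mismatch.
verify_and_run() {
  actual=$(sha256_of "$1") || return 1
  if [ "$actual" != "$2" ]; then
    echo "refusing to run $1: digest $actual != expected $2" >&2
    return 1
  fi
  sh "$1"
}

# fetch_verify_run URL EXPECTED: the network entry point (not exercised offline).
# -f makes curl fail on HTTP errors instead of handing an error page to sh, and
# saving to a file first means a truncated transfer fails the digest check.
fetch_verify_run() {
  tmp=$(mktemp) || return 1
  curl -sSf "$1" -o "$tmp" || { rm -f "$tmp"; return 1; }
  verify_and_run "$tmp" "$2"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# demo: constructed stand-in installer, checked once with the right digest and
# once with a wrong one. Succeeds only if the first runs and the second is refused.
demo() {
  script=$(mktemp) || return 1
  printf 'echo "stand-in installer ran"\n' > "$script"
  good=$(sha256_of "$script")
  ok=0;  verify_and_run "$script" "$good" || ok=$?
  bad=0; verify_and_run "$script" "deadbeef" 2>/dev/null || bad=$?
  rm -f "$script"
  [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo && echo "checksum gate: OK"
```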


@@ -223,25 +227,47 @@
<div class="bg-gray-50 rounded-lg p-6 border border-gray-100">
<h3 class="text-sm font-medium mb-3 flex items-center gap-2">
<span class="flex h-6 w-6 rounded-full bg-primary/10 items-center justify-center text-xs font-semibold">1</span>
Install the portr client using homebrew
Install the portr client
</h3>

<div class="relative group">
<Highlight
language={bash}
code={installCommand}
class="border rounded-md text-sm my-2 overflow-hidden"
/>
<button
class="absolute right-2 top-2 p-1 rounded-md bg-white/90 opacity-0 group-hover:opacity-100 transition-opacity shadow-sm border"
on:click={() => handleCopy(installCommand)}
>
<Copy class="h-4 w-4" />
</button>
<div class="space-y-4">
<div>
<p class="text-sm text-gray-600 mb-2">Using the install script:</p>
<div class="relative group">
<Highlight
language={bash}
code={installCommand}
class="border rounded-md text-sm my-2 overflow-hidden"
/>
<button
class="absolute right-2 top-2 p-1 rounded-md bg-white/90 opacity-0 group-hover:opacity-100 transition-opacity shadow-sm border"
on:click={() => handleCopy(installCommand)}
>
<Copy class="h-4 w-4" />
</button>
</div>
</div>

<div>
<p class="text-sm text-gray-600 mb-2">Or using homebrew:</p>
<div class="relative group">
<Highlight
language={bash}
code={homebrewCommand}
class="border rounded-md text-sm my-2 overflow-hidden"
/>
<button
class="absolute right-2 top-2 p-1 rounded-md bg-white/90 opacity-0 group-hover:opacity-100 transition-opacity shadow-sm border"
on:click={() => handleCopy(homebrewCommand)}
>
<Copy class="h-4 w-4" />
</button>
</div>
</div>
</div>

<p class="mt-4 text-sm text-gray-600">
Or download the binary from the <a
You can also download the binary from the <a
href="https://github.com/amalshaji/portr/releases"
target="_blank"
class="text-primary hover:underline font-medium">GitHub releases</a>
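Review bot: the `<a href="https://github.com/amalshaji/portr/releases" target="_blank">` in this hunk carries no `rel="noopener noreferrer"`; current browsers imply `noopener` for `target="_blank"`, but setting it explicitly costs nothing and keeps older engines from handing the opened page a `window.opener` reference. Minor: the two `relative group` copy-button blocks differ only in the command they copy, so a small shared component (a `CopyableCommand`, name assumed) would keep them from drifting apart.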
1 change: 1 addition & 0 deletions docs/.nvmrc
@@ -0,0 +1 @@
20
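Review bot: `20` in `docs/.nvmrc` pins only the Node major, so two contributors can build the docs on different 20.x releases; if the docs build is meant to be reproducible, pin the full version the CI job uses (not visible in this diff) instead.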
8 changes: 7 additions & 1 deletion docs/src/content/docs/client/installation.mdx
@@ -7,7 +7,13 @@ import { Aside } from "@astrojs/starlight/components";

### Install the client

Install the client using homebrew:
Using the install script:

```shell
curl -sSf https://install.portr.dev | sh
```

Or install the client using homebrew:
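Review bot: the new `curl -sSf https://install.portr.dev | sh` block tells readers nothing about what the script will do on their machine; state where the binary is placed, whether it needs sudo, and link to the script's source so a reader can review it before running it, and note that `-f` only guards against HTTP error responses, not against a modified script. Also, `homebrew` in the unchanged context line is the product name and should read `Homebrew`.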
Comment on lines +10 to +16

💡 Verification agent

🧩 Analysis chain

Address the grammar issue and consider security documentation.

The documentation structure aligns well with the UI changes, but there's a grammar issue flagged by static analysis. Also consider adding security guidance for the curl-based install method.

Apply this diff to fix the grammar and add security context:

-Using the install script:
+Using the installation script:

```shell
curl -sSf https://install.portr.dev | sh
```

+:::caution[Security Notice]
+The install script downloads and executes code directly. For enhanced security, consider downloading and inspecting the script first:
+
+```shell
+curl -sSf https://install.portr.dev -o install.sh && chmod +x install.sh && ./install.sh
+```
+:::

Or install the client using homebrew:

Let me verify the grammar concern from static analysis:

---

🏁 Script executed:

Length of output: 959


🏁 Script executed:

Length of output: 265

Length of output: 265


🌐 Web query:

Is "install script" grammatically correct or should it be "installation script"?

💡 Result:

Both "install script" and "installation script" can be used, but they have slightly different connotations and usage preferences.

  • "Installation script" is the more formal and commonly used term. It refers to a script that performs the process of installation. It treats "installation" as a noun modifying "script," emphasizing the purpose of the script related to installing software or components.

  • "Install script" is more informal and less common. It might be used in contexts where "install" is treated as a verb or shorthand, but it's generally considered less standard than "installation script."

In most professional and technical contexts, "installation script" is preferred for clarity and formality.


Use “installation script” and add security guidance

Tested the direct install script; it runs as expected. To improve clarity and help users stay safe, update the phrasing and include a caution block:

Suggested patch:

- Using the install script:
+ Using the installation script:

```shell
curl -sSf https://install.portr.dev | sh
```

+ :::caution[Security Notice]
+ The install script downloads and executes code directly. For greater security, download and review the script before running:
+ ```shell
+ curl -sSf https://install.portr.dev -o install.sh
+ chmod +x install.sh
+ ./install.sh
+ ```
+ :::

Or install the client using Homebrew:


This fixes the grammar (“installation script” is more formal) and provides essential security guidance for users installing via curl.

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 LanguageTool</summary>

[grammar] ~10-~10: The word ‘install’ is not a noun.
Context: ...ts";  ### Install the client  Using the install script:  ```shell curl -sSf https://ins...

(A_INSTALL)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

In docs/src/content/docs/client/installation.mdx around lines 10 to 16, replace
the informal phrase "install script" with the more formal "installation script"
for clarity. Additionally, add a caution block advising users about the security
risks of piping curl output directly to sh, and provide an alternative safer
method by downloading the script first, reviewing it, making it executable, and
then running it. This improves grammar and adds important security guidance for
users.


</details>

<!-- This is an auto-generated comment by CodeRabbit -->


```shell
brew install amalshaji/taps/portr