Many of these vim distros (haven’t used AstroNvim specifically) with plug-in managers automatically download and execute random code on your system anytime you start the editor or open a new file type. I just want my own secure config that doesn’t do random network calls when I’m trying to open local files.
Piping shit to bash and running npx whatever has really normalized this and it sucks. Your editor should be a safe haven.
You can turn autoscan (fetch from git repos) off, update should normally be opt-in already. You can use a lockfile and only update on demand. That's a more sane option. But yes, auditing 50+ git repos is not something I've attempted.
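As an added example (not code from any Neovim distro, plugin manager or commenter here), the kind of check the "lockfile and update on demand" approach makes possible: a small audit script that compares what a plugin manager's lockfile pins against what is actually checked out on disk, so a plugin that was updated outside the lockfile, or was never pinned at all, shows up instead of silently running newer code. It assumes a lockfile in the lazy-lock.json shape (`{ "<plugin>": { "branch": "...", "commit": "<sha>" } }`) and one git clone per plugin under a single root directory; the plugin names, commit hashes and "on disk" state in the sample run are constructed, not real.

```python
"""Audit a plugin checkout against its lockfile (added example, not a
plugin manager's own tooling).

Assumed (not taken from the thread): the lockfile is JSON shaped like
  { "<plugin>": { "branch": "...", "commit": "<sha>" } }
and every plugin is its own git clone at <root>/<plugin>.  Everything in
SAMPLE_LOCK / SAMPLE_HEADS is constructed data so the script runs offline.
"""
import json
import subprocess
import sys
from pathlib import Path


def parse_lockfile(text: str) -> dict[str, str]:
    """Return {plugin_name: pinned_commit}. An entry with no commit maps to ""
    so find_drift() can report it as 'unpinned' rather than dropping it."""
    data = json.loads(text)
    pins = {}
    for name, entry in data.items():
        commit = entry.get("commit") if isinstance(entry, dict) else None
        pins[name] = commit or ""
    return pins


def installed_heads(root: Path) -> dict[str, str]:
    """Record the HEAD commit of every git clone directly under <root>.
    Needs git on PATH; used against a real config, not by the sample run."""
    heads = {}
    for repo in sorted(p for p in root.iterdir() if (p / ".git").exists()):
        out = subprocess.run(["git", "-C", str(repo), "rev-parse", "HEAD"],
                             capture_output=True, text=True, check=True)
        heads[repo.name] = out.stdout.strip()
    return heads


def find_drift(pins: dict[str, str], heads: dict[str, str]) -> list[tuple[str, str, str]]:
    """Compare lockfile pins with what is checked out.

    Returns sorted (plugin, finding, detail) tuples:
      'mismatch'  checkout HEAD differs from the pinned commit
      'unpinned'  lockfile lists the plugin but carries no commit
      'unlocked'  plugin present on disk with no lockfile entry at all
      'missing'   pinned in the lockfile but not on disk
    """
    findings = []
    for name, pin in pins.items():
        head = heads.get(name)
        if head is None:
            findings.append((name, "missing", pin))
        elif not pin:
            findings.append((name, "unpinned", head))
        elif head != pin:
            findings.append((name, "mismatch", f"{pin} != {head}"))
    for name, head in heads.items():
        if name not in pins:
            findings.append((name, "unlocked", head))
    return sorted(findings)


# Constructed sample: three lockfile entries and a fictional on-disk state.
SAMPLE_LOCK = json.dumps({
    "lazy.nvim": {"branch": "main", "commit": "1" * 40},
    "nvim-lspconfig": {"branch": "master", "commit": "2" * 40},
    "telescope.nvim": {"branch": "master"},          # no commit pinned
})
SAMPLE_HEADS = {
    "lazy.nvim": "1" * 40,          # matches the pin
    "nvim-lspconfig": "3" * 40,     # moved past the pin
    "telescope.nvim": "4" * 40,     # checked out, but never pinned
    "some-extra.nvim": "5" * 40,    # on disk, absent from the lockfile
}


def audit_sample() -> list[tuple[str, str, str]]:
    """Run the drift check over the constructed sample data."""
    return find_drift(parse_lockfile(SAMPLE_LOCK), SAMPLE_HEADS)


if __name__ == "__main__":
    # Usage: python audit_plugins.py <lockfile.json> <plugin-root>
    # With no arguments the constructed sample is audited instead.
    if len(sys.argv) == 3:
        lock, root = Path(sys.argv[1]), Path(sys.argv[2])
        findings = find_drift(parse_lockfile(lock.read_text()), installed_heads(root))
    else:
        findings = audit_sample()
    for name, kind, detail in findings:
        print(f"{kind:9} {name}: {detail}")
    sys.exit(1 if findings else 0)
```

The non-zero exit status is deliberate: wired into a shell profile or a pre-launch wrapper, any drift between the lockfile and the checkout blocks or flags the editor start instead of being discovered later. The sample run reports the moved `nvim-lspconfig` checkout, the unpinned `telescope.nvim` entry and the unlocked `some-extra.nvim` directory, and stays silent for the plugin whose HEAD matches its pin.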
Random node package processes truly sound horrible for both security and performance, but you do want at least one LSP process spawned per filetype, right?
Separating out the LSP process from the editor is a good idea. One sure hopes the blast radius is small enough if there’s a vulnerability. My beef is really with the auto-update culture. If I can specify lock files for plugins, it helps, but no way most people are going to have the time or expertise to audit editor plugins.
I guess it’s the classic security vs. UX compromise!