Comment by kmarc
2 years ago
I do the same (not for golang though). However, vim plug-ins also "have network access"; in fact they can just "system()" and call anything. No sandboxing at all. At least the source code of these plug-ins is not obfuscated/compressed.
However, this makes me wonder how much of an attack surface this is.
Do you pin your plugins down to a commit hash?
I did in the past.
Now I just run `:PlugUpdate` and hope that whatever comes from GitHub is seen by the many eyeballs. I certainly don't check all the diffs.
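Pinning to a commit hash, as asked above, only helps if something actually compares what is on disk against the pin. The script below is an added example written for this thread, not kmarc's setup and not part of vim-plug: it assumes vim-plug's default layout of one git checkout per plugin under `~/.vim/plugged` (override with `PLUGGED`) and a hypothetical lock file `~/.vim/plugins.lock` (override with `LOCK`) holding one `<plugin-dir> <commit-sha>` line per plugin. `snapshot` records the current HEAD of every checkout so you can create the lock file once, and `check_lines` reports any plugin whose checkout has drifted from the pin, is missing, or is present but unpinned, which is exactly what `:PlugUpdate` would otherwise change silently.

```shell
#!/bin/sh
# plugin-lock.sh: record and verify git commits of vim-plug checkouts.
# Assumptions (not from the thread): plugins live under $PLUGGED as
# git checkouts; the lock file format is "<dir-name> <full-sha>" per line.
PLUGGED="${PLUGGED:-$HOME/.vim/plugged}"
LOCK="${LOCK:-$HOME/.vim/plugins.lock}"

# Print "<name> <sha>" for every plugin checkout found under $PLUGGED.
snapshot() {
  for d in "$PLUGGED"/*/; do
    [ -d "$d/.git" ] || continue
    printf '%s %s\n' "$(basename "$d")" "$(git -C "$d" rev-parse HEAD)"
  done
}

# check_lines EXPECTED ACTUAL
#   EXPECTED: lock-file content, ACTUAL: snapshot output (both "<name> <sha>" lines).
#   Prints one DRIFT/MISSING/UNPINNED line per problem; exit status 1 if any, else 0.
#   Pure text comparison, so it runs without git for testing.
check_lines() {
  printf '%s\n' "$2" | awk -v expected="$1" '
    BEGIN {
      n = split(expected, lines, "\n")
      for (i = 1; i <= n; i++)
        if (split(lines[i], f, " ") == 2) want[f[1]] = f[2]
    }
    NF == 2 { have[$1] = $2 }
    END {
      bad = 0
      for (name in want) {
        if (!(name in have)) { print "MISSING " name; bad = 1 }
        else if (have[name] != want[name]) {
          print "DRIFT " name " expected " want[name] " got " have[name]; bad = 1
        }
      }
      for (name in have)
        if (!(name in want)) { print "UNPINNED " name " " have[name]; bad = 1 }
      exit bad
    }'
}

# Usage: plugin-lock.sh lock   -> write current commits to $LOCK
#        plugin-lock.sh check  -> compare $LOCK against the checkouts
case "${1:-}" in
  lock)  snapshot > "$LOCK" && echo "wrote $LOCK" ;;
  check) check_lines "$(cat "$LOCK")" "$(snapshot)" ;;
esac
```

Run `plugin-lock.sh check` from a shell hook or before starting Vim; a non-zero exit means a plugin has changed since you last reviewed it, and the `DRIFT` line gives you the two commits to diff (`git -C ~/.vim/plugged/<name> diff <expected>..<got>`) before trusting the new code, which is the review step `:PlugUpdate` alone skips.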