Comment by bcardarella

2 years ago

Vendoring the binary guarantees that I control what is running. It isn't installed, just run locally from the lib. I'll quote the OP issue on GH:

> Now I found that it downloads (here) even some proprietary binary from https://supermaven.com, i.e. unaudited and unauditable code, without any verification (except TLS)!

This opens Zed up to man-in-the-middle attacks and supply-chain attacks. And now that Zed has indicated that they won't fix it, the door is wide open to these vulnerabilities.
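The mitigation the quoted issue is asking for, as an added example that is not code from Zed, Supermaven or the commenter: a fetched artifact is only handed to the runner if its SHA-256 matches a digest recorded when the binary was audited, so TLS is no longer the sole line of defence. The artifact name, the pin table and the sample bytes are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the downloaded binary (not a real executable).
SAMPLE_BINARY = b"\x7fELF constructed sample artifact, not a real binary\n" * 64

# Pin table an auditor commits next to the vendored binary. In a real
# project the digest is a literal; here it is derived from the sample so
# the example runs offline. The artifact name is hypothetical.
PINNED_SHA256 = {
    "example-agent": hashlib.sha256(SAMPLE_BINARY).hexdigest(),
}


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pinned(path: str, name: str, pins: dict) -> bool:
    """Return True only if `path` matches the digest pinned for `name`."""
    expected = pins.get(name)
    if expected is None:
        return False  # no recorded pin: refuse rather than trust the channel
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> tuple:
    """Run the check on a good copy, a tampered copy and an unpinned name."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "agent")
        with open(good, "wb") as f:
            f.write(SAMPLE_BINARY)
        tampered = os.path.join(d, "agent.tampered")
        with open(tampered, "wb") as f:
            f.write(SAMPLE_BINARY[:-1] + b"X")  # one byte altered in transit
        return (
            verify_pinned(good, "example-agent", PINNED_SHA256),
            verify_pinned(tampered, "example-agent", PINNED_SHA256),
            verify_pinned(good, "unknown-agent", PINNED_SHA256),
        )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```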