Skip to content

Fix Windows install security warning from Invoke-WebRequest#122

Merged
shouze merged 2 commits intomainfrom
fix/windows-install-security-warning
Mar 29, 2026
Merged

Fix Windows install security warning from Invoke-WebRequest#122
shouze merged 2 commits intomainfrom
fix/windows-install-security-warning

Conversation

@shouze
Copy link
Copy Markdown
Contributor

@shouze shouze commented Mar 29, 2026

Root cause

On Windows PowerShell 5.1, Invoke-WebRequest uses the Internet Explorer HTML parser by default. Any call to it — even a simple HEAD request — triggers a security prompt:

Avertissement de sécurité : risque d'exécution de script
Invoke-WebRequest analyse le contenu de la page web...
[O] Oui  [T] Oui pour tout  [N] Non  [U] Non pour tout...

The install script used Invoke-WebRequest to probe each candidate artifact with a HEAD request before downloading it (to detect which variant — x64-modern, x64-baseline or x64 — was available in the release). This caused one security warning per install, alarming users and leading to abandoned installs.

Fix

Replace the Invoke-WebRequest HEAD probe loop with a membership check against the GitHub release asset list, which is already available via Invoke-RestMethod (the existing pattern in the script).

  • latest case: extract $ReleaseAssets from the response already fetched — zero extra requests.
  • Specific version case: add one Invoke-RestMethod call to /repos/{repo}/releases/tags/{tag} to obtain the same asset list.
  • The probe loop becomes a simple if ($ReleaseAssets -contains $CandidateArtifact) check — no network I/O, no Invoke-WebRequest, no security warning.
  • Better error message: when no compatible binary is found, display the list of available Windows assets from the release to aid diagnosis.

Steps to reproduce (before the fix)

# On Windows PowerShell 5.1:
powershell -c "irm https://raw.githubusercontent.com/fulll/github-code-search/main/install.ps1 | iex"
# → Security warning prompts appear before the install completes

Steps to verify (after the fix)

# On Windows PowerShell 5.1, install from the branch:
powershell -c "irm https://raw.githubusercontent.com/fulll/github-code-search/fix/windows-install-security-warning/install.ps1 | iex"
# → No security warning; install proceeds silently to completion

Fixes #118

@shouze
Fix Windows install security warning from Invoke-WebRequest
70a50b0 
Replace the artifact probe loop (Invoke-WebRequest HEAD requests) with
a membership check against the GitHub release asset list already fetched
via Invoke-RestMethod. This eliminates Invoke-WebRequest entirely, which
was triggering a PowerShell 5.1 IE-parser security warning on every
install.

- For 'latest': extract $ReleaseAssets from the existing API response
  at no extra cost.
- For a specific version: add an Invoke-RestMethod call to
  /releases/tags/{tag} to fetch the same asset list.
- Replace the HEAD probe loop with a simple -contains membership check.
- Improve the error message: show available Windows assets from the
  release when no compatible binary is found.

Fixes #118
Copilot AI review requested due to automatic review settings March 29, 2026 23:00
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 29, 2026

Coverage after merging fix/windows-install-security-warning into main will be

95.62%

Coverage Report
FileStmtsBranchesFuncsLinesUncovered Lines
src
   aggregate.ts100%100%100%100%
   api-utils.ts93.20%100%93.75%93.13%101–103, 65, 73, 86–87, 91–92
   api.ts94.57%100%100%93.89%319–323, 384, 401, 63–69
   cache.ts94.67%100%100%94.29%139–141, 39
   completions.ts99.42%100%100%99.37%270
   group.ts100%100%100%100%
   output.ts99.20%100%95%99.56%79
   regex.ts99.26%100%100%99.21%251
   render.ts89.66%100%89.47%89.66%167, 191–196, 198–200, 202–203, 254–255, 276, 456–457, 462–464, 530–534, 546–547, 552–559, 561–569, 571–572
   upgrade.ts88.38%100%94.44%87.89%128, 131, 133, 153, 167–168, 188–195, 198–204, 209, 214, 250–253
src/render
   filter-match.ts97.44%100%92.31%100%
   filter.ts100%100%100%100%
   highlight.ts96.63%100%90.40%99.31%284–285
   rows.ts97.58%100%100%97.44%168, 54–55
   selection.ts100%100%100%100%
   summary.ts100%100%100%100%
   team-pick.ts100%100%100%100%

Copilot AI reviewed Mar 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Windows install script to avoid Windows PowerShell 5.1 security prompts by removing Invoke-WebRequest usage during artifact selection and instead using the GitHub release asset list.

Changes:

  • Derive $ReleaseAssets from the GitHub release API response and use it to select the best Windows artifact variant (with x64 fallbacks).
  • For -Version installs, fetch the release-by-tag metadata to obtain the asset list.
  • Improve the “no compatible binary” error by printing available Windows assets from the release.

@shouze
Add curl.exe fallback when GitHub API unreachable for specific version
47c0dbf 
When installing a specific version (-Version v1.x.y) and the GitHub API
is blocked or rate-limited, set $ReleaseAssets to $null instead of
failing hard, then fall back to probing candidate artifact URLs with
'curl.exe -fsI' (HEAD requests).

curl.exe ships with Windows 10 1803+ and is already used for the binary
download, so the dependency is not new. This preserves the behaviour of
the original script in API-restricted environments while avoiding
Invoke-WebRequest (which triggers the PS5.1 security warning).

Addresses code-review feedback on PR #122.
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 29, 2026

Coverage after merging fix/windows-install-security-warning into main will be

95.62%

Coverage Report
FileStmtsBranchesFuncsLinesUncovered Lines
src
   aggregate.ts100%100%100%100%
   api-utils.ts93.20%100%93.75%93.13%101–103, 65, 73, 86–87, 91–92
   api.ts94.57%100%100%93.89%319–323, 384, 401, 63–69
   cache.ts94.67%100%100%94.29%139–141, 39
   completions.ts99.42%100%100%99.37%270
   group.ts100%100%100%100%
   output.ts99.20%100%95%99.56%79
   regex.ts99.26%100%100%99.21%251
   render.ts89.66%100%89.47%89.66%167, 191–196, 198–200, 202–203, 254–255, 276, 456–457, 462–464, 530–534, 546–547, 552–559, 561–569, 571–572
   upgrade.ts88.38%100%94.44%87.89%128, 131, 133, 153, 167–168, 188–195, 198–204, 209, 214, 250–253
src/render
   filter-match.ts97.44%100%92.31%100%
   filter.ts100%100%100%100%
   highlight.ts96.63%100%90.40%99.31%284–285
   rows.ts97.58%100%100%97.44%168, 54–55
   selection.ts100%100%100%100%
   summary.ts100%100%100%100%
   team-pick.ts100%100%100%100%

@shouze shouze merged commit 2cbcb6f into main Mar 29, 2026
6 checks passed
@shouze shouze deleted the fix/windows-install-security-warning branch March 29, 2026 23:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Improve windows install experience

2 participants

@shouze