For those saying curl | sh isn't that bad, remember that the codecov script was breached, and attackers used it to upload environment variables containing secrets, and it took months to get noticed [1].
If they had provided a versioned URL and checksum validation as part of their copy & paste snippet, the breach would have been noticed right away.
If they had provided a versioned URL and checksum validation as part of their copy & paste snippet, the breach would have been noticed right away.
[1] https://www.reuters.com/technology/codecov-hackers-breached-...