Bug: insecure windows installation instructions

[asdkant-bf]

What happened?

The windows installation instructions are:

# Install on Windows
powershell -c "iwr https://qlty.sh | iex"

But when I try that in my work laptop (specifically, when the vscode extensions tries it) I get blocked by windows defender, it even raised an alert with internal IT and someone came to ask me what was going on.

In particular this was triggered by the combination of Invoke-WebRequest (iwr) and Invoke-Expression (iex) in the same line. Note that the AV alert was triggered specifically when the vscode extension tried to do it, but before that I tried to run it manually and it plain didn't work (I suspect it was just blocked without an alert, I'll try to confirm with internal IT)

I did a workaround by running these two commands (I ran this in Temp:\ so cleanup was not required):

Invoke-WebRequest -Uri "https://raw.githubusercontent.com/qltysh/qlty/refs/tags/v0.630.0/installer/install.ps1" -OutFile "install_qlty.ps1"
powershell -ExecutionPolicy Bypass -File .\install_qlty.ps1

I'll let the vscode extension mantainer know about this issue too, but I thought relevant to report it here since the extensions was following the official instructions.

What did you expect to happen?

the steps to work normally

Can you reproduce the problem?

Yes, consistently

CLI Version

N/A

Relevant log output

[asdkant-bf]

It seems the vscode extension's repo doesn't even exist

this: https://marketplace.visualstudio.com/items?itemName=qlty.qlty-vscode

takes me here: https://github.com/qltysh/qlty-vscode

which is a 404

[laura-mlg]

Hey @asdkant-bf, good catch, thanks for letting us know — iwr | iex matches a classic malware pattern, so AV flags it regardless of what the script does. Looking into a safer command to recommend.

Re: the VSCode repo — it's private, not missing, hence the 404. We'll update the source in the VSCode marketplace list, along with our instructions, once we land on an alternative.