| Version | Supported |
|---|---|
| 1.0.x | Yes |

Please do not open a public issue for security vulnerabilities.
Instead, use GitHub's private vulnerability reporting to submit your report. You'll receive a response within 72 hours acknowledging the report, and a detailed follow-up within 7 days.
If private vulnerability reporting is unavailable, email security@aojdevstudio.com with:
- Description of the vulnerability
- Steps to reproduce
- Affected version(s)
- Potential impact

This project downloads and executes software on your machine. Every install source is official and canonical:

| Tool | Install Source | Verification |
|---|---|---|
| Git | winget (Microsoft) | `Git.Git` package ID |
| cURL | winget (Microsoft) | `cURL.cURL` package ID |
| GitHub CLI | winget (Microsoft) | `GitHub.cli` package ID |
| Windows Terminal | winget (Microsoft) | `Microsoft.WindowsTerminal` package ID |
| fnm | winget (Microsoft) | `Schniz.fnm` package ID |
| pnpm | Corepack (bundled with Node) | Node.js Corepack docs |
| uv | winget (Microsoft) | `astral-sh.uv` package ID, Astral official |
| Bun | winget (Microsoft) | `Oven-sh.Bun` package ID, Bun official |
| ripgrep | winget (Microsoft) | `BurntSushi.ripgrep.MSVC` package ID |
| fd | winget (Microsoft) | `sharkdp.fd` package ID |
| bat | winget (Microsoft) | `sharkdp.bat` package ID |
| jq | winget (Microsoft) | `jqlang.jq` package ID |
| fzf | winget (Microsoft) | `junegunn.fzf` package ID |
| lazygit | winget (Microsoft) | `JesseDuffield.lazygit` package ID |
| yazi | winget (Microsoft) | `sxyazi.yazi` package ID |
| PowerToys | winget (Microsoft) | `Microsoft.PowerToys` package ID |
| Claude Code | winget (Microsoft) | `Anthropic.ClaudeCode` package ID, Anthropic official |
| Codex CLI | `npm install -g @openai/codex` | OpenAI official |
| WSL | `wsl --install` | Microsoft official |

We do not use third-party mirrors, custom binaries, or unofficial package sources.
All source URLs are documented inline in bootstrap.ps1 for independent verification.
- No credential storage — API keys for Claude Code and Codex CLI are handled by those tools' own auth flows, never by this script.
- No telemetry — The script does not phone home, track usage, or collect any data.
- No persistent services — Nothing runs in the background after installation completes.
- No system modification beyond PATH — The only system-level changes are PATH additions and a PowerShell profile snippet for fnm.
- Read the script before running it. The entire installer is a single file: `bootstrap.ps1`. It's 183 lines.
- Verify the URL. The one-liner fetches from `raw.githubusercontent.com/AojdevStudio/dev-bootstrap/main/bootstrap.ps1`. Confirm you're pointed at the correct repository.
- Use `-SkipWSL` if you don't need WSL and want to avoid admin elevation.
- Review your PowerShell profile after installation. The script adds one snippet (fnm initialization), marked with `# ---- dev-bootstrap: fnm ----` for easy identification.
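
The recommendations above as one PowerShell session. This is an added example, not code from `bootstrap.ps1` or the project; the download location under `$env:TEMP` and the review patterns are assumptions.

```powershell
# Added example: fetch, inspect, then decide. Nothing in bootstrap.ps1 is executed here.
$Uri          = 'https://raw.githubusercontent.com/AojdevStudio/dev-bootstrap/main/bootstrap.ps1'
$ExpectedHost = 'raw.githubusercontent.com'
$ExpectedPath = '/AojdevStudio/dev-bootstrap/main/bootstrap.ps1'
$Local        = Join-Path $env:TEMP 'bootstrap.ps1'   # assumed download location

# 1. Verify the URL before any network request: scheme, host and repository path.
$parsed = [Uri]$Uri
if ($parsed.Scheme -ne 'https' -or
    $parsed.Host -ne $ExpectedHost -or
    $parsed.AbsolutePath -ne $ExpectedPath) {
    throw "Unexpected source: $Uri"
}

# 2. Save to disk so the bytes that get reviewed are the bytes that later run.
Invoke-WebRequest -Uri $Uri -OutFile $Local -UseBasicParsing

# 3. Record what was fetched. The policy describes the installer as 183 lines;
#    a very different count means the file deserves a closer read.
$hash  = (Get-FileHash -Path $Local -Algorithm SHA256).Hash
$lines = @(Get-Content -Path $Local).Count
"SHA256: $hash"
"Lines : $lines"

# 4. List every line that installs or downloads something, to compare against
#    the install-source table (patterns are assumptions, not an exhaustive review).
Select-String -Path $Local -Pattern 'winget\s+install|npm\s+install|wsl\s+--install|https?://' |
    ForEach-Object { '{0,4}: {1}' -f $_.LineNumber, $_.Line.Trim() }

# 5. Only after reading the file, run the local copy. -SkipWSL avoids admin elevation.
# & $Local -SkipWSL

# 6. After installation, show the snippet the script added to the profile.
$marker = '# ---- dev-bootstrap: fnm ----'
if (Test-Path -Path $PROFILE) {
    Select-String -Path $PROFILE -Pattern $marker -SimpleMatch -Context 0,5
} else {
    "No profile at $PROFILE"
}
```

Step 5 is left commented out so the block can be pasted without running the installer.
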
This policy covers the bootstrap.ps1 script and wsl/setup.sh helper. The tools installed by this script (Git, Node.js, Python, etc.) have their own security policies maintained by their respective organizations.