Commit f3d792b

Copilot and markcowl authored
Add security warning to tsp init documentation and CLI for external templates (#8917)
Add warning to documentation and CLI help for templateUrl parameter in tsp init command

**Completed:**

- [x] Explore repository structure and locate documentation files
- [x] Install dependencies
- [x] Add warning to CLI reference documentation (/website/src/content/docs/docs/handbook/cli.md)
- [x] Add warning to scaffolding template documentation (/website/src/content/docs/docs/extending-typespec/writing-scaffolding-template.md)
- [x] Add warning to templatesUrl parameter description in CLI code (packages/compiler/src/core/cli/cli.ts)
- [x] Build and validate the documentation changes
- [x] Address code review feedback for consistency
- [x] Add changelog entry for @typespec/compiler referencing issue #8916
- [x] Review and finalize

**Changes Made:**

- Added security warnings to both the CLI handbook and scaffolding templates documentation
- Added security warning to the templatesUrl parameter description in the CLI code, which appears in the `tsp init --help` output
- The warnings inform users that downloading or using an untrusted template may contain malicious packages that can compromise their system and data, matching the warning prompt shown in the `tsp init` command
- Warning text is consistent across documentation files and CLI help
- Added changelog entry using chronus format for @typespec/compiler package only (no changelog needed for website documentation changes)
- Fixes #8916

<!-- START COPILOT CODING AGENT SUFFIX -->
<details>
<summary>Original prompt</summary>

> ----
>
> *This section details on the original issue you should resolve*
>
> <issue_title>Add warning text to documentation on `templateUrl` parameter in tsp init command</issue_title>
> <issue_description>External templates *can* contain malicious packages and the like. We prompt about this when folks use `tsp init`:
>
> ```bash
> warning: Downloading or using an untrusted template may contain malicious packages that can compromise your system and data. Proceed with caution and verify the source.
> ? Continue (Y/n)
> ```
>
> We should also add a similar warning to the reference doc on tsp init</issue_description>
>
> <agent_instructions>Add a warning to the documentation on the templateUrl parameter to `tsp init`, similar to the warning prompt mentioned in the bug. It should be clear to users that using tsp init with an external templateUrl is unsafe, unless the template source is trusted.</agent_instructions>
>
> ## Comments on the Issue (you are @copilot in this section)
>
> <comments>
> </comments>

</details>

- Fixes #8916

<!-- START COPILOT CODING AGENT TIPS -->
---
✨ Let Copilot coding agent [set things up for you](https://github.com/microsoft/typespec/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot) — coding agent works faster and does higher quality work when set up for your repo.

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: markcowl <[email protected]>
1 parent 9d36399 commit f3d792b

4 files changed: +17 -1 lines changed
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
---
2+
changeKind: fix
3+
packages:
4+
- "@typespec/compiler"
5+
---
6+
7+
Add security warning to tsp init CLI documentation for external templates (#8916)
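Review bot: the changelog line on 7+ says the warning was added to "tsp init CLI documentation", but this commit also changes the user-visible `tsp init --help` output (the `templatesUrl` description in cli.ts). Release-note readers will not learn that the help text changed unless the entry names both, e.g. "Add security warning about untrusted external templates to `tsp init --help` and the CLI documentation (#8916)".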

packages/compiler/src/core/cli/cli.ts

Lines changed: 2 additions & 1 deletion
@@ -211,7 +211,8 @@ async function main() {
211211
(cmd) =>
212212
cmd
213213
.positional("templatesUrl", {
214-
description: "Url of the initialization template",
214+
description:
215+
"Url of the initialization template. WARNING: Downloading or using an untrusted template may contain malicious packages that can compromise your system and data. Proceed with caution and verify the source.",
215216
type: "string",
216217
})
217218
.option("template", {
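Review bot: the new description string on 215+ reads "Downloading or using an untrusted template may contain malicious packages", which makes the act of downloading the thing that contains packages; the subject should be the template itself, e.g. "An untrusted template may contain malicious packages that can compromise your system and data. Proceed with caution and verify the source." Because the same sentence is used by the interactive prompt and by both documentation pages, change it everywhere in one go rather than only here, so the help text and the prompt stay identical. Minor: "Url of the initialization template" should read "URL".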

website/src/content/docs/docs/extending-typespec/writing-scaffolding-template.md

Lines changed: 4 additions & 0 deletions
@@ -8,6 +8,10 @@ TypeSpec offers a scaffolding feature through the `tsp init` command.
88
tsp init <templateUrl>
99
```
1010

11+
:::warning
12+
When using `tsp init` with an external template URL, be aware that downloading or using an untrusted template may contain malicious packages that can compromise your system and data. Proceed with caution and verify the source.
13+
:::
14+
1115
## Setting a minimum TypeSpec version
1216

1317
If your template requires a feature that was introduced in a later version of TypeSpec, you can specify this in the template. This will alert the user that the template may not function as expected and ask them to confirm if they wish to proceed.
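Review bot: the admonition on 12+ tells the reader to "verify the source" but the page never says what verifying a template means. Add one sentence of concrete guidance next to the warning, e.g. use only template URLs from a source you already trust (such as a repository you control) and read the template's files before running `tsp init` with it, since the warning in the prompt is the only safeguard before the template's contents are used. This page and handbook/cli.md carry the identical paragraph; if the site supports shared partials, keeping the text in one place avoids the two copies drifting apart.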

website/src/content/docs/docs/handbook/cli.md

Lines changed: 4 additions & 0 deletions
@@ -5,6 +5,10 @@ title: Cli usage
55

66
See full usage documentation by typing `tsp --help`:
77

8+
:::warning
9+
When using `tsp init` with an external template URL, be aware that downloading or using an untrusted template may contain malicious packages that can compromise your system and data. Proceed with caution and verify the source.
10+
:::
11+
812
```bash
913
>tsp --help
1014
TypeSpec compiler v0.36.1
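Review bot: the warning block on 8+ through 11+ is inserted between the sentence "See full usage documentation by typing `tsp --help`:" (which ends with a colon) and the ```bash block that sentence introduces, so the intro is now separated from its code. Move the admonition above that sentence, or place it beside the part of the page that documents `tsp init` and its template URL, where a reader looking up that command will actually see it.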
