Add security warning to tsp init documentation and CLI for external templates

[Copilot]

Add warning to documentation and CLI help for templateUrl parameter in tsp init command

Completed:

• Explore repository structure and locate documentation files
• Install dependencies
• Add warning to CLI reference documentation (/website/src/content/docs/docs/handbook/cli.md)
• Add warning to scaffolding template documentation (/website/src/content/docs/docs/extending-typespec/writing-scaffolding-template.md)
• Add warning to templatesUrl parameter description in CLI code (packages/compiler/src/core/cli/cli.ts)
• Build and validate the documentation changes
• Address code review feedback for consistency
• Add changelog entry for @typespec/compiler referencing issue Add warning text to documentation on templateUrl parameter in tsp init command #8916
• Review and finalize

Changes Made:

• Added security warnings to both the CLI handbook and scaffolding templates documentation

• Added security warning to the templatesUrl parameter description in the CLI code, which appears in the tsp init --help output

• The warnings inform users that downloading or using an untrusted template may contain malicious packages that can compromise their system and data, matching the warning prompt shown in the tsp init command

• Warning text is consistent across documentation files and CLI help

• Added changelog entry using chronus format for @typespec/compiler package only (no changelog needed for website documentation changes)

• Fixes Add warning text to documentation on templateUrl parameter in tsp init command #8916

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Add warning text to documentation on templateUrl parameter in tsp init command</issue_title>
<issue_description>External templates can contain malicious packages and the like. We prompt about this when folks use tsp init:

warning: Downloading or using an untrusted template may contain malicious packages that can compromise your system and data. Proceed with caution and verify the source.
? Continue (Y/n)

We should also add a similar warning to the reference doc on tsp init</issue_description>

<agent_instructions>Add a warning to the documentation on the templateUrl parameter to tsp init, similar to the warning prompt mentioned in the bug. It should be clear to users that using tsp init with an external templateUrl is unsafe, unless the template source is trusted.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes Add warning text to documentation on templateUrl parameter in tsp init command #8916

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[github-actions]

No changes needing a change description found.

[markcowl]

@copilot please add and appropriate bug fix changes entry for the changelog, mentioning the issue number that this PR resolves and referencing the impacted package. pnpm chronus add can be used for this purpose

[markcowl]

@copilot also add this warning in the js comment documentation for the 'tsp init` command parameter 'templateUrl'

[Copilot]

@copilot please add and appropriate bug fix changes entry for the changelog, mentioning the issue number that this PR resolves and referencing the impacted package. pnpm chronus add can be used for...

Added changelog entry for @typespec/website package referencing issue #8916 in commit dca2935.

[markcowl]

@copilot the changelog entry should be for the change to compiler command line documentation, no changelog is needed for website changes. Please remove that changelog. Also add the warning text in the description for the 'tsp init` command parameter 'templateUrl', which is here: https://github.com/microsoft/typespec/blob/main/packages/compiler/src/core/cli/cli.ts#L213-L215 and create a changelog entry for this change.

[Copilot]

@copilot also add this warning in the js comment documentation for the 'tsp init` command parameter 'templateUrl'

Added security warning to the templatesUrl parameter description in the CLI code (packages/compiler/src/core/cli/cli.ts). The warning now appears in the tsp init --help output in commit 0c82d0f.

[Copilot]

@copilot the changelog entry should be for the change to compiler command line documentation, no changelog is needed for website changes. Please remove that changelog. Also add the warning text in ...

Updated changelog to only include @typespec/compiler package (removed @typespec/website) in commit c51a670. The warning text was already added to the templatesUrl parameter description in commit 0c82d0f.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/microsoft/typespec/@typespec/compiler@8917

commit: c51a670

[markcowl]

/azp run typespec - PR Tools

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[azure-sdk]

You can try these changes here

🛝 Playground	🌐 Website	🛝 VSCode Extension