Improve security by running neovim in a container

I use neovim as my editor of choice for the Linux command line. Neovim has a huge ecosystem of plugins, and I use the lazyvim “distribution”, which provides a curated set of plugins for people like me who don’t want to spend time configuring neovim.

However, this plugin model presents a problem: neovim fetches code from the Internet and executes it on your system with your user privileges, with complete access to your files and secrets. With all the supply chain attacks we are hearing about these days, this is a great risk.

In order to reduce the attack surface, I’m now running neovim in a podman container by using a custom wrapper script. This script launches a container with just the minimal access to the host system required to do its job.

To use the wrapper, you need to configure the command aliases in your shell. See the README for more details.

Then, you’ll need a container image with neovim. The default is this image, which is based on Fedora and has lazyvim and developer tools for Python, Rust, Go, Lua and C. Create your own image if you need something different.
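As an added illustration of what such a wrapper can look like (this is not the author's script; the script name `nvim-sandbox`, the image name and the `NVIM_*` variables are assumptions), here is a rootless podman wrapper that exposes only the current working directory to the container, drops all capabilities, keeps plugin code fetched by lazy.nvim in a named volume instead of the host home directory, and has no network unless you opt in for a plugin sync:

```shell
#!/bin/sh
# nvim-sandbox: added example wrapper (hypothetical name, not the author's
# script). Launches neovim in a rootless podman container that can only see
# the current working directory; plugin code fetched by lazy.nvim lands in a
# named volume instead of the host home directory.
set -eu

NVIM_IMAGE="${NVIM_IMAGE:-localhost/nvim-lazyvim:latest}"  # placeholder image name
NVIM_NETWORK="${NVIM_NETWORK:-none}"  # set to e.g. slirp4netns when syncing plugins
NVIM_CONFIG="${NVIM_CONFIG:-}"        # optional host config dir, mounted read-only

# Run "$1" with the podman arguments for editing files under "$2".
# "$1" is podman for real use; a printing function is used for inspection.
# Remaining arguments are passed to nvim inside the container.
nvim_podman() {
    cmd="$1"; workdir="$2"; shift 2
    "$cmd" run --rm -it \
        --security-opt=no-new-privileges \
        --cap-drop=ALL \
        --userns=keep-id \
        --network="$NVIM_NETWORK" \
        --volume="$workdir:/work:Z" \
        --volume=nvim-state:/xdg/var \
        --env=HOME=/xdg/var \
        --env=XDG_DATA_HOME=/xdg/var/data \
        --env=XDG_STATE_HOME=/xdg/var/state \
        --env=XDG_CACHE_HOME=/xdg/var/cache \
        ${NVIM_CONFIG:+--volume="$NVIM_CONFIG:/xdg/config/nvim:ro,Z"} \
        ${NVIM_CONFIG:+--env=XDG_CONFIG_HOME=/xdg/config} \
        --workdir=/work \
        "$NVIM_IMAGE" nvim "$@"
}

# Prints one argument per line; used to inspect the command without running it.
print_args() { printf '%s\n' "$@"; }

# Only launch when installed under the wrapper name (aliased to nvim);
# under any other name just define the functions above.
case "${0##*/}" in
    nvim-sandbox) nvim_podman podman "$PWD" "$@" ;;
esac
```

The `:Z` suffix relabels the project directory for SELinux on a Fedora host, so run the wrapper from the project directory rather than from your home directory root; `--userns=keep-id` assumes rootless podman. Run `NVIM_CONFIG=... nvim_podman print_args "$PWD"` to see the exact command before trusting it.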

Safe edits!

Categories: linux 
