
Clarify supply-chain risk framing for external JSON keybindings fetch#2786

Closed
Copilot wants to merge 1 commit into fix/vsc-default-keybindings-copy from copilot/sub-pr-2785

Conversation


Copilot AI commented Mar 6, 2026

A reviewer flagged fetching from refs/heads/master of codebling/vs-code-default-keybindings as a "supply-chain risk." This PR addresses the follow-up question of whether that concern is a real security threat given the project only consumes and produces JSON.

Assessment

The concern is not a code-execution security risk:

  • JSON.parse() produces data structures only — no code is evaluated
  • Fetched data is strictly validated via isVscKeybinding() before use
  • Output is pure VSCode keybinding configuration JSON, processed safely by VSCode

The actual risk is operational reliability:

  • Non-reproducibility: using a moving branch means the same source commit can generate different package.json keybindings over time
  • Build fragility: upstream branch/repo removal breaks CI

Pinning to a commit SHA would address reproducibility at the cost of no longer automatically picking up upstream keybinding updates — a deliberate tradeoff, not a security fix.



changeset-bot Bot commented Mar 6, 2026

⚠️ No Changeset found

Latest commit: 7b2bd6f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


Copilot AI changed the title [WIP] Update keybindings fix based on review feedback Clarify supply-chain risk framing for external JSON keybindings fetch Mar 6, 2026
@whitphx whitphx closed this Mar 6, 2026
@whitphx whitphx deleted the copilot/sub-pr-2785 branch March 6, 2026 15:47