Arch Linux User Repository

Is downloads.cursor.com reliable? The official download link is something like https://api2.cursor.sh/updates/download/golden/linux-x64-rpm/cursor/1.7

EDIT: Yes, I found out that the official curl https://cursor.com/install contains this domain.

indeed this blocks it

chmod -x .local/share/cursor-agent/versions

just needs adding a bit of extra in the launcher.

mkdir -p "${XDG_DATA_HOME:-$HOME/.local/share}/cursor-agent/versions"
chmod -x "${XDG_DATA_HOME:-$HOME/.local/share}/cursor-agent/versions"

i'm blocking versions, because cursor-agent might be used for user data later.

oh wtf. I may delete this package in that case

crap...

it auto updates with each start and index.js is a 17MB obfuscated mess. No easy fix. Even AI will have a hard time.

check .local/share/cursor-agent , .local/bin and which cursor-agent

i turned .local/share/cursor-agent/versions noexec, maybe that will block it. Not tested yet, i'm already on the last version.

not elegant, but it does the job. lol I thought it was a library.

Replaced node and rg binaries with symlinks to the system versions.

i'm not actually using arch. i'm using debian with a makepkg clone. They might be glitches.

i simply cp everything except the bash script and node

cp -r "${srcdir}"/dist-package/{rg,*.js,*.json,*.node} "${pkgdir}/opt/cursor-agent/"

change the depends to use node

and i'm using this launcher

NODE_BIN="node"
SCRIPT_DIR="/opt/cursor-agent"

exec "$NODE_BIN" --use-system-ca "$SCRIPT_DIR/index.js" "$@"

or you can just sed their bash script

I don't know how brittle this would be. keep the old stuff commented out to avoid frustration if it's too brittle. I'm not using this since very long. And since it's very new, they might make lots of changes.

They literally just dumped the node executable in their release. It's nothing complicated.

i haven't checked how to force it to be perfectly monotonic(and now i understand the weird stuff you were doing). If the recent npm fiasco should have taught you something, is not to be obsessively bleeding edge.

update scripts are very useful for these type of apps that update very frequently. I'd rather use that then follow the rhythm of the packager or even upstream. I've heard some very sneeky tricks with scams/malware to hide them selves, and you should be careful when downloading from the AUR.

I avoided using their versioning because it is not guaranteed to be increasing if there are multiple releases in the same day.

The version update script is for maintenance and is intentionally not part of the package sources. It is not run during the build script, it's just used by me to easily update the pkgver. Happy to exclude it entirely from the git repo if that would be preferred. Not against simplification but your script won't work well for me as is.

Also, agree on using node from the repo, just haven't had a chance to dig through their binary to figure out what would be needed. If you've checked and a symlink or something would suffice, that's awesome and I'll add it.

that update script is hilariously over engineered. It makes auditing harder. 2 months ago there was news of malware on the AUR, it's not totally impossible. I trimmed it down, renamed the upstream version to _pkgver and used pkgver="${_pkgver//-/.}" in the PKGBUILD

also, almost all of upstream is the node executable. I would suggest refactoring to use node from the repo

the proposed script

install="$(curl -fsSL "https://cursor.com/install")"

version="$(echo "${install}" | grep -Eo 'downloads\.cursor\.com/lab/([0-9]{4}\.[0-9]{2}\.[0-9]{2}-[A-Za-z0-9]+)' | head -n1 | sed -E 's@.*lab/([^/]+).*@\1@')"

# Fallback
if [ -z "${version}" ]; then
echo "fallback!!!"
version="$(echo "${install}" | grep -Eo 'versions/([0-9]{4}\.[0-9]{2}\.[0-9]{2}-[A-Za-z0-9]+)' | head -n1 | sed -E 's@versions/@@')"
fi

echo "${version}"
sed -i -E "s/^_pkgver=.*/_pkgver='${version}'/" "PKGBUILD"