Pin pre-commit version and align installation logic between bash and Windows setup scripts

[Copilot]

The bash script checked for pre-commit existence before installing while the Windows script always installed it unconditionally, causing unnecessary reinstalls. Additionally, both scripts had a supply-chain security vulnerability by installing pre-commit without version pinning.

Changes:

• Added pre-commit==4.5.1 to requirements-dev.txt with pinned version for supply-chain security
• Simplified both setup_dev.sh and setup_dev.bat to rely on requirements-dev.txt installation
• Removed direct pip install pre-commit calls from both scripts
• Both scripts now consistently install pre-commit from the pinned version in requirements-dev.txt

Before:

Bash (setup_dev.sh):

if command -v pre-commit &> /dev/null || pip show pre-commit &> /dev/null; then
    pre-commit install
else
    pip install pre-commit --quiet
    pre-commit install
fi

Windows (setup_dev.bat):

python -m pip install pre-commit --quiet

After:

requirements-dev.txt:

pre-commit==4.5.1

Both scripts (setup_dev.sh and setup_dev.bat):

pre-commit install

Security improvements:

• Version pinning protects against supply-chain attacks
• Pip verifies package integrity when installing from PyPI
• Eliminates arbitrary code execution risk from compromised packages
• Ensures reproducible builds across environments

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR aligns the pre-commit installation logic between the bash (setup_dev.sh) and Windows (setup_dev.bat) setup scripts. Previously, the Windows script would unconditionally reinstall pre-commit on every run, while the bash script checked for its existence first. This change eliminates unnecessary reinstalls and ensures consistent behavior across platforms.

Key changes:

• Added pre-commit existence check to Windows script using both where command and pip show package verification
• Conditional installation that only proceeds when pre-commit is not found
• Aligned warning message format with bash script

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The line python -m pip install pre-commit --quiet downloads and executes a third-party package from PyPI without any version pinning or integrity verification, which exposes the development environment to supply-chain compromise if the pre-commit package or its dependencies are hijacked. An attacker who gains control of that package stream could execute arbitrary code with the developer's privileges when this script is run. Consider pinning pre-commit to a specific trusted version and enabling hash-based or signature-based verification so that the installed artifact is both reproducible and integrity-checked.

[omsherikar]

@copilot apply changes based on this feedback

[Copilot]

Pinned pre-commit to version 4.5.1 in requirements-dev.txt. Both scripts now install pre-commit from the requirements file instead of installing it dynamically, providing version pinning and supply-chain protection. Commit: 9d4228d