Add a warning about running scripts from the internet (#242)

Author: basnijholt

README.md

@@ -94,6 +94,28 @@ To get started quickly with UniDep, run the following command. This will downloa
 > [!NOTE]
 > Micromamba and uv are recommended to optimize your installation experience, but they are not required if you prefer to use your existing Conda and pip setup.
 
+> [!WARNING]
+> NEVER! run scripts from the internet without understanding what they do. Always inspect the script first!
+
+<details>
+<summary>Pin the hash of the bootstrap script with:</summary>
+
+<!-- CODE:BASH:START -->
+<!-- HASH=$(git log -n 1 --pretty=format:"%H" -- bootstrap.sh) -->
+<!-- echo '```bash' -->
+<!-- echo '"${SHELL}"' '<(curl -LsSf raw.githubusercontent.com/basnijholt/unidep/'"$HASH"'/bootstrap.sh)' -->
+<!-- echo '```' -->
+<!-- CODE:END -->
+<!-- OUTPUT:START -->
+<!-- ⚠️ This content is auto-generated by `markdown-code-runner`. -->
+```bash
+"${SHELL}" <(curl -LsSf raw.githubusercontent.com/basnijholt/unidep/0e6b57113a5595f6560eef45d19fa44077cebe7f/bootstrap.sh)
+```
+
+<!-- OUTPUT:END -->
+
+</details>
+
 ## :package: Installation
 
 To install `unidep`, run one of the following commands that use [`pipx`](https://pipx.pypa.io/) (recommended), `pip`, or `conda`: