Hacker News

Check out that Makefile. It’s scary af: literally just downloading the latest release of a package not even controlled by the author, with 0 documentation. What’s stopping the owner of that repo from uploading a supply chain attack which will get distributed to every user of Avante?

Suggestion to the author: fork the repo and pin it to a hash.
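As an added illustration of the pin-and-verify approach suggested above (not code from the thread or from the Avante project), the shell below replaces "download the latest release" with a fetch pinned to a fixed tag plus a recorded SHA-256, and a clone pinned to a specific commit; the URL, tag and hash values are placeholders.

```shell
#!/bin/sh
# Hardened fetch step for a Makefile/install script: pin to a known tag and
# verify a recorded SHA-256 before the artifact is used. Placeholder values.
set -eu

PINNED_TAG="v0.0.0-PLACEHOLDER"          # placeholder, record the real tag here
PINNED_SHA256="<sha256 recorded in repo>"  # placeholder, record the real digest

# Print the SHA-256 of a file, portable across sha256sum and shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact FILE EXPECTED: 0 if the digest matches, 1 otherwise.
verify_artifact() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ] && return 0
  echo "checksum mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# fetch_pinned URL DEST EXPECTED: download one fixed release asset and keep it
# only if the digest matches; a mismatch removes the file so nothing unverified
# is left on disk for a later build step to pick up.
fetch_pinned() {
  curl -fsSL "$1" -o "$2"
  if ! verify_artifact "$2" "$3"; then
    rm -f "$2"
    return 1
  fi
}

# clone_pinned URL DIR COMMIT: clone a (forked) repo and check out one full
# commit hash, then confirm HEAD really is that commit rather than a moving ref.
clone_pinned() {
  git clone --quiet "$1" "$2"
  git -C "$2" checkout --quiet "$3"
  head=$(git -C "$2" rev-parse HEAD)
  [ "$head" = "$3" ] && return 0
  echo "pinned commit mismatch: expected $3, got $head" >&2
  return 1
}
```

A Makefile target would call `fetch_pinned "$(RELEASE_URL)/$(PINNED_TAG)/asset.tar.gz" build/asset.tar.gz "$(PINNED_SHA256)"` so a changed upstream asset fails the build instead of being silently installed.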




Not to dismiss your criticism, but I think supply chain attacks are generally a weak point of the vim/neovim plugin ecosystem, especially with all the fancy autoupdate package managers.

No package signing, no audits, no curation. Just take over one popular vim package and you potentially gain access to a lot of dev departments.



