I remember one of the first times I tried installing Linux software in the wild. The bash script asked for your password, sent it to their server using curl then returned you the script with the password hard coded into it, run itself with sudo, all over unencrypted http. I was 17 but even then I stopped to think if this was a good idea.

It wasn't.

That is pretty amusing. I’ve seen some bootstrap scripts that pipe the curled output to the terminal for approval before executing it. That seems like an ergonomic alternative to curl | bash. It would be at least as useful as the terms of service warnings before you install something, anyway.

There's 4 alternatives to install query-json.

Before doing any curl | bash, check what's on the install command, that's the entire point of it.