
Having a post-install step available to use maliciously doesn't really solve anything. As a programmer downloading a dependency, you're allowing the dependency full control of your system (in most languages; Deno seems to try to address this, at least) at runtime (at least), so they could do whatever they want as soon as you include the dependency in your application and run it once.


True, true, but at least you will have to check the API and start implementing the library itself. Chances increase that you will see something weird about it the more you have to look at it.



