"please protect us from the NPM install scripts! It's arbitrary code execution!"
Says the people downloading and installing thousands of packages they have almost definitely not audited, in the face of vuln after vuln targeting execution-time.
I'm so glad this isn't my problem.
Seriously you're literally running arbitrary code.
Trying to add a bunch of configuration to whitelist packages you "trust" will only give you a false sense of security while massively increasing the complexity of maintaining your dependencies.
just to clarify because apparently some people didn't get it:
"require('package-i-just-installed')" is arbitrary code execution.
postinstall scripts are irrelevant in the face of an unsandboxed nodejs.
require('pkg') is what people are *actually* exploiting in the wild.
that RFC that just got put up is a waste of human effort. On all sides. I'm so glad I don't have to deal with that exhausting bullshit myself anymore.
@zkat wow, I'm so glad that people are worried about the code that runs on my computer to install the other code that I am definitely going to also run on my computer! What a creature of everyone's time and energy!
@zkat Working in tech is just continually adding things to the "Exhausting bullshit I don't want to touch" list until you find yourself in a hut in the woods, quiet and happy.
@qdot or on a sailboat
@zkat the ocean is just very soggy woods so sure
@zkat this post was prophetic