"please protect us from the NPM install scripts! It's arbitrary code execution!"

Says the people downloading and installing thousands of packages they have almost definitely not audited, in the face of vuln after vuln targeting execution-time.

I'm so glad this isn't my problem.

Seriously you're literally running arbitrary code.

Trying to add a bunch of configuration to whitelist packages you "trust" will only give you a false sense of security while massively increasing the complexity of maintaining your dependencies.

It's lose-lose.

Show thread

just to clarify because apparently some people didn't get it:

"require('package-i-just-installed')" is arbitrary code execution.

postinstall scripts are irrelevant in the face of an unsandboxed nodejs.

require('pkg') is what people are *actually* exploiting in the wild.

Show thread

that RFC that just got put up is a waste of human effort. On all sides. I'm so glad I don't have to deal with that exhausting bullshit myself anymore.

Show thread

@zkat wow, I'm so glad that people are worried about the code that runs on my computer to install the other code that I am definitely going to also run on my computer! What a creature of everyone's time and energy!

@zkat Working in tech is just continually adding things to the "Exhausting bullshit I don't want to touch" list until you find yourself in a hut in the woods, quiet and happy.

@zkat the ocean is just very soggy woods so sure

Sign in to participate in the conversation

On the internet, everyone knows you're a cat — and that's totally okay.