just to clarify because apparently some people didn't get it:
"require('package-i-just-installed')" is arbitrary code execution.
postinstall scripts are irrelevant in the face of an unsandboxed nodejs.
require('pkg') is what people are *actually* exploiting in the wild.
that RFC that just got put up is a waste of human effort. On all sides. I'm so glad I don't have to deal with that exhausting bullshit myself anymore.
@zkat the ocean is just very soggy woods so sure
On the internet, everyone knows you're a cat — and that's totally okay.