"please protect us from the NPM install scripts! It's arbitrary code execution!"

Says the people downloading and installing thousands of packages they have almost definitely not audited, in the face of vuln after vuln targeting execution-time.

I'm so glad this isn't my problem.

just to clarify because apparently some people didn't get it:

"require('package-i-just-installed')" is arbitrary code execution.

postinstall scripts are irrelevant in the face of an unsandboxed nodejs.

require('pkg') is what people are *actually* exploiting in the wild.


that RFC that just got put up is a waste of human effort. On all sides. I'm so glad I don't have to deal with that exhausting bullshit myself anymore.


@zkat Working in tech is just continually adding things to the "Exhausting bullshit I don't want to touch" list until you find yourself in a hut in the woods, quiet and happy.

@zkat the ocean is just very soggy woods so sure
