gibolt 3 days ago
Based on how much imported libraries are relied upon, it makes sense to treat everything as untrusted. Unless you write every line yourself/in-house, code should be considered untrusted. I would be curious which attack vectors change or become safe after compiling though.
samwillis 3 days ago
The point of the js engine sandbox is to protect the user in the browser - it's completely redundant on the server. Supply chain attacks are real, but only Deno has tried to fix that through permissions/rules. I don't think anything changes with compile to native on the server.
hinkley 3 days ago
Also, none of the third-party code will be thread safe. Hell, some of it isn’t even reentrant.