This sucks for libraries that download native binaries in their install script. There are quite a few.

lrvick 5 days ago | parent | next [-]

Downloading binaries as part of an installation of a scripting language library should always be assumed to be malicious.

Everything must be provided as source code and any compilation must happen locally.

Sure, but then you need to have a way to whitelist

	▲	lrvick 5 days ago \| parent [-]
		The whitelist is the package-lock.json of the hashes of libraries you or a security reviewer you trust has reviewed.

junon 5 days ago | parent | prev [-]

You can still whitelist them, though, and reinstall them.