ec109685 5 days ago
Can’t the exploit just be encoded in files that are used when the npm module is actually used? It seems like not running it at package install time doesn’t afford that much protection.
bapak 5 days ago
Correct. Pretty limited as a protection when the first thing you do after installing a package is running it. Literally the only thing blocking scripts protects you from is if a package is bundled by webpack and not run by node. If the compromise happens in nx, it's just run after you type nx[enter] in your command line.
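
Added example, not part of either comment above: a Node.js script that splits a package manifest into the code paths npm's `ignore-scripts` setting suppresses (install-time lifecycle hooks) and the ones that still execute once the package is used (`main` and `bin` entries). The manifests, package names and function names are constructed for illustration.

```javascript
// Lifecycle hooks npm runs for a dependency during install. These are what
// `npm install --ignore-scripts` (or ignore-scripts=true in .npmrc) suppresses.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Split one package.json into install-time and use-time execution surfaces.
function executionSurfaces(manifest) {
  const scripts = manifest.scripts || {};
  const installTime = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");

  // "bin" is either a string (command named after the unscoped package name)
  // or a map of command name -> file path.
  let bin = {};
  if (typeof manifest.bin === "string") {
    bin = { [manifest.name.split("/").pop()]: manifest.bin };
  } else if (manifest.bin && typeof manifest.bin === "object") {
    bin = { ...manifest.bin };
  }

  // Node loads "main" (default index.js) on require/import; each bin entry
  // runs when the command is typed. Neither is affected by ignore-scripts.
  const runTime = [
    `require/import -> ${manifest.main || "index.js"}`,
    ...Object.entries(bin).map(([cmd, path]) => `cli:${cmd} -> ${path}`),
  ];
  return { name: manifest.name, installTime, runTime };
}

function audit(manifests) {
  return manifests.map(executionSurfaces).map((s) => ({
    name: s.name,
    blockedByIgnoreScripts: s.installTime,
    stillExecutesOnUse: s.runTime,
  }));
}

// Constructed manifests (hypothetical packages, not real ones).
const SAMPLE = [
  { name: "build-tool", version: "1.0.0", main: "lib/index.js",
    bin: { "build-tool": "bin/cli.js" },
    scripts: { postinstall: "node scripts/setup.js", test: "jest" } },
  { name: "@acme/ui-widget", version: "2.3.1", bin: "cli.js",
    scripts: { test: "jest" } },
];

console.log(JSON.stringify(audit(SAMPLE), null, 2));
```

Every package reports at least one use-time entry even when its install-time list is empty, so reviewing or pinning what a dependency ships matters independently of the install-script setting.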