eknkc 5 hours ago
Does that even matter? The malware could have been a JS code injected into the module entry point itself. As soon as you execute something that imports the package (which, you did install for a reason) the code can run. I don't think that many people sandbox their development environments.
theodorejb 3 hours ago | parent
It absolutely matters. Many people install packages for front-end usage which would only be imported in the browser sandbox. Additionally, a package may be installed in a dev environment for inspection/testing before deciding whether to use it in production. To me it's quite unexpected/scary that installing a package on my dev machine can execute arbitrary code before I ever have a chance to inspect the package to see whether I want to use it.