| ▲ | pas 3 hours ago | |
pnpm (maybe yarn too?) requires explicit allowlisting of build scripts, hopefully npm will do the same eventually > security model yep, some kind of seccomp or other kind of permission system for modules would help a lot. (eg. if the 3rd party library is parsing something and its API only requires a Buffer as input and returns some object then it could be marked "pure", if it supports logging then that could be also specified, and so on) | ||
| ▲ | chuckadams 2 hours ago | parent | next [-] | |
For all the other things I like about yarn, it still executes build scripts willy-nilly, so I am looking at switching to pnpm. I'm sure my $work is going to love me changing up the build toolchain again... PHP's composer on the other hand requires an allowlist in the project's composer.json. I never would have thought PHP would be the one to be getting stuff like this right. Still, I think the "allow-scripts" section or whatever it's called should be named "allow-unrestricted-access-to-everything". Or maybe just stick "dangerously-" in front, I dunno, and drop it when the mechanism is capable of fine-grained privileges. | ||
| ▲ | WorldMaker 24 minutes ago | parent | prev [-] | |
Deno also requires allowlisting npm scripts. It also has a deeper permissions model in general. | ||