semi-extrinsic 12 hours ago

We run everything NPM related inside Apple containers, and are looking to do the same with Python and Rust soon. Bwrap on Linux does the same.

I like to think of it like working with dangerous chemicals in the lab. Back in the days, people were sloppy and eventually got cancer. Then dangers were recognized and PPE was developed and became a requirement.

We are now at the stage in software development where we are beginning to recognize the hazards and developing + mandating use of proper PPE.

A couple of years ago, pip started refusing to install packages outside of a virtualenv. I'm guessing/hoping package managers will start to have an opt-in flag you can set in a system-wide config file, such that they refuse to run outside of a sandbox.

mike_hearn 11 hours ago | parent [-]

The problem is that package managers are a distraction. You have to sandbox everything or else it doesn't work. These attacks use post-install hooks for convenience but nothing would have stopped them patching axios itself and just waiting for devs to run the app on their local workstation. So you end up needing to develop in a fully sandboxed environment.

PunchyHamster 7 hours ago | parent | next [-]

Yeah the whole rush on "post-run hooks bad" isn't really adding all that much to security.

Like, congratulations, your dev was compromised a whole 10 minutes later after he ran code.

semi-extrinsic 5 hours ago | parent | prev [-]

They are not a distraction when they are also the command runners.
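For readers who want to see what the bwrap approach discussed in this thread can look like, here is an added example that is not from any of the commenters. It wraps any command, the install step or the app itself, so that it sees only the current project directory. The function name `sandboxed` and the `BWRAP` override variable are hypothetical, and it assumes Node is installed system-wide rather than under `$HOME`.

```shell
# Added example, not from the thread. Needs bubblewrap (bwrap) on Linux.
# Source this file, then from inside a project directory run e.g.:
#   sandboxed npm ci
#   sandboxed npm run dev     # the app itself, not only the install hooks
# BWRAP is a hypothetical override, e.g. BWRAP=echo for a dry run.
sandboxed() {
  project=$(pwd -P) || return 1
  home=${HOME:?HOME must be set}
  # Binding / or $HOME read-write would re-expose what we are hiding.
  case "$project" in
    /|"$home")
      echo "sandboxed: run from inside a project directory" >&2
      return 2 ;;
  esac
  # Mount order matters: later mounts are layered over earlier ones.
  #   --unshare-all --share-net  new namespaces, but keep network for the registry
  #   --clearenv                 drop tokens and keys held in environment variables
  #   --ro-bind / /              system files visible but read-only
  #   --tmpfs "$home"            empty home: no ~/.ssh, ~/.npmrc, cloud credentials
  #   --bind project             the only writable path that persists
  "${BWRAP:-bwrap}" \
    --unshare-all --share-net \
    --die-with-parent --new-session \
    --clearenv \
    --setenv PATH "$PATH" --setenv HOME "$home" \
    --setenv npm_config_cache /tmp/npm-cache \
    --ro-bind / / \
    --dev /dev --proc /proc \
    --tmpfs /tmp \
    --tmpfs "$home" \
    --bind "$project" "$project" \
    --chdir "$project" \
    "$@"
}
```

Anything stored inside the project directory (a `.env` file, for instance) is still readable by the sandboxed process, and the network is still reachable, so this narrows what a malicious dependency can reach rather than removing the risk.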