> To that end, I wrote a python script which isolates npm inside short-lived docker containers.

Somewhat ironically, docker is just as subject to this type of attack as npm, the main difference being that it (usually) has a narrower blast radius.

▲

mike-cardwell 13 hours ago | parent [-]

Guessing you meant "python" rather than "docker", as docker is not subject to the same type of attack. However, it's a single .py script that you copy somewhere. Not even close to a typical nodejs project using npm install.

	▲	sgbeal 8 hours ago \| parent [-]
		> Guessing you meant "python" rather than "docker", as docker is not subject to the same type of attack. No, i meant docker. _All_ systems which pull dependencies from remote sources are subject to attack via malicious dependencies (and a docker image is one big mega-dependency made up of an arbitrary number of other (remote) dependencies). Docker is not immune to container-escaping attacks, but they have proven to be relatively rare, thus the aforementioned blast-radius reduction compared to npm compromises. (Edit: for that matter, all dependencies, remote or not, can be malicious, but remote dependencies are a particularly rich target for attackers.)