dns_snek 2 hours ago

> since a bunch of people responding with "every package manager can be hit!!!" npm, by design, allows all packages to run package-supplied arbitrary code as the logged-in user after an update completes.

This is semi-common and in no way unique to NPM.
|
Ajedi32 2 hours ago

And even in the ones that don't, having to wait until the project executes to begin its attack is a minor inconvenience for malware.
|
an0malous an hour ago

What other package managers do this? I don't think Ruby does.
matheusmoreira an hour ago

https://docs.ruby-lang.org/en//master/Gem.html#method-c-post...
dns_snek an hour ago

Most of them? Ruby gems have hooks, Python has setup.py, deb and rpm have them too (relevant if you're installing from 3rd party sources). Elixir/Mix doesn't technically execute code on install, but your language server builds the dependencies as soon as you open the project, which can execute arbitrary code. Either way, it misses the point: nobody just fetches code, and removing post-install scripts wouldn't change much because you're going to run `npm run something` 5 seconds after you run `npm install`.
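For the install-hook mechanism the thread is discussing, here is an added example (not from any commenter) that inventories which packages in an npm `node_modules` tree declare `preinstall`, `install` or `postinstall` scripts, the hooks npm runs for dependencies during `npm install`. The sample tree and the package names in it are constructed for the demo; the scanner itself assumes only the standard layout of one `package.json` per package.

```python
# Added example (not from the thread): inventory install-time npm lifecycle
# scripts in a node_modules tree. Assumes the standard layout: one package.json
# per package, scoped packages under @scope/.
import json
import os
import tempfile

# The hooks npm runs for every dependency during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def find_install_scripts(node_modules):
    """Return {package_name: {hook: command}} for packages declaring install hooks."""
    findings = {}
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than crash
        scripts = manifest.get("scripts")
        if not isinstance(scripts, dict):
            continue
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings[manifest.get("name") or os.path.relpath(root, node_modules)] = hooks
    return findings

def build_sample_tree(node_modules):
    """Constructed sample tree: one hook-free package and two that declare install hooks."""
    manifests = {
        "plain-util": {"name": "plain-util", "scripts": {"test": "node test.js"}},
        "sample-hooked": {"name": "sample-hooked", "scripts": {"postinstall": "node ./setup.js"}},
        "@example/native": {"name": "@example/native", "scripts": {"preinstall": "node-gyp rebuild"}},
    }
    for rel, manifest in manifests.items():
        pkg_dir = os.path.join(node_modules, rel)
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)

def demo():
    """Build the sample tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        node_modules = os.path.join(tmp, "node_modules")
        build_sample_tree(node_modules)
        return find_install_scripts(node_modules)
```

Pointed at a real project's `node_modules`, `find_install_scripts` lists every package that will run a command at install time; npm's `ignore-scripts=true` setting in `.npmrc` disables those hooks, at the cost of breaking packages that genuinely need a build step.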
IshKebab an hour ago

Python does too, I believe. Really the reason not to allow that is for robustness, not security. You ideally don't want package installs doing random stuff to your system because package authors are generally bad at doing that sort of thing cleanly. The security impact is relatively minimal because, as other people have said, you just installed a package. What's the very next thing you're going to do? Compile/run it, obviously.
oblio an hour ago

A lot of packages are pulled in to call minimal bits of the actual library. I obviously don't have any statistics on this, but my instinct would say that for the average application only 5% of an average package is actually used. So not running package installation scripts is a huge, massive problem.
matheusmoreira an hour ago

You're right. I said the same thing and got downvoted too. Don't let it discourage you.