matheusmoreira (an hour ago):

> allows all packages to run package supplied arbitrary code as the logged-in user after an update completes

As opposed to the completely untrusted package supplied arbitrary code that the logged in user executes when they actually use the package immediately after installing it?

saturn_vk (an hour ago):

The package might not ever be executed on the user's machine. Depending on your setup, it might only be run on a server, where the data that can be exfiltrated is completely different.

PunchyHamster (an hour ago):

Why are you downloading code if you're not even using it to run tests? And if you run tests in CI/CD, or in a container, why are you downloading code locally? The only thing that comes to mind is code completion, but surely most people at least run unit tests locally before pushing the code out?

Petersipoi (an hour ago):

Sure but like.. come on. Is that really a defense? Most packages are run on devs' machines. And it's not like "Oh it's just running on my production server, what could go wrong there" is any better.

ZiiS (30 minutes ago):

We should not dismiss that it is slightly better. Production servers very rarely have creds to the source repository, nor to other production servers running possibly more sensitive code where investing in a smaller supply chain was justified.

Sankozi (5 minutes ago):

One malicious script that is run right after install vs one per each API entry point that might be called or not (transitive dependency).
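The thread contrasts code that runs once at install time with code that runs only when an API entry point is actually called. The first kind can be found before it runs, because an install hook has to be declared in the package manifest. The following audit script is an added example and is not part of the thread or of any package manager's own tooling; it assumes the npm convention of a `node_modules/<name>/package.json` layout with `preinstall`, `install`, `postinstall` and `prepare` hooks under `scripts` (the sample packages it builds are constructed for the demo).

```python
# Added example: list installed packages that declare install-time lifecycle
# hooks, i.e. code that would run during install/update before the package
# is ever imported. Assumes an npm-style node_modules/<name>/package.json tree.
import json
import os
import sys

# npm lifecycle hooks that execute during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(manifest: dict) -> dict:
    """Return only the install-time hooks declared in a parsed package.json."""
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        return {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def scan_node_modules(root: str) -> list:
    """Walk a node_modules tree (scoped @org/pkg and nested node_modules
    included) and return, sorted by name, every package with install hooks."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to report
        if not isinstance(manifest, dict):
            continue
        hooks = install_hooks(manifest)
        if hooks:
            findings.append({
                "name": manifest.get("name") or os.path.relpath(dirpath, root),
                "version": manifest.get("version", "?"),
                "hooks": hooks,
                "path": path,
            })
    return sorted(findings, key=lambda f: f["name"])


def demo() -> list:
    """Build a constructed sample node_modules tree in a temp dir and scan it."""
    import tempfile
    # Constructed sample manifests: two declare install hooks, one does not.
    sample = {
        "left-pad-ish": {"version": "1.0.0", "scripts": {"test": "jest"}},
        "telemetry-helper": {"version": "2.3.1",
                             "scripts": {"postinstall": "node ./collect.js"}},
        "@acme/build-tool": {"version": "0.9.0",
                             "scripts": {"preinstall": "node-gyp rebuild",
                                         "prepare": "husky install"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "node_modules")
        for name, manifest in sample.items():
            pkg_dir = os.path.join(root, *name.split("/"))
            os.makedirs(pkg_dir)
            with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
                json.dump({"name": name, **manifest}, fh)
        return scan_node_modules(root)


if __name__ == "__main__":
    # Usage: python audit_hooks.py [path/to/node_modules]; no argument runs the demo.
    results = scan_node_modules(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['name']}@{f['version']}: {', '.join(f['hooks'])}")
```

Running it against a real install directory gives the list of packages whose code already ran, or will run on the next update, without any entry point being called. The check finds only declared hooks, not code that runs at require time, which is the second category the thread discusses.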