grassfedgeek 4 hours ago

"First run" doesn't exist for JavaScript libs used only in web apps. So for that entire class of packages this change makes them safe.

tabwidth 3 hours ago | parent | next [-]

Build tooling still runs though. Your bundler plugin or PostCSS transform gets full fs access at build time, nobody's auditing that.

TZubiri 2 hours ago | parent [-]

Build deps are even disregarded as less critical than runtime deps traditionally. So deps like Sphinx for building docs are still a dev-side supply chain vector.

https://github.com/kennethreitz/pytheory/issues/47

The reason this may be overlooked is that build deps are only run by the devs, not by the users, so users dismiss them as safe. However, if a build dep is infected, the infection may spread to the actual package code, which will then of course be run by the user.

Not theoretical, Microsoft is currently under attack by a worm that spreads through vs code extensions, which then spread to actual packages that users run.

WatchDog 3 hours ago | parent | prev | next [-]

"First run" certainly exists in web apps, it's just running JS in a browser rather than a shell script on a developer or CI machine.

There is plenty of malicious stuff you can do from the browser.

TZubiri 2 hours ago | parent | prev [-]

But this is npm, the execution environment is not the browser, but the server.

Most packages are imported via import/require, even if they are browser-only packages, because of SSR and other reasons.

Or maybe not. Let's look at a random browser-only example: Angular and React will use SSR, so they will execute on the server. Let's check jQuery:

https://www.npmjs.com/package/jquery

The docs suggest just using a script tag instead of npm; when using npm install, they suggest running an import statement, which can execute arbitrary code.

The bottom line seems to be that if you are using npm, it's because you are using Node, and therefore you will run the imported code on the server; otherwise you would use a script tag.

But maybe there's a way to define a browser-only package or .js URL such that it is only downloaded and served, but never executed server-side?

In any case, not a huge use case of npm, which again is designed for Node, which is backend.

Random example,

include