
This sucks for libraries that download native binaries in their install script. There are quite a few.


Downloading binaries as part of an installation of a scripting language library should always be assumed to be malicious.

Everything must be provided as source code and any compilation must happen locally.


Sure, but then you need to have a way to whitelist


The whitelist is the package-lock.json of the hashes of libraries you or a security reviewer you trust has reviewed.


You can still whitelist them, though, and reinstall them.



