halflife, 10 months ago, on: Malicious versions of Nx and some supporting plugi...
This sucks for libraries that download native binaries in their install script. There are quite a few.
lrvick, 10 months ago:
Downloading binaries as part of an installation of a scripting language library should always be assumed to be malicious.
Everything must be provided as source code and any compilation must happen locally.
oulipo2, 10 months ago:
Sure, but then you need to have a way to whitelist.
lrvick, 10 months ago:
The whitelist is the package-lock.json of the hashes of libraries you or a security reviewer you trust has reviewed.
junon, 10 months ago:
You can still whitelist them, though, and reinstall them.