"please protect us from the NPM install scripts! It's arbitrary code execution!"

Say the people downloading and installing thousands of packages they have almost definitely not audited, in the face of vuln after vuln targeting execution time.

I'm so glad this isn't my problem.

just to clarify because apparently some people didn't get it:

"require('package-i-just-installed')" is arbitrary code execution.

postinstall scripts are irrelevant in the face of an unsandboxed nodejs.

require('pkg') is what people are *actually* exploiting in the wild.

that RFC that just got put up is a waste of human effort. On all sides. I'm so glad I don't have to deal with that exhausting bullshit myself anymore.


@zkat Working in tech is just continually adding things to the "Exhausting bullshit I don't want to touch" list until you find yourself in a hut in the woods, quiet and happy.
