← Back to context

Comment by lrvick

3 months ago

Downloading binaries as part of an installation of a scripting language library should always be assumed to be malicious.

Everything must be provided as source code and any compilation must happen locally.

2 comments

lrvick

Reply

oulipo2 3 months ago

Sure, but then you need to have a way to whitelist

lrvick 3 months ago

The whitelist is the package-lock.json of the hashes of libraries you or a security reviewer you trust has reviewed.