Comment by ashishb
1 month ago
> definitely wouldn't recommend `npm install <actually a random package>`, even in Docker.
That's not the main attack vector. The attack vector is some random dependency that is used by a lot of popular packages, which you `npm install` indirectly.
That doesn't change what I said. It definitely doesn't change what I said about Docker as a security boundary.
Again, it's great to run `npm` in a container. I do that too because it's the lowest effort solution I have available.