Comment by homebrewer
2 hours ago
You can isolate it through bubblewrap; I moaned about it here and there's no point in repeating it:
https://news.ycombinator.com/item?id=45041798
If you only ever use js/ts for frontend projects (like we do), it closes one major hole that I'm aware of, which still leaves at least two:
- the editor possibly starting random binaries from inside the node_modules (such as biome, vitest, tsgo)
- escape from sandbox by using some kernel vulnerability, of which there have been many recently