Comment by IshKebab
13 minutes ago
So what? Packages can just put their backdoors in some initialisation code that is always used.
It is possible that not running package installation scripts could improve security, but for that you need really good sandboxing/compartmentalisation of library code, e.g. with CHERI or the WASI component model, or, if all of your code must run in a secure context, it probably helps.
But those situations are unfortunately rare in my experience.