← Back to context

Comment by graemep

6 days ago

> Nobody should do 'npm install' or 'pip install' on their machine.

What alternative do you suggest?

Do you mean not install outside a sandbox?

10 comments

graemep

Reply
themafia  6 days ago

Download source. Extract. Move files to correct node_modules folder.

If your distribution requires more than this, then it's not really a module, or combines too many non-modular components, and should be distributed differently.

The ability for npm to run scripts on any level should be removed.

Then we can go back to worrying about namespacing issues.

  • dist-epoch  6 days ago

    If an attacker can infect the post-install script of an npm package, they can also infect the package source code itself. So if you ever run the project outside the sandbox, you will still get compromised.

    It's like saying "I don't trust a software app with an installer, I just want a .zip with the binaries from the same source that I will run myself"

    • themafia  6 days ago

      > they can also infect the package source code itself

      Which is where the concept of "safe levels" come in. I should be able to install this module in such a way where file operations and process operations are not available to it. That being said, presumably, this types of infiltration would seem to be _much_ easier to spot. "Why is this web framework calling 'spawn'?"

      > I just want a .zip with the binaries

      I want a .zip with the _code_. Just the code. None of the packaging nonsense. My distribution can handle that.

      2 replies →

progx  6 days ago

alias npm / bun / ... to run in a docker container, so npm install run automatically in the container.

  • ashishb  6 days ago

    That's exactly what I started with. It gets unwieldy quickly enough as you need to mount a lot of directories that these you uses as cache.

    So, amazing-sandbox at its core is nothing but a glorified docker command generator (in default mode).