undefined | Better HN

0 pointsxorcist10y ago0 comments

What I want to know is how many systems does the author of is-positive-integer have implicit root access to?

Sounds to me like publishing oneliners on NPM is a trivial way to build a botnet.

0 comments

Seems like the answer is "none" by default, from https://docs.npmjs.com/misc/scripts#user

> If npm was invoked with root privileges, then it will change the uid to the user account or uid specified by the user config, which defaults to nobody. Set the unsafe-perm flag to run scripts with root privileges.

xorcistOP10y ago

That's good, even if nobody is perfectly enough to a botnet. I thought more of the user running the node application.

j / k navigate · click thread line to collapse