undefined | Better HN

0 pointsec1096857mo ago0 comments

Can’t the exploit just be encoded in files that are used when the npm module is actually used?

It seems like not running it at package install time doesn’t afford that much protection.

0 comments

Correct. Pretty limited as a protection when the first thing you do after installing a package is running it.

Literally the only thing blocking scripts protects you from is if a package is bundled by webpack and not run by node. If the compromise happens in nx, it's just run after up type nx[enter] in your command line.

j / k navigate · click thread line to collapse

0 pointsec1096857mo ago0 comments

Can’t the exploit just be encoded in files that are used when the npm module is actually used?

It seems like not running it at package install time doesn’t afford that much protection.

0 comments

bapak7mo ago

Correct. Pretty limited as a protection when the first thing you do after installing a package is running it.

j / k navigate · click thread line to collapse