undefined | Better HN

0 pointsreactordev7mo ago0 comments

Correct, luckily, but all it takes is one eval. So be diligent about checking. However, like you said, luckily it’s JavaScript and there’s a history online that you can see.

Be weary of binary wasms though, harder to analyze. In the end, because it was published and npm allows you to see the history, we can all see.

Still, from a security standpoint, anything within a “package” that is compromised, compromises the package. Don’t install it. Wait for the fix.

0 comments

tempaccount4207mo ago

WASM should be easier to analyze since you can't look at what functions the WASM imports to do side-effects.

j / k navigate · click thread line to collapse

0 pointsreactordev7mo ago0 comments

Correct, luckily, but all it takes is one eval. So be diligent about checking. However, like you said, luckily it’s JavaScript and there’s a history online that you can see.

Be weary of binary wasms though, harder to analyze. In the end, because it was published and npm allows you to see the history, we can all see.

Still, from a security standpoint, anything within a “package” that is compromised, compromises the package. Don’t install it. Wait for the fix.

0 comments

tempaccount4207mo ago

WASM should be easier to analyze since you can't look at what functions the WASM imports to do side-effects.

j / k navigate · click thread line to collapse