Making "safe npm"
Feross and his team at Socket recently shipped a wrapper library for the ubiquitous npm package manager’s command-line interface that brings enhanced security when you need it most: before executing any code
Bradly Farias lead this effort, so Jerod & Chris invited him on the show to learn all about it.
Discussion
Sign in or Join to comment or subscribe
Mente Gee
2023-04-22T22:22:31Z ago
Whew this actually made me not want to use this 😅. This is one of the reasons I like Deno though with the security. Also the bit about having to always give permissions in production is a tad misleading.
I do like how this tool gives you context on libraries (known squatter, been part of recent malicious attacks, etc). It sounds like the software is difficult to maintain through npm updates (actual new versions of npm not the command).
Im going to give this another listen though
Jerod Santo
Bennington, Nebraska
Jerod co-hosts The Changelog, crashes JS Party & takes out the trash (his old code) once in awhile.
2023-04-23T14:54:57Z ago
Is this not the case in your experience? I can’t imagine, for example, a typical CRUD web app* that doesn’t have to read environment variables, access the network, read (and usually write) from the file system, and more.
Mente Gee
2023-04-24T17:11:14Z ago
He framed it in a way that its tedious. You can set the command with all the permissions once and then just use the taskrunner to call it. Not having to type and enter it in every time.