npm fails to restrict the actions of malicious npm packages

Discussion in 'other security issues & news' started by ronjor, Mar 26, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    I always thought there was something kind of lax about npm...

    That said, I wonder about stuff like this w.r.t. other language package managers. For instance, how much of Ruby Gems or Perl CPAN is reviewed? And those can both run stuff with root privileges.

    Likewise the repos for tools like Docker and Vagrant. Those have officially approved containers, but I wonder how many people/companies use third-party ones as bases for critical stuff.
     
Loading...