Mleropa/_🌐

2019/11/24 10:55:24 PM UTC

I appreciate that npm will check your packages for vulnerabilities, because I can clone a random js project, run npm isntall, and be told "found 213 vulnerabilities (5 low, 5 moderate, 201 high, 2 critical)"
replies
0
announces
3
likes
7

2019/11/24 10:58:49 PM UTC

@trickster @Dee im quite proud of the fact that memeforth can be npm installed without worrying about that because it has zero non-dev dependencies :^)

2019/11/24 10:59:57 PM UTC

@trickster @Dee guess a lack of massive vulnerabilities is a lack of feature completeness in the world of javascript

2019/11/24 11:00:34 PM UTC

@mdszy @Dee it's more a lack of access to my system as a whole; is it turing complete yet?

2019/11/24 11:01:02 PM UTC

@trickster @Dee it has memory and loops and conditionals so i guess it probably would be

2019/11/24 11:01:32 PM UTC

@mdszy @Dee sounds good to me, just let it run `system()` and we're there

2019/11/24 11:01:47 PM UTC

@a_breakin_glass I'm pretty sure isntalling vulnerabilities with npm is a feature

2019/11/24 11:01:57 PM UTC

@trickster @Dee i considered adding the ability to evaluate arbitrary js code but @bclindner made a :cate: face at that

2019/11/24 11:02:50 PM UTC

@Dee random chance for a bitcoin miner payload in every dependency tree

2019/11/24 11:37:50 PM UTC

@Dee as I know modules can execute some code during install on your machine (like building some native code, but I guess this could be abused)

2019/11/24 11:51:08 PM UTC

@selfisekai Yeah, if you can execute arbitrary code as root then, well, you can execute arbitrary code as root. pip has a similar issue with Python packages.

I just never had any desire to run npm as root, though.

2019/11/24 11:53:19 PM UTC

@Dee you just did it, as I know npm _only_ shows the vulnerability count on npm install if you are logged in as root. on a normal account you'd need to run npm audit separately.

2019/11/25 12:00:39 AM UTC

@selfisekai I’m pretty sure I’d notice if I was running npm as root…

npm has a setting that controls this behavior, audit, which is set to true by default (and I don’t have it set in .npmrc).

2019/11/25 12:07:03 AM UTC

@Dee hmm, I guess they changed it. I use yarn for everything so I don't know

2019/11/25 2:08:07 AM UTC

@a_breakin_glass @Dee

I bet it would be a solid random number generator...