Edit - Information Security Stack Exchange

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Thanks for your answer. It's true that as soon as the environment is compromised, there is not much to do to save it. To answer your question: the packages I download are going to be used in a web app. For my users, these packages will be executed in a web browser, which is a safe and sandboxed environment. For me however, these packages can simply do anything as soon as I install them.

Zwyx
– Zwyx

2022-07-20 07:10:30 +00:00
Commented Jul 20, 2022 at 7:10
So it appears to me that NPM is too open and I'm wondering why it hasn't been made more secure by default, for instance by preventing execution of scripts at install, unless explicitly authorised. But as mentioned in a comment above, it has probably been done to allows ease of usage, to the detriment of security.

Zwyx
– Zwyx

2022-07-20 07:12:37 +00:00
Commented Jul 20, 2022 at 7:12

Add a comment |

Correct minor typos or mistakes
Clarify meaning without changing it
Add related resources or links
Always respect the author’s intent
Don’t use edits to reply to the author

create code fences with backticks ` or tildes ~
```
like so
```
add language identifier to highlight code
```python
def function(foo):
print(foo)
```
put returns between paragraphs
for linebreak add 2 spaces at end
_italic_ or **bold**
quote by placing > at start of line
to make links (use https whenever possible)

<https://example.com>

[example](https://example.com)

<a href="https://example.com">example</a>

formatting help »
answering help »