by STRML 3731 days ago
> ● pre-install/post-install scripts should require the user to accept or refuse.

Unfortunately this wouldn't fix the issue. A malicious package could simply require() a JS script that does the same thing upon its first require(). There's no dependency on postinstall hooks for this worm to spread. Presumably, if you're installing packages, you intend to run them.