I mean, wow. I've seen half-baked ideas before, but this takes the cake. Typos now equal remote code execution, and it's even easier to enter dependency hell, because deps are now implicit.
I actually looked at the code for 5 minutes. This module is vulnerable to arbitrary code execution simply by having a malicious JavaScript file in a directory or subdirectory underneath where `auto-install` is run, without the user even needing to make a typo due to its design.
The documentation currently just says 'avoid typos'.
siddharthkp: please give me a way to contact you. see my contact info on my profile.
The whole node ecosystem is a mess. Shrinkwrapping is a pain, easily bottoms out due to node's small default stack limits, and often the only solution is to `rm -r node_modules` and rebuild the dependency graph from scratch.
Right, but when you are running npm install you know you are installing and so you know you should be careful, and only hit return if you are sure it is right.
With this, you have to be careful the WHOLE time you are typing. You normally don't worry about hitting return in your editor causing RCE.
The idea is inherently flawed. Dependency installation should be done as needed by people who are consciously aware of what they are doing. A better solution would be integrating NPM into your editor, so that package installation is trivial, but still explicit. M-x install-from-npm-region, anyone?
That function MIGHT install random things through NPM if your mark is unset, but it is, at least, explicit. And the random thing in question is your last region, so it's far more likely that NPM will just throw its hands up and shout "what the hell?" than actually install anything...
Also note that that code hasn't been tested. I wouldn't copy this into my .emacs just yet, if I were you. Run it by somebody who actually knows elisp, first.
I don't really know if there is a way to fix this issue... unless you had some sort of whitelist of acceptable packages, and a prompt if you try to install a non-whitelisted package.
One other possibility is to have a delay, so that it waits an amount of time before installing, to give a chance to catch and fix the typo.
If I understand correctly, this doesn't happen while you type, it happens after you save the file. Not much difference in care needed between saving a file or hitting enter IMO, if you are aware of the consequences. Also, it's not like you don't know the thing is running - you'll subconsciously double check you typed the repo correctly before you save, knowing it will invoke an install.
Indeed. If there's one thing we learned about node dependencies this year it's that nothing can go wrong if you take dependencies without thinking about them.
Because it installs based on what you type, if you accidentally type something like `expres`, which has some kind of vulnerability or is malicious, you won't have time to notice the typo before it installs it. It could happen when doing it manually, but it's less likely because it doesn't install based on looking at your code but based on your `npm install` command.
I'm not buying the argument. I often hit [npm install] 20 times a day, and sometimes you get distracted, or just sloppy at the end of a long week. A nice feature of this is that in vim I'd have a dict of common modules, and then have the autocomplete complete their names for me. That way you get in a routine where if the library isn't in the autocomplete, you need to take a second and think about it. So nothing wrong with the tool, it's just a tool. Use a flamethrower carelessly, you're going to have a bad time.