by cortesoft 3604 days ago
Right, but when you are running npm install you know you are installing and so you know you should be careful, and only hit return if you are sure it is right.

With this, you have to be careful the WHOLE time you are typing. You normally don't worry about hitting return in your editor causing RCE.


Good point, any ideas on handling this better?

Opened an issue here: https://github.com/siddharthkp/auto-install/issues/2

The idea is inherently flawed. Dependency installation should be done as needed by people who are consciously aware of what they are doing. A better solution would be integrating NPM into your editor, so that package installation is trivial, but still explicit. M-x install-from-npm-region, anyone?

  ;; Install whatever is in the active region as an npm package, explicitly.
  (defun install-from-npm-region (start end)
    (interactive "r")
    ;; call-process takes PROGRAM, then INFILE, DESTINATION, DISPLAY and &rest ARGS;
    ;; handing the package name over as its own argument avoids the shell entirely.
    (call-process "npm"
                  nil
                  (get-buffer-create "*NPM Output*")
                  nil
                  "install"
                  (filter-buffer-substring start end)))
That function MIGHT install random things through NPM if your mark is unset, but it is, at least, explicit. And the random thing in question is your last region, so it's far more likely that NPM will just throw its hands and shout "what the hell?" than actually install anything...

Also note that that code hasn't been tested. I wouldn't copy this into my .emacs just yet, if I were you. Run it by somebody who actually knows elisp, first.

I don't really know if there is a way to fix this issue... unless you had some sort of whitelist of acceptable packages, and a prompt if you try to install a non-whitelisted package.

One other possibility is to have a delay, so that it waits an amount of time before installing, to give a chance to catch and fix the typo.

Added a --secure flag which will install popular modules only (>10k downloads last month)
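As an added example (not auto-install's code or any commenter's), here is one way to implement the allowlist-plus-prompt idea above together with the popularity gate behind the --secure flag: package names are pulled from a saved file, and anything that is neither allowlisted nor above a download threshold is deferred to a prompt instead of being installed. The import syntax handled, the builtin list and the download counts are constructed assumptions.

```javascript
// Added example, not auto-install's code: gate automatic installs behind an
// allowlist and a popularity threshold, deferring everything else to a prompt.

// Constructed, deliberately short list of Node builtins to ignore.
const BUILTINS = new Set(["fs", "path", "http", "os", "crypto", "child_process"]);

// Pull bare package specifiers out of saved JS source: require('x'),
// import ... from 'x', and side-effect import 'x'. Relative paths and
// builtins are skipped; "@scope/pkg/sub" normalises to "@scope/pkg".
function extractPackages(source) {
  const re = /(?:require\(|from\s+|^\s*import\s+)['"]([^'"]+)['"]/gm;
  const found = new Set();
  for (const m of source.matchAll(re)) {
    const spec = m[1];
    if (spec.startsWith(".") || spec.startsWith("/")) continue;
    const parts = spec.split("/");
    const name = spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
    if (!BUILTINS.has(name)) found.add(name);
  }
  return [...found];
}

// Decide per package: "install" when allowlisted or popular enough,
// "prompt" otherwise. A mistyped name is rarely both known and popular.
function classify(names, policy) {
  const { allowlist, downloads, minDownloads } = policy;
  return names.map((name) => {
    const n = downloads.get(name) || 0;
    if (allowlist.has(name)) return { name, action: "install", reason: "allowlisted" };
    if (n >= minDownloads) return { name, action: "install", reason: `${n} downloads/month` };
    return { name, action: "prompt", reason: `unknown or unpopular (${n} downloads/month)` };
  });
}

// Constructed sample: a saved file with one mistyped require, plus a stand-in
// for the registry's monthly download counts (these numbers are made up).
const SAMPLE_SOURCE = `
import express from 'express';
import { debounce } from 'lodash/debounce';
import fs from 'fs';
const chalk = require('chalk');
const ui = require('./ui');
const oops = require('lodahs');
`;
const SAMPLE_POLICY = {
  allowlist: new Set(["chalk"]),
  downloads: new Map([["express", 12000000], ["lodash", 30000000], ["lodahs", 3]]),
  minDownloads: 10000,
};

const decisions = classify(extractPackages(SAMPLE_SOURCE), SAMPLE_POLICY);
```

Only the three entries marked "install" would be passed to npm; the "prompt" entry is shown to the user for confirmation.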
Good idea!
If I understand correctly, this doesn't happen while you type, it happens after you save the file. Not much difference in care needed between saving a file or hitting enter IMO, if you are aware of the consequences. Also, it's not like you don't know the thing is running - you'll subconsciously double check you typed the repo correctly before you save, knowing it will invoke an install.
Unless your IDE, like many, auto-saves files.
Even Emacs'll do that.