by joelg
3604 days ago
Lots of people addressing security and remote code execution by typo. Yes. You're right. If it scares you, don't use it. It's always possible to run malicious code by typo, and this is only a little different from installing dependencies from the terminal. Even when you do spell a package's name correctly, you still don't know for sure what you're installing. The guy just made a cool thing - it seems a little out-of-scope to freak out over security when npm was never really there.
The concerns are fair though, just added a --secure flag which will install popular modules only (>10k downloads last month).