[ryanlol]

>If the ad makes a remote call during execution (for an dynamic ad serve), it's an attack vector. There is always custom ad code for analytics that adserves use to fill (the ad placement space) and report back, called an admanager. As an advertiser, you can upload your own admanager (that that has your own custom code

Can you point out a real example of terminal advertising like this?

[reallydude]

No. I haven't looked through many js packages.

I could make it without any effort via:

> https://github.com/feross/funding/blob/master/messages.json

Currently it's "manually curated" which is a fancy way of saying, it's my own custom ad-tag that doesn't call an adserver. Replacing one field with a function that is immediately called and getting your value out, is how most people would integrate an ad-tag.

Using DFP or whatever, you can plug in an adtag call and parse values and you're in business. Ad platforms don't usually support plaintext tags, but I have seen them still supported by some of the older "native ad" platforms who started as platforms that served HTML strings (Taboola, etc).

The takeaway is that NPM nipped it in the bud because it's trivial to abuse.

[ryanlol]

So you’re talking about software which doesn’t exist, right?

This seems like a silly slippery slope argument.

[reallydude]

> So you’re talking about software which doesn’t exist, right?

It exists on my computer right now (didn't use an actual admanager, just coded a remote call). You want to believe the gun pointed at the door with a string on the trigger and doorknob is not a danger because you don't want to open the door. Good luck with whatever.