by TekMol 2284 days ago
What is the business model behind this?

The GitHub account links to this site:

https://tabler.io

Which looks like a typical sales page. But it also says "free" everywhere. No info on pricing or business model.

The icons page says to install the icons like this:

    npm install tabler-icons --save
Does this make you vulnerable to code coming downstream from this repo in the future?
3 comments

Maybe they'll introduce something paid later:

- paid support

- paid premium components

- etc

I also see they are already selling email templates here: https://gumroad.com/l/tabler-email?utm_source=demo

I'm also very actively looking for a catch whenever I see something like this but this seems entirely benign as far as I can see.

Edit: there's also a pay-what-you-want page when you click download. Still totally ok with me.

> Does this make you vulnerable to code coming downstream from this repo in the future?

The command is a standard way to install a module and save that specific version in package.json. By default I believe it's "^x.x.x", which allows patch versions that increment the last number when explicitly updating - otherwise re/install will always get that specific version.

It's no less (or more) secure than any other dependency. The last vulnerability that I heard about was the ability for modules to run arbitrary commands, for example from the pre/post-install step. If I recall correctly, they added an optional way to disable this, but many modules make use of it for compiling native code, etc.

So - I'd say yes, installing any dependency will make you vulnerable to code coming downstream. However, an SVG icon library with little to no executable code can probably be considered low risk.
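As an added example (not from anyone in this thread, and not tabler's code), the two points above in working JavaScript: which versions a saved `^x.y.z` range admits under npm's caret rules, and which lifecycle scripts in a dependency's manifest would run at install time (the ones `--ignore-scripts` suppresses). The manifest and version numbers are constructed.

```javascript
// Added example (not from the thread): what an "npm install --save" caret range
// admits, and which lifecycle scripts in a dependency's package.json run code
// at install time. Versions and manifest below are constructed, not tabler's.

const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall"];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Exclusive upper bound of a caret range, per npm semver rules:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Does `version` satisfy `spec` (exact "1.2.3" or caret "^1.2.3")?
function satisfies(spec, version) {
  const v = parseVersion(version);
  if (spec.startsWith("^")) {
    const lo = parseVersion(spec.slice(1));
    return compare(v, lo) >= 0 && compare(v, caretUpperBound(lo)) < 0;
  }
  return compare(v, parseVersion(spec)) === 0;
}

// Lifecycle scripts a registry dependency runs during `npm install`
// (exactly what `npm install --ignore-scripts` would skip).
function installTimeScripts(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE_SCRIPTS.filter((name) => name in scripts);
}

// Constructed manifest of a hypothetical dependency
const sampleManifest = {
  name: "example-icons",
  version: "1.4.2",
  scripts: { postinstall: "node scripts/fetch-assets.js", test: "jest" },
};

console.log(satisfies("^1.2.0", sampleManifest.version), installTimeScripts(sampleManifest));
```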

    can probably be considered low risk
How so? I would think it puts its files in a publicly accessible path. That means if it puts executable code there (python,php,js whatever) in a future release it allows for a server-takeover.
You're right, I had doubts while writing that.

Aside from pre/postinstall scripts, I imagine the SVG and/or CSS files get copied into a folder of static assets.

Depending on how that's done - manual import or part of a build step; specifying file extensions or not; how assets are served, etc. - that could be "vulnerable to code coming downstream".

The risk calculation is trust-based, so wondering how the author will make money is well within scope for trying to evaluate the risk.
This is a very common pattern in open source, I don't see anything strange about this particular case.