by lioeters 2289 days ago
> Does this make you vulnerable to code coming downstream from this repo in the future?

The command is a standard way to install a module and save that specific version in package.json. By default I believe it's "^x.x.x", which allows patch versions that increment the last number when explicitly updating - otherwise re/install will always get that specific version.

It's no less (or more) secure than any other dependency. The last vulnerability that I heard about was the ability for modules to run arbitrary commands, for example from the pre/post-install step. If I recall correctly, they added an optional way to disable this, but many modules make use of it for compiling native code, etc.

So - I'd say yes, installing any dependency will make you vulnerable to code coming downstream. However, an SVG icon library with little to no executable code can probably be considered low risk.
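To make the two points above concrete (version specifiers saved in package.json, and pre/post-install scripts that run code at install time), here is an added audit example; it is not code from this thread or from npm itself, and it works on constructed package.json contents embedded inline rather than reading node_modules. It reports how much version drift each dependency specifier allows and which installed packages declare preinstall/install/postinstall hooks, the ones npm runs automatically unless scripts are disabled with `--ignore-scripts`.

```javascript
// Added example (not from the thread): audit dependency specifiers and
// install-time lifecycle scripts, which run with the installing user's
// privileges unless `npm install --ignore-scripts` is used.

// Constructed sample: the consuming project's package.json.
const PROJECT_PACKAGE_JSON = {
  name: "my-app",
  dependencies: {
    "icon-lib": "^1.2.3",    // caret range: may drift on reinstall without a lockfile
    "native-thing": "2.0.0", // exact pin
    "util-lib": "~0.4.1",    // tilde range
  },
};

// Constructed sample: package.json of each installed dependency, keyed by name
// (a real audit would read node_modules/<name>/package.json).
const INSTALLED = {
  "icon-lib": { version: "1.2.3", scripts: { build: "svgo icons/" } },
  "native-thing": { version: "2.0.0", scripts: { install: "node-gyp rebuild" } },
  "util-lib": { version: "0.4.1", scripts: { postinstall: "node setup.js", test: "mocha" } },
};

// Lifecycle hooks npm runs automatically when installing a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Classify a version specifier by how much drift it allows on reinstall.
function classifySpec(spec) {
  if (/^\d+\.\d+\.\d+$/.test(spec)) return "exact";
  if (spec.startsWith("^")) return "caret";
  if (spec.startsWith("~")) return "tilde";
  return "other"; // tags, wildcards, git URLs, comparison ranges
}

// Return the install-time hooks a package declares (empty if none or unknown).
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => Object.prototype.hasOwnProperty.call(scripts, h));
}

// One audit row per dependency: name, specifier, drift class, install hooks.
function auditDependencies(project, installed) {
  return Object.entries(project.dependencies || {}).map(([name, spec]) => ({
    name, spec, range: classifySpec(spec), installHooks: installHooks(installed[name]),
  }));
}

for (const row of auditDependencies(PROJECT_PACKAGE_JSON, INSTALLED)) {
  const hooks = row.installHooks.length ? row.installHooks.join(",") : "none";
  console.log(`${row.name}@${row.spec} [${row.range}] install-time scripts: ${hooks}`);
}
```

A `build` script (as on the icon library here) is not run by `npm install`, so only the two packages with `install`/`postinstall` hooks execute code at install time in this sample.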


> can probably be considered low risk

How so? I would think it puts its files in a publicly accessible path. That means if it puts executable code there (python, php, js, whatever) in a future release it allows for a server takeover.
You're right, I had doubts while writing that.

Aside from pre/postinstall scripts, I imagine the SVG and/or CSS files get copied into a folder of static assets.

Depending on how that's done - manual import or part of a build step; specifying file extensions or not; how assets are served, etc. - that could be "vulnerable to code coming downstream".

The risk calculation is trust-based, so wondering how the author will make money is well within scope for trying to evaluate the risk.