by ushakov 1516 days ago
> there is barely any security risk in shipping a compiled css file

not when you require 500 dependencies to actually compile the css

imagine running “npm run build” but instead of getting a css file you get your hard drive wiped out, because some author of a random npm module decided it’s April Fool’s day today

this is a hard reality that many are not willing to acknowledge because of all the hype around JS

1 comments

I agree that it is currently a very real security risk, but at the same time we should ask ourselves what on Earth are our OSs doing? Because my phone could protect me from that 100%. Running arbitrary code should pose no such threat ever.