by bheadmaster 1391 days ago
Please go full Richard Stallman.

Control of computing is an all-or-nothing business - even a single compromised component can lead to compromise of the complete system.

Don't trust opaque binaries.

> How do you deal with this situation, do you use a virtual machine, or is there any other ideas I am missing here?

If you really want to run that opaque binary, a virtual machine will give you a decent amount of security. With GPU passthrough, you can even get near-native speed, too.


If you've ever run an `npm install`, you've executed hundreds of opaque binaries on your machine.
Would you care to elaborate?

I always thought npm was open-source-centric. If npm somehow ran opaque binaries, I'd really like to know about that.

There is no open-source requirement, like there would be on Gentoo packages for instance. NPM packages frequently pull arbitrary binaries in their install scripts.
1. There are thousands of dependencies in a usual lockfile.

2. A package author can push something other than the repository contents to npm, or change the contents before pushing to npm, making the whole open source thing useless.

3. As someone else pointed out, you can download+exec when an npm package is installed.

Do you really think your average JavaScript developer is going to read and understand all of their dependencies?