by dns_snek 811 days ago
How does that add any danger? You're pulling in code because you want to use it. If the package is malicious and your package manager doesn't have post-install scripts, the malicious code is just going to run 5 seconds later when you import it and start working with it.

In the case of NPM with post-install scripts disabled, you'll simply get pwned when you `npm start` rather than `npm install`.

1 comments
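An added example, not from either commenter, of the point above that importing a package is already running its code: a small static check using Python's `ast` module that lists calls executed at module level (so on `import`) rather than inside function or class bodies. The sample `__init__.py` source and the `SUSPICIOUS` set are constructed for illustration.

```python
import ast

# Constructed sample: a package __init__.py that runs commands at import time.
SAMPLE_INIT = '''
import os
import subprocess

VERSION = "1.0"

def helper():
    return 1

subprocess.run(["echo", "runs at import"])
os.system("echo also at import")
'''

# Module-level callables that indicate side effects worth a reviewer's look
# before the package is imported (illustrative list, not exhaustive).
SUSPICIOUS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
              "os.system", "os.popen", "exec", "eval",
              "urllib.request.urlopen"}

def _dotted(node):
    # Rebuild "pkg.attr" from an Attribute/Name chain, or None if not a plain name.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def module_level_calls(source):
    """Return (line, callee) for suspicious calls that run on import.

    Only top-level statements are inspected; function and class bodies are
    skipped because they execute when called, not when the module is imported.
    """
    tree = ast.parse(source)
    found = []
    for stmt in tree.body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call):
                name = _dotted(node.func)
                if name in SUSPICIOUS:
                    found.append((node.lineno, name))
    return found

if __name__ == "__main__":
    for line, callee in module_level_calls(SAMPLE_INIT):
        print(f"line {line}: {callee} runs at import time")
```

The same check applied to a `setup.py` covers the install-time path, so both the `pip install` and the `import` moments get the same review.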

Honestly, I'm going off memory on python. In the olden days, it was not at all uncommon for devs to want the ability to "sudo pip install foo".