by giantrobot 744 days ago
> Or is that just asking for trouble?

The average Node project pulls in hundreds of dependencies. While you'd hope these would have some security vetting because of the Many Eyes theory, you have no fucking idea what your project is doing. Even a trivial Electron app is running a ridiculous amount of unreviewed third party code.

Just one module able to exercise some local exploit in your engine because you didn't fix Security Footgun #8176 screws over all of your users.

A browser engine that's been developed with a billion dollars of person hours runs that same untrusted third party code but has security guardrails everywhere.

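The "you have no idea what your project is doing" point is easy to make concrete. The script below is an added example, not code from this thread or from any project it mentions: it reads an npm lockfile in the lockfileVersion 2/3 layout (the `packages` map, where npm records `hasInstallScript: true` for anything with a preinstall/install/postinstall script and omits `integrity` for git and local dependencies) and reports how much of the installed code was never chosen directly, which packages run code on `npm install`, and which copies cannot be verified against the lockfile at all. The lockfile is constructed inline; every package name except electron is made up.

```javascript
// Added example (not from the HN thread). Audits an npm lockfile for the
// amount of third-party code and for packages that execute at install time.
// The lockfile below is constructed; only "electron" is a real package name.
const constructedLock = {
  name: "trivial-electron-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "ui-kit": "^2.0.0", "log-pretty": "^1.1.0" },
      devDependencies: { electron: "^28.0.0" },
    },
    "node_modules/ui-kit": {
      version: "2.3.1",
      resolved: "https://registry.npmjs.org/ui-kit/-/ui-kit-2.3.1.tgz",
      integrity: "sha512-AAAA",
      dependencies: { "color-math": "^1.0.0", "native-blur": "^0.4.0" },
    },
    "node_modules/color-math": {
      version: "1.0.2",
      resolved: "https://registry.npmjs.org/color-math/-/color-math-1.0.2.tgz",
      integrity: "sha512-BBBB",
    },
    "node_modules/native-blur": {
      version: "0.4.7",
      resolved: "https://registry.npmjs.org/native-blur/-/native-blur-0.4.7.tgz",
      integrity: "sha512-CCCC",
      hasInstallScript: true, // npm sets this for preinstall/install/postinstall
      dependencies: { "prebuild-fetch": "^1.0.0" },
    },
    "node_modules/prebuild-fetch": {
      version: "1.2.0",
      resolved: "https://registry.npmjs.org/prebuild-fetch/-/prebuild-fetch-1.2.0.tgz",
      integrity: "sha512-DDDD",
    },
    "node_modules/log-pretty": {
      version: "1.1.0",
      // git dependency: npm records no integrity hash for it
      resolved: "git+ssh://git@github.com/example/log-pretty.git#0123abcd",
      dependencies: { "color-math": "^0.9.0" },
    },
    "node_modules/log-pretty/node_modules/color-math": {
      version: "0.9.9", // second copy of color-math, nested to satisfy ^0.9.0
      resolved: "https://registry.npmjs.org/color-math/-/color-math-0.9.9.tgz",
      integrity: "sha512-EEEE",
    },
    "node_modules/electron": {
      version: "28.1.0",
      dev: true,
      resolved: "https://registry.npmjs.org/electron/-/electron-28.1.0.tgz",
      integrity: "sha512-FFFF",
      hasInstallScript: true, // downloads the platform binary at install time
    },
  },
};

// Package name from a lockfile path, scoped names included:
// "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock) {
  const root = lock.packages[""] || {};
  const declared = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const versions = new Map(); // name -> Set of installed versions
  const report = { total: 0, direct: 0, transitive: 0, installScripts: [], noIntegrity: [], duplicates: {} };

  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // the project itself
    const name = packageName(lockPath);
    const depth = lockPath.split("node_modules/").length - 1; // 1 = top-level node_modules
    report.total++;
    if (depth === 1 && declared.has(name)) report.direct++;
    else report.transitive++; // nobody on the project chose this one
    if (meta.hasInstallScript) report.installScripts.push(name);
    if (!meta.integrity) report.noIntegrity.push(name);
    if (!versions.has(name)) versions.set(name, new Set());
    versions.get(name).add(meta.version);
  }
  for (const [name, set] of versions) {
    if (set.size > 1) report.duplicates[name] = [...set].sort();
  }
  report.installScripts.sort();
  report.noIntegrity.sort();
  return report;
}

function summarize(report) {
  const lines = [
    `${report.total} packages installed: ${report.direct} chosen directly, ${report.transitive} pulled in transitively`,
    `${report.installScripts.length} run code at install time: ${report.installScripts.join(", ") || "none"}`,
    `${report.noIntegrity.length} have no integrity hash: ${report.noIntegrity.join(", ") || "none"}`,
  ];
  for (const [name, vs] of Object.entries(report.duplicates)) {
    lines.push(`${name} is installed ${vs.length} times (${vs.join(", ")}); each copy is separate code`);
  }
  return lines.join("\n");
}

console.log(summarize(auditLockfile(constructedLock)));
```

To run it against a real project, replace `constructedLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; on a real Electron app the "transitive" and "run code at install time" lines are the ones that usually surprise people. Note that the lockfile only tells you which packages execute during `npm install` (which `npm install --ignore-scripts` blocks); every package in the list still executes with the application's full privileges once it is required at runtime, which is the comment's actual point.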

Aren't those dependencies trusted anyway? If they want to do something evil, they can just do it, they don't need to look for a zero-day in the engine they're running on.
The LCE doesn't need to be in the engine, the engine just needs to lack protections for the code to run something locally. As for Node dependencies being trusted, they are trusted but that's largely unearned trust.