Y
Hacker News
new
|
ask
|
show
|
jobs
by
lrvick
295 days ago
Downloading binaries as part of an installation of a scripting language library should always be assumed to be malicious.
Everything must be provided as source code and any compilation must happen locally.
1 comments
oulipo2
295 days ago
Sure, but then you need to have a way to whitelist
link
lrvick
295 days ago
The whitelist is the package-lock.json of the hashes of libraries you or a security reviewer you trust has reviewed.
link