by qudat
277 days ago
The blast radius is made far worse by npm having the concept of "postinstall" which allows any package the ability to run a command on the host system after it was installed. This works for deps of deps as well, so anything in your node_modules has access to this hook. It's a terrible idea and something that ought to be removed or replaced by something much safer.