by no-name-here 36 days ago
> aube (npm/yarn/pnpm drop-in alternative) now has a "jailBuilds" flag that restricts access to network/filesystem access.

1. It seems like the restrictions are only for lifecycle scripts, so wouldn't help if/when the package's actual code had malicious code inserted?

2. Package managers like pnpm seem to entirely block lifecycle scripts by default, so I guess this is an in-between solution.

Still, I guess it's a step in the right direction for those who want or need to run lifecycle scripts specifically.

1 comment

1. the supply chain attacks I've seen are naive. They just leverage postinstall hooks. Malicious code also needs to be executed, not simply installed, so it's a lot less likely that an exploit would happen compared to postinstall since it can't just be buried in a transitive.

2. aube does the same. This is an extra level of protection if you've already whitelisted a package