by garbagepatch
14 days ago
Most users don't need it. Having it on by default is a feature for malware writers not users. But to your point, Node has had permission flags for a while[0] but allows everything by default. Npm could use them to increase security even more. I just hope it doesn't take them another 10 years to change the default.

[0] https://nodejs.org/api/permissions.html

Still, “default off” is better. It would be nice if there were a lightweight way to fork upstream packages, and cache the native builds. It’d improve build times, make the build step more explicit / sandboxable and allow for easier binary builds for operating systems and processors that M$ treats as second class.