by kungfooguru 4159 days ago
But do they need to have the issue? Why allow running arbitrary commands during install?

To me it is less about someone purposely including malicious code (since yes, that could be in the project itself not just the install) but that having this willy-nilly form of package managing opens up people to mistakes moving files around that do harm on accident.

And it gets even worse if the package is able to be added to a repo, like npmjs.org, and not have to be accepted after being reviewed.

1 comments

There's not much difference between running a command on install and using an open source library. It's just as easy to hide `exec("r" + "m" + " -r" + "f" + " .")` in source.