lrvick
10mo ago
Downloading binaries as part of an installation of a scripting language library should always be assumed to be malicious.
Everything must be provided as source code and any compilation must happen locally.
2 comments · 1 top-level
oulipo2
10mo ago
Sure, but then you need to have a way to whitelist
lrvick
OP
10mo ago
The whitelist is the package-lock.json of the hashes of libraries you or a security reviewer you trust has reviewed.