this post was submitted on 11 Apr 2022
3 points (100.0% liked)

JavaScript community

866 readers
2 users here now

A community about JavaScript, the ECMAScript standard, and programs that make use of JS such as Node.js.

founded 5 years ago
MODERATORS
miguel@lemmy.ml
mlaunois@lemmy.ml
3
NodeJS packages don't deserve your trust. (a proposal for building a capabilities-based sandbox to fix this) (josephg.com)
submitted 2 years ago by cypherpunks@lemmy.ml to c/javascript@lemmy.ml
3 comments fedilink hide all child comments
 

via https://news.ycombinator.com/item?id=30988034

you are viewing a single comment's thread
view the rest of the comments
[–] castarco@lemmy.ml 1 points 2 years ago

Very interesting :) , although I have the feeling we already have some features in place (and others on the way) trying to solve this same problem.

  • We already have "Shadow Realms", which doesn't really solve the capabilities problem, but at least provides a thin isolation layer (at least our globals are protected!). This is supposed to work in all JS environments, not just NodeJS.
  • On top of that, there's work in progress to implement a permissions system (with experimental code already in place, that can be tested): https://github.com/nodejs/security-wg/issues/791