this post was submitted on 11 Apr 2022
3 points (100.0% liked)

JavaScript community

866 readers
2 users here now

A community about JavaScript, the ECMAScript standard, and programs that make use of JS such as Node.js.

founded 5 years ago
MODERATORS
miguel@lemmy.ml
mlaunois@lemmy.ml
3
NodeJS packages don't deserve your trust. (a proposal for building a capabilities-based sandbox to fix this) (josephg.com)
submitted 2 years ago by cypherpunks@lemmy.ml to c/javascript@lemmy.ml
3 comments fedilink hide all child comments
 

via https://news.ycombinator.com/item?id=30988034

top 3 comments
sorted by: hot top controversial new old
[–] castarco@lemmy.ml 1 points 2 years ago

Very interesting :) , although I have the feeling we already have some features in place (and others on the way) trying to solve this same problem.

  • We already have "Shadow Realms", which doesn't really solve the capabilities problem, but at least provides a thin isolation layer (at least our globals are protected!). This is supposed to work in all JS environments, not just NodeJS.
  • On top of that, there's work in progress to implement a permissions system (with experimental code already in place, that can be tested): https://github.com/nodejs/security-wg/issues/791
[–] The_Monocle_Debacle@lemmygrad.ml 0 points 2 years ago (1 children)

I don't think the node ecosystem is fixable, it's honestly a better idea to just start from scratch.

[–] castarco@lemmy.ml 1 points 2 years ago

I don't think talking in absolutes is the best way to tackling at problems. In this case, I would say there's a gradient, and we can surely shift our current position from "utterly broken" to something more benign, even if there are still flaws pending to be corrected.

Starting from scratch would imply throwing away millions of hours of developer time. It's tempting, but not feasible, and even if it was, it would be a bad economical decision.