new | ask | show | jobs
cookiengineer 9 hours ago  [ - ]

What a pointless change.

If you force every user to just use "--enable-unsecure-feature", guess what will happen?

This is not about improving security. This is about shifting blame.

A much better alternative would've been the introduction of sandboxes or simulation runs that would output which scripts and programs are running due to unpredictable dependencies. This way the user could check before the actual execution, and maintain an allow list much easier. That could be done via an npm update && npm upgrade workflow where the update generates the list that the user has to manually confirm.

Heck, even a chroot would be an improvement, and they're almost pointless these days, considering how good malware got at escaping chroots.

woodruffw 8 hours ago  [ - ]

I don't think it's pointless. A large number (the majority?) of users probably don't need install scripts, so disabling them by default is a net security improvement. Those that do can enable the insecure behavior, which will become an explicit decision that is trackable, auditable, etc.

You're not wrong about sandboxing, but sandboxing isn't something that can just be blithely introduced to a large packaging ecosystem that previously assumed full system access. Doing so results in the same kind of regression you point out: if the sandboxing breaks peoples' builds, they'll just disable it and move on with their goals.

garbagepatch 8 hours ago  [ - ]

Most users don't need it. Having it on by default is a feature for malware writers not users.

But to your point, Node has had permission flags for a while[0] but allows everything by default. Npm could use them to increase security even more. I just hope it doesn't take them another 10 years to change the default.

[0] https://nodejs.org/api/permissions.html

hedora 7 hours ago  [ - ]

Most packages don’t need it, but I imagine a large percentage of users do since most projects pull in an insane number of packages.

Still, “default off” is better. It would be nice if there were a lightweight way to fork upstream packages, and cache the native builds. It’d improve build times, make the build step more explicit / sandboxable and allow for easier binary builds for operating systems and processors that M$ treats as second class.

recursive 8 hours ago  [ - ]

I'm not going to get forced.