“the sandbox is broken, but let's talk about a scenario where everything is fine.”
Both scenarios (supporting trusted AND untrusted code) are outlined on the page I linked to.
So if you don't use node modules from npm, you're fine.
Even if you use modules from npm, nothing really changes. If there’s a malicious package in your dependency tree, you have a security problem, with or without these new vulnerabilities. https://twitter.com/mathias/status/949393844965138433 …
It's something we're exploring. Afaik _no_ language package manager has managed to widely deploy package signing with verification. (Folks tend to conflate OS and appstore envs w/ lang pkg mgmt, but the problem spaces are actually very different.)