I guess we now live in the post-"ads in the npm install log" erapic.twitter.com/pSnBnMDNSg
Show this thread
-
So I guess we're not at the point yet where one's machine is dynamically downloading and executing advertisers' code during npm installation. But let's check back in 15 minutes
Show this thread
This is probably a good time to start investigating mitigations for the kind of scenario where an npm install script tries to make HTTP requests
-
-
Because an npm install script which dynamically loads ad code is a really amazing opportunity to inject "ad" code which, I don't know, scoops up secrets from the local environment and sends them somewhere
Show this thread -
To be clear: we got to this point because people want money. As long as we live in a capitalist society, there's no point where people stop wanting more money. That means ads will eventually permeate every electron of our universe. It is/was inevitable
Show this thread -
No amount of revamping open source software funding structures would have prevented this from happening eventually, nor can it make this go away now it's begun
Show this thread -
Advertising in your install log is going to be as simple as dropping a banner ad on your website. Install log ads are going to have all the same problems and very familiar solutions
Show this thread
End of conversation
New conversation -
-
-
As other folks have mentioned, loading data at install time isn't uncommon. There also have been, from time to time, modules with "install trackers" that executed at install time, either fetching a known page, or actually doing a Google Analytics post.
-
If you're concerned about that, consider that a library or tool could also do this at _run time_. standard could be putting out ads whenever it checks your code. react could be phoning home when embedded in your website. Package manager mitigations will not save us.
End of conversation
New conversation -
-
-
Lots of "legitimate" packages already do this, e.g. Cypress, Puppeteer. I'm not saying it's a good idea, just that it is already in wide use. Making `--no-scripts` the default would be a very good thing!
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
https://www.npmjs.com/package/cldr-data … fetches data on install. I'm sure there are others
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
PoC using Docker https://github.com/DavidBruant/containednpm … To prevent networking, configure docker with `network_mode: "none"` (happy to help if you get into any difficulty with it)
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.