Please take a look at my RFC for making install scripts *opt in* (and thus OFF by default) on : github.com/npm/rfcs/pull/, to hopefully lessen the attack surface that compromised packages can take advantage of in the future, like what we saw today: therecord.media/malware-found-
imho npm has a *trust* issue, and it's not fixed by reducing its handy features ... example:
Quote Tweet (replying to @bitandbang and @npmjs):
What saddens me is that there is zero signal in npm about 2FA being used for a module.
A badge, a security check, nothing.
npm info module? Zero!
Make it recognizable and see people running for it to show off how much they care.
Both are necessary, but it can’t be the case that we just rely on “trust” to give every package (most of which are dependencies you don’t explicitly ask for) the ability to run any script *on install*, for the same reason sandboxing matters more on iOS than “AppStore approval”.
NAPI is great for making binaries that support multiple versions of Node.js, but they are still platform specific. WASM + WASI offer a potential platform agnostic future, but that isn't here yet.
So we are still stuck with the challenge of lazy-loading binary extensions.