It's bizarre to me that node has so little to lock down what dependencies can access, especially when it's such a free-for-all. Even if you take the good advice to specify specific dependency versions, you can't be 100% sure that when you update them, what you're updating to is safe. This idiot's actions seem amateurish. I imagine more thoughtful malware goes undetected - things that scan your hard disk for passwords, maybe something that targets individuals through social media IDs on the naughty list, etc.
Allegedly deno (node successor, but not yet as popular) does something about the user of the dependencies being aware of, or having to explicitly grant, access to things like the filesystem, which seems not-stupid. If you need to use node, and so many things use it these days - you should probably run it in a VM or something, and maybe play detective a bit and try to catch malicious things.
Software development failed to grow up.
In the 90s and early 2000s they tried to turn it into an engineering profession. Unfortunately they failed. Hipsters, dude bros, activists and idiots who think anyone can code after a weekend course took over.
wow, it'd almost be like they were thrust into tech purposefully, i mean that would never happen in our world but still
Diversity
It's true and they all call themselves engineers. Sorry, bro, mashing up a few libraries to display something in a browser doesn't make you an engineer.
The safest approach is just do not run it as root. There is no need to do that anyway.
Which you can just restore from the system that is still functional. If the whole disk is wiped, then you are hosed without an external backup.