top | item 32667910


paskozdilar | 3 years ago

Would you care to elaborate?

I always thought npm was open-source-centric. If npm somehow ran opaque binaries, I'd really like to know about that.


leppr | 3 years ago

There is no open-source requirement, like there would be on Gentoo packages for instance. NPM packages frequently pull arbitrary binaries in their install scripts.

bhedgeoser | 3 years ago

1. There are thousands of dependencies in a usual lockfile.

2. A package author can push something other than the repository contents to npm, or change the contents before pushing to npm, making the whole open-source thing useless.

3. As someone else pointed out, you can download+exec when an npm package is installed.
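The two points above (install scripts that run arbitrary commands, and the size of a typical lockfile) can be checked mechanically. The following is an added example, not code from the thread: it counts the packages in a lockfile, lists those the lockfile flags with `hasInstallScript`, and cross-checks the actual manifests for lifecycle hooks. The lockfile and manifests are constructed inline so it runs offline; real input would be read from `package-lock.json` and `node_modules/<pkg>/package.json`.

```javascript
// Added example: audit a lockfile and package manifests for install-time hooks.
// All data below is constructed; it mirrors the npm lockfileVersion 2/3 layout,
// where "packages" is keyed by path under node_modules and "" is the root project.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'left-pad-ish': '^1.0.0' } },
    'node_modules/left-pad-ish': { version: '1.0.0' },
    'node_modules/native-thing': { version: '2.3.1', hasInstallScript: true },
    'node_modules/native-thing/node_modules/tiny-dep': { version: '0.1.0' },
  },
};

// Constructed package.json contents, as found at node_modules/<name>/package.json.
const sampleManifests = {
  'left-pad-ish': { name: 'left-pad-ish', scripts: { test: 'node test.js' } },
  'native-thing': {
    name: 'native-thing',
    scripts: { install: 'node-gyp rebuild', postinstall: 'node scripts/fetch-binary.js' },
  },
  'tiny-dep': { name: 'tiny-dep' },
};

// How many packages the lockfile will actually install (root entry excluded).
function countLockedPackages(lock) {
  return Object.keys(lock.packages || {}).filter((p) => p !== '').length;
}

// Packages the lockfile itself marks as having an install script.
function packagesFlaggedByLock(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p, meta]) => p !== '' && meta.hasInstallScript)
    .map(([p]) => p.split('node_modules/').pop()); // last path segment = package name
}

// Cross-check the manifests: every lifecycle hook and the exact command it runs.
function findInstallHooks(manifests) {
  const findings = [];
  for (const [name, pkg] of Object.entries(manifests)) {
    for (const hook of LIFECYCLE_HOOKS) {
      if (pkg.scripts && pkg.scripts[hook]) {
        findings.push({ name, hook, command: pkg.scripts[hook] });
      }
    }
  }
  return findings;
}

console.log(countLockedPackages(sampleLock), packagesFlaggedByLock(sampleLock), findInstallHooks(sampleManifests));
```

Running `npm ci --ignore-scripts` skips these hooks entirely, at the cost of packages that genuinely need a native build step failing until their scripts are reviewed and run deliberately.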

Something1234 | 3 years ago

Do you really think your average JavaScript developer is going to read and understand all of their dependencies?