top | item 45287781

(no title)

keraf | 5 months ago

I might be naive but why isn't any package manager (npm, pnpm, bun, yarn, ...) pushing for a permission system, where packages have to define in the package.json what permission they would like to access? À la Deno but scoped to dependencies or like mobile apps do with their manifest.

I know it would take time for packages to adopt this but it could be implemented as parameters when installing a new dependency, like `npm i ping --allow-net`. I wouldn't give a library like chalk access to I/O, processes or network.

discuss

IanCal|5 months ago

I feel like that would require work from the language side, or at least runtimes. Is there a way of stopping code in one package from, say, hitting the network?

You might be able to do this around install scripts, though disk writing is likely needed for all (but perhaps locations could be controlled).

Filligree|5 months ago

We've seen a lot of stunningly incompetent attacks that nevertheless get to a lot of people.

Yeah, it needs work from the language runtime, but I think even a hacky, leaky 'security' abstraction would be helpful, because the majority of malware developers probably aren't able to break out of a language-level sandbox, even if the language still allows you to do unsafe array access.

Then we can iterate.

____tom____|5 months ago

Java had support for something very like this, but no one used it, and they recently removed it. https://openjdk.org/jeps/486

It's too bad, it would be useful in this situation