item 45770672 (no title)

Sander_Marechal | 4 months ago

How does Deno solve this? Genuine question by the way. I'm not trying to be snarky.

bytefish | 4 months ago

It provides a runtime that sandboxes your application and requires you to give explicit permissions for file system operations and network requests.

This limits the attack surface when it comes to installing malicious dependencies that npm happily installs for you.

So yes, I was wrong and my previous comment was a hyperbole. A big problem is npm, and not JavaScript.

My point about the staggering amount of dependencies still holds though.

int_19h | 4 months ago

Of course, this only works so long as the sandbox is secure.

There have been attempts to do this kind of sandboxing before. Java and .NET both used to have it. Both dropped it because it turns out that properly sandboxing stuff is hard.