Except you "need" things like postinstall lifecycle hook for some things. So you add the specific package you wanna download to trustedDependencies (like you'd need to do with node-sass for example), and then we're back to it executing code after downloading, making compromises to upstream dangerous again.

A lot better than npm that lets any package run postinstall for sure, but as always there are no silver bullets.

Apparently there is also a default list of packages that are allowed to run scripts on download with Bun, FYI https://github.com/oven-sh/bun/blob/main/src/install/default...

It allows you to separate these steps and only execute the unsafe ones in a container but not having to do everything in there.

Thanks for mentioning the default list! Good point.
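
The two comments above describe the gate Bun puts in front of install-time scripts: a dependency's `preinstall`/`install`/`postinstall` hooks only run if the package is named in `trustedDependencies` (or in Bun's shipped default list), and the suggestion is to run those script-bearing packages in a container rather than the whole install. The following audit script is an added example, not code from either commenter or from the Bun project. It walks `node_modules`, finds every installed package that declares an install-time lifecycle script, and splits them into "trusted" (would run under the project's `trustedDependencies`) and "blocked" (scripts skipped), so a reviewer can see exactly which packages regain code execution on the dev machine before approving a `trustedDependencies` change. The `default_allowlist` parameter is a hook for Bun's default list; its contents are not reproduced here and it is left empty. The sample project in `build_fixture()` is constructed inline; `unvetted-dep` and `clean-dep` are made-up package names.

```python
import json
import tempfile
from pathlib import Path

# Lifecycle hooks that a package manager runs at install time.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")


def load_trusted(project_dir):
    """Return the package names the project allows to run install scripts.

    Reads Bun's `trustedDependencies` array from package.json; an absent
    field means nothing beyond the default list is trusted.
    """
    manifest = json.loads((Path(project_dir) / "package.json").read_text())
    return set(manifest.get("trustedDependencies", []))


def find_script_packages(project_dir):
    """Map package name -> list of install-time hooks it declares.

    Scans every package.json under node_modules (including nested copies).
    Manifests that are unreadable or have no name are skipped.
    """
    root = Path(project_dir) / "node_modules"
    found = {}
    for manifest in root.glob("**/package.json"):
        try:
            data = json.loads(manifest.read_text())
        except (OSError, ValueError):
            continue
        scripts = data.get("scripts", {})
        hooks = [s for s in LIFECYCLE_SCRIPTS if s in scripts]
        if hooks and "name" in data:
            found[data["name"]] = hooks
    return found


def audit(project_dir, default_allowlist=frozenset()):
    """Classify script-bearing packages the way the install gate would.

    "trusted": hooks will execute on this machine.
    "blocked": hooks are skipped; run these in a container if really needed.
    `default_allowlist` stands in for Bun's shipped list (assumption: left
    empty here because its contents are not part of this example).
    """
    trusted = load_trusted(project_dir) | set(default_allowlist)
    report = {"trusted": {}, "blocked": {}}
    for name, hooks in find_script_packages(project_dir).items():
        bucket = "trusted" if name in trusted else "blocked"
        report[bucket][name] = hooks
    return report


def build_fixture():
    """Constructed sample project: node-sass is trusted (as in the comment
    above); `unvetted-dep` (made-up) ships a postinstall hook but is not
    trusted; `clean-dep` (made-up) declares no install-time hooks."""
    project = Path(tempfile.mkdtemp())
    (project / "package.json").write_text(json.dumps({
        "name": "demo",
        "trustedDependencies": ["node-sass"],
    }))

    def add_package(name, scripts):
        pkg_dir = project / "node_modules" / name
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps({
            "name": name, "version": "1.0.0", "scripts": scripts,
        }))

    add_package("node-sass", {"install": "node scripts/install.js",
                              "postinstall": "node scripts/build.js"})
    add_package("unvetted-dep", {"postinstall": "node setup.js"})
    add_package("clean-dep", {"test": "jest"})
    return project


if __name__ == "__main__":
    result = audit(build_fixture())
    for bucket in ("trusted", "blocked"):
        for name, hooks in sorted(result[bucket].items()):
            print(f"{bucket:8} {name}: {', '.join(hooks)}")
```

Running it against the fixture reports `node-sass` under "trusted" and `unvetted-dep` under "blocked"; `clean-dep` does not appear because it declares no install-time hook. Pointed at a real checkout after `bun install`, the "trusted" bucket is the list of packages whose upstream compromise would again mean code execution on the developer's machine, which is the residual risk the first comment is describing.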