Hacker News

matheusmoreira, today at 2:44 PM (3 replies)

> allows all packages to run package supplied arbitrary code as the logged-in user after an update completes

As opposed to the completely untrusted package-supplied arbitrary code that the logged-in user executes when they actually use the package immediately after installing it?


Replies

saturn_vk, today at 2:59 PM

The package might not ever be executed on the user's machine. Depending on your setup, it might only be run on a server, where the data that can be exfiltrated is completely different.

lionkor, today at 4:09 PM

You can't even install the package without running arbitrary code, that's quite different from most other package managers for languages.

Sankozi, today at 4:03 PM

One malicious script that is run right after install vs. one per API entry point that might or might not be called (transitive dependency).

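The thread's distinction between code that runs at install time and code that runs only when an API is called leads to a practical check: which of the packages in a dependency tree, including transitive ones, declare install-time hooks at all? The script below is an added example and is not code from the thread or from any package manager's own tooling. It assumes an npm-style layout (a `node_modules` tree of `package.json` manifests) and npm's lifecycle hook names; the package manager under discussion is not named in the thread, so that is an assumption. The sample packages it scans are constructed inline for the demo.

```python
"""Find dependencies that would execute package-supplied code at install time.

Added example. Assumes an npm-style node_modules/<pkg>/package.json layout
and npm's lifecycle hook names; the fixture packages are constructed here.
"""
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks that run package-supplied commands during install.
# (Assumption: the thread is about an npm-style package manager.)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_time_scripts(node_modules: str) -> dict:
    """Map every package under node_modules (nested/transitive included)
    to the install-time hooks it declares. Packages with none are omitted."""
    findings = {}
    for manifest in Path(node_modules).rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            # Fall back to the directory name if the manifest lacks "name".
            findings[data.get("name") or manifest.parent.name] = hooks
    return findings


def build_sample_tree(root: str) -> str:
    """Constructed fixture: one clean dependency, one with a postinstall hook,
    and one transitive dependency (nested node_modules) with an install hook."""
    nm = Path(root) / "node_modules"
    manifests = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0"},
        "telemetry-helper": {
            "name": "telemetry-helper",
            "version": "2.3.1",
            "scripts": {"postinstall": "node ./collect.js"},
        },
        "web-framework": {"name": "web-framework", "version": "5.0.0"},
        "web-framework/node_modules/native-bindings": {
            "name": "native-bindings",
            "version": "0.9.0",
            # "test" is not an install hook and must not be reported.
            "scripts": {"install": "node-gyp rebuild", "test": "jest"},
        },
    }
    for rel, data in manifests.items():
        pkg_dir = nm / rel
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(data), encoding="utf-8")
    return str(nm)


def demo() -> dict:
    """Build the fixture tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return install_time_scripts(build_sample_tree(tmp))


if __name__ == "__main__":
    for pkg, hooks in sorted(demo().items()):
        for hook, cmd in hooks.items():
            print(f"{pkg}: {hook} -> {cmd}")
```

Run it against a real project by calling `install_time_scripts("node_modules")` after an install done with scripts disabled (npm honours `ignore-scripts=true` in its config, or `--ignore-scripts` on the command line), so that the audit itself does not trigger the hooks it is looking for. Note that the fixture's `web-framework` is clean while its nested `native-bindings` is not, which is exactly the transitive case raised in the thread.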