> You're collapsing two different threat models. The risk isn't that code runs, it's WHEN it runs.

> You don't have to build it, run it, or even import it

If you just installed something with npm, chances are you'll be running it shortly, either as a tool or a library, probably minutes or seconds later. I imagine the use case of installing an npm package you don't plan on using or transitively importing constitutes a small portion of npm installs.

reply
> apt/dnf scripts run on packages a maintainer signed and a distro gatekept

Unfortunately apt/dnf isn't much better here, because random tutorials online suggest people add random repositories, where the creator of any repository effectively has root access to anyone's machine that adds it as a remote.

reply
Don't add random repositories from random tutorials? Come on, it's basic Internet hygiene. Entirely different thing.
reply
deleted
reply
It's the exact same problem when random tutorials (and official pages) recommend doing a curl "URL" | bash to install something. Every time I see it, I look at it suspiciously.
reply