> definitely wouldn't recommend `npm install <actually a random package>`, even ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		ashishb 30 days ago \| parent \| context \| favorite \| on: Sandboxing Untrusted Python > definitely wouldn't recommend `npm install <actually a random package>`, even in Docker. That's not the main attack vector. The attack vector is some random dependency that is used by a lot of popular packages, which you `npm install` indirectly.

staticassertion 30 days ago [–]

That doesn't change what I said. It definitely doesn't change what I said about docker as a security boundary.

Again, it's great to run `npm` in a container. I do that too because it's the lowest effort solution I have available.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact