> Nobody should do 'npm install' or 'pip install' on their machine.

What alternative do you suggest?

Do you mean not install outside a sandbox?

I've been playing around with declarative container configurations: https://github.com/AdrianVollmer/ContainerConductor (It's not ready, don't use it!)

It will always introduce friction, though.

Modern software development is simply too fast to be reviewed properly.

Alias npm / bun / ... to run in a docker container, so `npm install` runs automatically in the container.
That's exactly what I started with. It gets unwieldy quickly enough, as you need to mount a lot of directories that these tools use as cache.

So, amazing-sandbox at its core is nothing but a glorified docker command generator (in default mode).

Download source. Extract. Move files to correct node_modules folder.

If your distribution requires more than this, then it's not really a module, or combines too many non-modular components, and should be distributed differently.

The ability for npm to run scripts on any level should be removed.

Then we can go back to worrying about namespacing issues.
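As an added example for the two points above (running the package manager inside a container, and not letting dependency lifecycle scripts execute), here is a small POSIX shell wrapper. It is not ContainerConductor, amazing-sandbox, or any commenter's code. It only generates a `docker run` command line; the image name `node:20-bookworm`, the host cache directory `$HOME/.npm`, and the mount points `/work` and `/.npm` are my assumptions, not something from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project mentioned in it.
# Generates (and optionally runs) a docker command that executes npm inside a
# throwaway container with a minimal set of host directories mounted.

# Assumed defaults; override via the environment.
NPM_SANDBOX_IMAGE="${NPM_SANDBOX_IMAGE:-node:20-bookworm}"   # assumed image
NPM_SANDBOX_CACHE="${NPM_SANDBOX_CACHE:-$HOME/.npm}"         # assumed host cache dir

# build_npm_sandbox_cmd ABS_PROJECT_DIR [npm args...]
# Prints the docker command without running it. Only two host paths are
# mounted: the project directory and the npm cache (the "lot of directories"
# problem is kept to exactly these two). The container runs as the caller's
# uid/gid with all capabilities dropped, a read-only root filesystem, and
# npm's real --ignore-scripts flag, so install/postinstall hooks shipped by
# dependencies do not execute. npm_config_cache is the environment form of
# npm's cache setting.
build_npm_sandbox_cmd() {
    proj=$1
    shift
    uid=$(id -u)
    gid=$(id -g)
    cmd="docker run --rm --init"
    cmd="$cmd --user $uid:$gid"
    cmd="$cmd --cap-drop=ALL --security-opt=no-new-privileges"
    cmd="$cmd --read-only --tmpfs /tmp -e HOME=/tmp"
    cmd="$cmd --pids-limit 512 --memory 2g"
    cmd="$cmd -v $proj:/work -w /work"
    cmd="$cmd -v $NPM_SANDBOX_CACHE:/.npm -e npm_config_cache=/.npm"
    cmd="$cmd $NPM_SANDBOX_IMAGE npm --ignore-scripts $*"
    printf '%s\n' "$cmd"
}

# sandboxed_npm [npm args...]
# Runs npm for the current directory inside the container. Arguments are
# assumed to be shell-safe (no spaces or quotes), since the command is eval'd.
# Add -it to the generated command if npm needs to prompt.
sandboxed_npm() {
    eval "$(build_npm_sandbox_cmd "$(pwd)" "$@")"
}

# Typical use, from inside a project directory:
#   sandboxed_npm ci
#   sandboxed_npm run dev
```

With `--ignore-scripts` set globally, `npm run dev` and `npm test` still run the script you name explicitly, but pre/post hooks and dependency install hooks are skipped; the read-only root and the two explicit mounts bound what a script can touch if one does run.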

> The ability for npm to run scripts on any level should be removed.

Even Python has that ability now. Also, `npm run dev` is running the script with full disk access.

Heck, VS Code/Cursor will auto-execute code if you open a project. And this has been actively used in the wild: https://ashishb.net/security/contagious-interview/
