Tuesday 27 November 2018

Question about npm package security and restricting access

If we run a package (not with elevated permission) from npm (I'm on Windows, if that matters), can it access the full filesystem? Or just within the directory it was run from? If the former, is there a Node setting to restrict it? Does it matter whether the package is installed globally or as a project dependency?

Also, more generally, if the package is malicious, assuming it is not run with elevated permission, are there any security risks with it, in terms of installing malicious software on the host, stealing data, etc.? Or is it rather limited in what it can do?

Submitted November 27, 2018 at 06:23PM by Independent_Focus
