The npm / event-stream incident is the perfect teaching moment for POLA (Principle of Least Authority), and for the need to support least authority for JavaScript libraries. https://medium.com/agoric/pola-would-have-prevented-the-event-stream-incident-45653ecbda99 by Kate Sills (cc'ed) explains the point. The links at the end of Kate's article are worth following. In particular:
Securing EcmaScript, presentation to Node Security https://www.youtube.com/watch?v=9Snbss_tawI&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2 is my presentation explaining many of these issues *prior to* this particular incident.

At the recent (November 2018) tc39 meeting, I presented on the enhancements needed to support least authority for JavaScript modules and libraries, adequate to have prevented this incident.

Besides es-discuss, https://news.ycombinator.com/item?id=18590116 would be a good place to discuss these issues.

--
Cheers,
--MarkM
_______________________________________________ es-discuss mailing list [email protected] https://mail.mozilla.org/listinfo/es-discuss

