Or, you can of course always bundle your deps in ./blerg/ and refer to them via ./blerg/blorg/ or whatever, and that'll be as explicit as you can be.
On Sat, Apr 27, 2013 at 10:29 AM, Isaac Schlueter <[email protected]> wrote:
> If she doesn't trust you, why is her code on your machine? Why don't
> you just compromise HER files directly in that case?
>
> If you don't trust your infrastructure provider, then nothing can
> protect you. If you want defense-in-depth against accidental things
> like this, then make sure that you have local copies in node_modules
> of the things you want to use.
>
>
> On Sat, Apr 27, 2013 at 9:27 AM, Carlos <[email protected]> wrote:
>> From the docs:
>>
>> For example, if the file at '/home/ry/projects/foo.js' called
>> require('bar.js'), then node would look in the following locations, in this
>> order:
>>
>> /home/ry/projects/node_modules/bar.js
>> /home/ry/node_modules/bar.js
>> /home/node_modules/bar.js [color added by me]
>> /node_modules/bar.js
>>
>> Maybe I'm paranoid. OK, I am paranoid. But is there a potential for
>> injection of untrusted code here? I mean, it's really unlikely that I would
>> be running a node-based service on a machine I don't own-as-in-root. But
>> suppose I have users, and one of them is using node to do whatever just
>> because node is the coolest thing ever. Should she trust me not to have put
>> something evil in /home/node_modules? I mean, I could be evil. I could
>> dump the list of the top ten downloads from the npm registry and then run
>> those module names through a typo predictor (this is insanely easy to
>> automate, plus you have variations of foo, node-foo and foo-node which
>> create even more open space for evil) and seed /home/node_modules with
>> compromised versions of the real thing. The next time Karen Koder does an
>> 'npm install' on a new package file she might very well end up pulling
>> compromised code. I'm not saying this is a big security risk. It's not.
>> If it were, I would not be posting here. But I question whether this is
>> really good design practice and suggest that maybe pulling code from other
>> user directories is more risky than useful.
>>
>> --
>> --
>> Job Board: http://jobs.nodejs.org/
>> Posting guidelines:
>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>> You received this message because you are subscribed to the Google
>> Groups "nodejs" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/nodejs?hl=en?hl=en
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "nodejs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
