Correct, luckily, but all it takes is one eval. So be diligent about checking. However, like you said, luckily it’s JavaScript and there’s a history online that you can see.
Be weary of binary wasms though, harder to analyze. In the end, because it was published and npm allows you to see the history, we can all see.
Still, from a security standpoint, anything within a “package” that is compromised, compromises the package. Don’t install it. Wait for the fix.
Be weary of binary wasms though, harder to analyze. In the end, because it was published and npm allows you to see the history, we can all see.
Still, from a security standpoint, anything within a “package” that is compromised, compromises the package. Don’t install it. Wait for the fix.