Hacker News new | past | comments | ask | show | jobs | submit login

Make your application directory read-only to the user running the application, as it ought to be anyway.

Automatic dependency resolution however... Fantastic for experimentation, but that's a dealbreaker for production. Maybe it would be OK if it actually wrote the package-lock.json to the application directory, I'd have to think about that.

In this case the application also tries to auto-install dependencies, so making it read-only removes one of the stated features.

I think this framework hasn't been written with security in mind at all.

Whatever it's doing, it's not writing the packages into the application directory.

If it can write to the applications dependencies isn't that as good as writing to the application?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact