Alberto Gimeno
Dec 7, 2018 ⋅ 3 min read

How to protect your Node.js applications from malicious dependencies

Alberto Gimeno Ecosystem Engineer at GitHub. Sometimes I write about JavaScript, Node.js, and frontend development.

Recent posts:

Exploring Stylex And The New Generation Of Styling Libraries

Exploring StyleX and the new generation of styling libraries

StyleX is a build-time, type-safe CSS-in-JS library recently open sourced by Meta. Explore StyleX and the evolution of styling libraries.

Ibadehin Mojeed
Feb 29, 2024 ⋅ 9 min read
Building High Performance Ecommerce Sites With Astro

Building high-performance ecommerce sites with Astro

Learn to set up a completely custom Astro ecommerce implementation that’s also highly performant and type-safe in this straightforward guide.

Onuorah Bonaventure
Feb 28, 2024 ⋅ 64 min read
Implementing Vector Search With Open Ai, Next Js, And Supabase

Implementing vector search with OpenAI, Next.js, and Supabase

Let’s build a Next.js app that implements vector search using Supabase and OpenAI to offer better search experiences for users.

Peter Ekene Eze
Feb 27, 2024 ⋅ 11 min read
Comparing React Native BLE libraries

Comparing React Native BLE libraries

Discover the most popular libraries for enabling Bluetooth Low Energy (BLE) in React Native apps, allowing them to interact with Bluetooth hardware on iOS and Android platforms.

Fimber Elemuwa
Feb 26, 2024 ⋅ 4 min read
View all posts

2 Replies to "How to protect your Node.js applications from malicious dependencies"

  1. This method is good for standard methods, but do you know what is a good way to block calls at the system level? When calls reach the v8 engine or uv, it should be able to implement a gating mechanism where the user can be asked consent.
    This model is similar to android apps where we are told the permissions that the app requires in advance, and any additional access is denied till the user explicitly approves it.

  2. I actually created a library that does something very similar to this, but uses a more sensible approach for permissions. It also differentiates between 1st/3rd party code so that your main application doesn’t have to jump through hoops https://github.com/yaakov123/hagana

Leave a Reply