2018-12-07
1008
#node
Alberto Gimeno
105
Dec 7, 2018 ⋅ 3 min read

How to protect your Node.js applications from malicious dependencies

Alberto Gimeno Ecosystem Engineer at GitHub. Sometimes I write about JavaScript, Node.js, and frontend development.

Recent posts:

Exploring The Javascript Registry For Javascript Module Management

Exploring JSR for JavaScript module management

JSR is designed to serve as a registry for both JavaScript and TypeScript packages, and an upgrade to the features provided by npm.

Oyinkansola Awosan
Jul 19, 2024 ⋅ 8 min read
Error Handling In Rust A Comprehensive Guide

Error handling in Rust: A comprehensive tutorial

Learn to handle Rust errors efficiently to write cleaner, more maintainable Rust code and create a more user-friendly application.

Eze Sunday
Jul 18, 2024 ⋅ 10 min read
Exploring Actions And Request Rewriting In Astro

Exploring actions and request rewriting in Astro

Astro v4.8 ships with server actions and request rewriting. Let’s see how to use these long-awaited (though still experimental) features.

Ivaylo Gerchev
Jul 17, 2024 ⋅ 13 min read
Comparing Fiber Vs Gin For Go Web Development

Comparing Fiber vs. Gin for Go web development

Go Fiber and Gin are two popular Go frameworks that provide extensive toolkits for developing high-performance apps with modern features.

Temitope Oyedele
Jul 17, 2024 ⋅ 8 min read
View all posts

2 Replies to "How to protect your Node.js applications from malicious dependencies"

  1. This method is good for standard methods, but do you know what is a good way to block calls at the system level? When calls reach the v8 engine or uv, it should be able to implement a gating mechanism where the user can be asked consent.
    This model is similar to android apps where we are told the permissions that the app requires in advance, and any additional access is denied till the user explicitly approves it.

  2. I actually created a library that does something very similar to this, but uses a more sensible approach for permissions. It also differentiates between 1st/3rd party code so that your main application doesn’t have to jump through hoops https://github.com/yaakov123/hagana

Leave a Reply