How does that add any danger? You're pulling in code because you want to use it.... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		dns_snek on March 28, 2024 \| parent \| context \| favorite \| on: PyPI halted new users and projects while it fended... How does that add any danger? You're pulling in code because you want to use it. If the package is malicious and your package manager doesn't have post-install scripts, the malicious code is just going to run 5 seconds later when you import it and start working with it. In the case of NPM with post-install scripts disabled, you'll simply get pwned when you `npm start` rather than `npm install`.

taeric on March 28, 2024 [–]

Honestly, I'm going off memory on python. In the olden days, it was not at all uncommon for devs to want the ability to "sudo pip install foo".

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact