re: How do we improve security in the npm ecosystem? VIEW POST


Not really a solution to this problem, but more of a damage control thought... Is there a way to run dependencies of dependencies in some kind of a restricted sandbox environment, where HTTP requests and access to DOM are intercepted, and only whitelisted dependencies get that kind of access? Is it possible to create a scope with fake window and document objects for those dependencies, from which they cannot break out?

If it's possible I guess webpack or whatever is bundling the JS would have to take care of that sandboxing?

code of conduct - report abuse